zaproxy / zaproxy

The ZAP core project

Home Page: https://www.zaproxy.org

Brotli not decoded properly

adkrz opened this issue · comments

Describe the bug

When connecting to the server using the header:
Accept-Encoding: gzip, deflate, br
and getting a Brotli-encoded response, the response preview shows binary data and is not decoded.

Steps to reproduce the behavior

  • Go to the local proxy properties and make sure that removing the Accept-Encoding header is disabled and decoding the response is enabled
  • Navigate to a site that supports Brotli encoding using the manual request editor or a browser
  • Observe the body of the response

Expected behavior

The response body should be decompressed, just like with gzip or deflate.

Software versions

ZAP
Version: 2.14.0

Installed Add-ons: [[id=alertFilters, version=19.0.0],
[id=ascanrules, version=63.0.0], [id=authhelper,
version=0.12.0], [id=automation, version=0.35.0],
[id=browserView, version=6.0.0], [id=bruteforce,
version=15.0.0], [id=callhome, version=0.11.0],
[id=commonlib, version=1.22.0], [id=custompayloads,
version=0.13.0], [id=database, version=0.3.0], [id=diff,
version=14.0.0], [id=directorylistv1, version=7.0.0],
[id=domxss, version=18.0.0], [id=encoder, version=1.4.0],
[id=exim, version=0.8.0], [id=formhandler, version=6.5.0],
[id=fuzz, version=13.12.0], [id=gettingStarted,
version=16.0.0], [id=graaljs, version=0.5.0], [id=graphql,
version=0.23.0], [id=help, version=17.0.0], [id=hud,
version=0.18.0], [id=invoke, version=14.0.0], [id=jsonview,
version=3.0.0], [id=network, version=0.14.0], [id=oast,
version=0.17.0], [id=onlineMenu, version=12.0.0],
[id=openapi, version=39.0.0], [id=postman, version=0.2.0],
[id=pscanrules, version=56.0.0], [id=quickstart,
version=44.0.0], [id=replacer, version=16.0.0], [id=reports,
version=0.30.0], [id=requester, version=7.4.0], [id=retest,
version=0.8.0], [id=retire, version=0.32.0], [id=reveal,
version=7.0.0], [id=scripts, version=45.0.0], [id=selenium,
version=15.19.0], [id=soap, version=21.0.0], [id=spider,
version=0.10.0], [id=spiderAjax, version=23.18.0], [id=tips,
version=12.0.0], [id=webdriverlinux, version=75.0.0],
[id=websocket, version=30.0.0], [id=zest, version=43.0.0]]

System operacyjny: Linux
Architecture: amd64
Wersja Java: Ubuntu 11.0.22
System's Locale: pl_PL
Display Locale: pl_PL
Format Locale: pl_PL
Default Charset: UTF-8
Katalog domowy ZAP: /home/redacted/.ZAP/
ZAP Installation Directory: /snap/zaproxy/28/./
Look and Feel: FlatLaf Darcula (com.formdev.flatlaf.FlatDarculaLaf)

Screenshots

image

Errors from the zap.log file

No response

Additional context

No response

Would you like to help fix this issue?

  • Yes

Anything in the log?

fwiw

GET https://www.zaproxy.org/ HTTP/2
accept-encoding: br

HTTP/2 200
date: Fri, 15 Mar 2024 21:05:14 GMT
content-type: text/html; charset=utf-8
...
server: cloudflare
content-encoding: br
alt-svc: h3=":443"; ma=86400

<!doctype html>
<html lang="en">

Would be good to know if this one works for you.

Nothing interesting in the logs, unfortunately.
The request from your example also gives me binary output.
I also tried the Windows version with the same result:

image

I guess this isn't in 2.14?

Screenshot_20240315_181752_GitHub.jpg

Yeah, it's that (was using dev...).

@thc202: yes, it was 2.14 on both Linux and Windows.
I tried the weekly version and it works.

Thanks for confirming.
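
The mismatch reported in this thread (a client that offers "br" in Accept-Encoding but cannot decode the response) can be checked for and avoided in a few lines. This is an added example, not ZAP's code and not part of the thread; DECODERS, filter_accept_encoding and decode_body are hypothetical names, and it assumes a Python client that only has the standard-library decoders.

```python
import gzip
import zlib


def _inflate(data):
    # "deflate" means zlib-wrapped data (RFC 9110); some servers send raw DEFLATE.
    try:
        return zlib.decompress(data)
    except zlib.error:
        return zlib.decompress(data, -zlib.MAX_WBITS)


# Assumption: a client limited to the standard library, so it has no Brotli
# decoder. This models the situation reported above, where "br" is offered in
# Accept-Encoding but the tool cannot decode the response.
DECODERS = {
    "gzip": gzip.decompress,
    "x-gzip": gzip.decompress,
    "deflate": _inflate,
    "identity": lambda data: data,
}


def filter_accept_encoding(value):
    """Keep only the codings in DECODERS, preserving any q-values.

    "*" is dropped as well, because it would let the server choose "br".
    """
    kept = []
    for item in value.split(","):
        coding = item.split(";", 1)[0].strip().lower()
        if coding in DECODERS:
            kept.append(item.strip())
    return ", ".join(kept) if kept else "identity"


def decode_body(content_encoding, body):
    """Undo Content-Encoding codings, last applied first.

    Returns (body, remaining): remaining lists codings that could not be
    undone, so the caller can flag the body as still encoded.
    """
    codings = [c.strip().lower() for c in content_encoding.split(",") if c.strip()]
    while codings and codings[-1] in DECODERS:
        body = DECODERS[codings.pop()](body)
    return body, codings


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print(filter_accept_encoding("gzip, deflate, br"))  # gzip, deflate
    print(decode_body("br", b"\x1b\x03"))  # body unchanged, ["br"] remaining
```

A non-empty second element from decode_body means the body is still compressed, so any content-based inspection of it should be skipped or flagged rather than run over binary data.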