oss-sec mailing list archives

Lack of TLS certification chain validation in ZAP Proxy


From: Gabriel Corona <gabriel.corona () enst-bretagne fr>
Date: Wed, 23 Mar 2022 22:02:15 +0100

ZAP proxy does not verify the certificate chain of the HTTPS servers it connects to. For example, it connects without warning to servers presenting a self-signed certificate, an expired certificate, etc.

This opens up a browser configured to use ZAP as an intercepting proxy to:

1. man-in-the-middle (MITM) attacks;
2. DNS rebinding attacks (to HTTPS servers configured as the default virtual server).

--
Gabriel
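
To make the report above concrete, here is an added example (mine, not ZAP's code or part of the original post) in Go that reproduces the two dial modes an intercepting proxy can use for its upstream TLS connection and checks how each treats a self-signed origin. The upstream is an in-process httptest server, which ships a self-signed certificate for example.com / 127.0.0.1, so the whole thing runs offline. The function and type names (dialUpstream, Probe, ProbeResult) and the name victim.internal.test are hypothetical; the x509 error types and tls.Config fields are real Go standard library.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// startUntrustedUpstream starts an HTTPS server whose certificate is self-signed
// (httptest generates one for example.com / 127.0.0.1). It stands in for any
// origin the proxy reaches out to on behalf of the browser.
func startUntrustedUpstream() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "hello from an upstream with a self-signed certificate")
	}))
}

// dialUpstream opens the proxy-to-origin TLS connection that an intercepting
// proxy makes after the browser's CONNECT. serverName is the host the browser
// asked for; roots is the trust store (nil = OS roots); skipVerify disables the
// chain and hostname checks entirely, which is the behaviour reported above.
// (Hypothetical helper, not ZAP's implementation.)
func dialUpstream(addr, serverName string, roots *x509.CertPool, skipVerify bool) error {
	cfg := &tls.Config{
		ServerName:         serverName,
		RootCAs:            roots,
		InsecureSkipVerify: skipVerify,
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// isChainError reports whether err is a certificate validation failure
// (unknown issuer, expired/not-yet-valid, name mismatch, or no usable trust
// store) rather than a plain network error, so a proxy can fail closed and
// tell the user why instead of silently re-signing for the browser.
func isChainError(err error) bool {
	var unknown x509.UnknownAuthorityError
	var invalid x509.CertificateInvalidError
	var hostname x509.HostnameError
	var noRoots x509.SystemRootsError
	return errors.As(err, &unknown) || errors.As(err, &invalid) ||
		errors.As(err, &hostname) || errors.As(err, &noRoots)
}

// ProbeResult records how each dial mode treated the same self-signed upstream.
type ProbeResult struct {
	NoValidationAccepted bool // skipVerify=true: connects without complaint (the reported behaviour)
	SystemRootsRejected  bool // default validation: refused as unknown authority
	PinnedRootAccepted   bool // validation against an explicitly trusted cert: accepted
	WrongNameRejected    bool // trusted cert, but the browser asked for a different name
}

// Probe exercises the four modes against a freshly started upstream.
func Probe() ProbeResult {
	srv := startUntrustedUpstream()
	defer srv.Close()
	addr := srv.Listener.Addr().String()

	var r ProbeResult

	// 1. No validation at all: a MITM box or a rebound host is indistinguishable
	//    from the real origin, and the browser only ever sees the proxy's own cert.
	r.NoValidationAccepted = dialUpstream(addr, "example.com", nil, true) == nil

	// 2. Validate against the OS trust store: the self-signed cert must be refused.
	err := dialUpstream(addr, "example.com", nil, false)
	r.SystemRootsRejected = err != nil && isChainError(err)

	// 3. Same check with the upstream's cert explicitly trusted (what a tester
	//    does for a lab target): accepted, because the trust is now deliberate.
	pinned := x509.NewCertPool()
	pinned.AddCert(srv.Certificate())
	r.PinnedRootAccepted = dialUpstream(addr, "example.com", pinned, false) == nil

	// 4. DNS rebinding shape: the browser asked for victim.internal.test but the
	//    server answers with a cert for example.com; hostname verification must
	//    reject it even though the issuer is trusted.
	err = dialUpstream(addr, "victim.internal.test", pinned, false)
	var hn x509.HostnameError
	r.WrongNameRejected = errors.As(err, &hn)

	return r
}

func main() {
	fmt.Printf("%+v\n", Probe())
}
```

Mode 1 is the condition described in the report: the proxy connects, then presents its own (browser-trusted) certificate downstream, so the browser has no way to notice that the upstream leg was never authenticated. Modes 2 to 4 are what a validating proxy should do: refuse unknown issuers, accept only roots the user has explicitly imported, and still enforce the hostname check so a rebound name cannot borrow another server's certificate.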
