Use example values when importing OpenAPI definitions #5168
Comments
Yeah, sounds like a restriction that it would be good to fix.
Of course, I use this tool every day. I would be very happy to make some contributions for its improvement. Thanks!
The code that generates the values for the parameters is: so, default
On first sight it seems that
👍
@tinplinplin I can't speak to the use of that particular library class. But, basically it needs to get/parse the examples (when available) and use those values instead of defaults. If there are (or can be) multiple examples then pick first/last (as long as we document it) or most complete (# of params if some are optional) [I assume that's a thing ...]
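The precedence the comment above describes (example values first, then `default`, then a type-based placeholder, and the most complete example when several are given), written out as an added Python example that is not ZAP's own code; the Swagger fragment, the `examples` list handling and the placeholder table are assumptions for illustration:

```python
"""Added example, not ZAP's own code: build a request body from an OpenAPI
definition, preferring `example` values, then `default`, then placeholders."""
import json

# Constructed Swagger 2.0 fragment (assumed input, not from the issue).
SWAGGER = {"definitions": {
    "Address": {"type": "object", "properties": {
        "city": {"type": "string", "example": "Lisbon"},
        "zip": {"type": "string", "default": "0000-000"}}},
    "User": {"type": "object", "properties": {
        "name": {"type": "string", "example": "Ana"},
        "age": {"type": "integer", "default": 30},
        "email": {"type": "string"},                    # no example, no default
        "tags": {"type": "array", "items": {"type": "string", "example": "vip"}},
        "address": {"$ref": "#/definitions/Address"}}}}}

# Placeholders used only when a schema has neither example nor default
# (mirrors the "John Doe" fallback the thread complains about).
PLACEHOLDERS = {"string": "John Doe", "integer": 0, "number": 0.0, "boolean": False}


def resolve(schema, doc):
    """Follow local $ref pointers such as '#/definitions/User'."""
    while "$ref" in schema:
        node = doc
        for part in schema["$ref"].lstrip("#/").split("/"):
            node = node[part]
        schema = node
    return schema


def value_for(schema, doc):
    schema = resolve(schema, doc)
    examples = schema.get("examples")          # assumed JSON-Schema style list
    if isinstance(examples, list) and examples:
        # several examples: prefer the most complete one (most keys set)
        return max(examples, key=lambda e: len(e) if isinstance(e, dict) else 0)
    if "example" in schema:                    # an example beats a default
        return schema["example"]
    if "default" in schema:
        return schema["default"]
    t = schema.get("type", "object")
    if t == "object":
        return {k: value_for(v, doc) for k, v in schema.get("properties", {}).items()}
    if t == "array":
        return [value_for(schema.get("items", {}), doc)]
    return PLACEHOLDERS.get(t)


def request_body(ref, doc=SWAGGER):
    """Return the request body (as a Python object) for the schema at `ref`."""
    return value_for({"$ref": ref}, doc)


if __name__ == "__main__":
    print(json.dumps(request_body("#/definitions/User"), indent=2))
```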
We faced the same issue while doing an API scan using a Swagger file for POST methods which expect a request body. The ZAP scan takes the default value "John Doe" for all types. Due to this, the scan response is always 400 Bad Request. Is there any way we can customise the inputs? How can we make sure that ZAP does pen testing (active scan) and the alerts are correct, since we are seeing each request is handled with the input value 'John Doe' only? @psiinon could you please help on this?
@greeshg this is explained in the help: https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsOpenapiOpenapi#user-specified-values
Hi, I tried passing a "default" parameter and value for those particular request body parameters in the OpenAPI Swagger JSON file, but it didn't take those default values while running an active scan through the ZAP tool; it always takes "John Doe" for all string parameters in the request body. I tried the options given in the above link, using the 'replacer' option in the ZAP tool, and that way it worked, but it is such a lengthy and tedious task to do as I have around 100 or more fields. Does anybody know if there is any option to pass default values for request body parameters in the OpenAPI Swagger JSON file itself which would work for the ZAP tool? Thank you in advance.
@tinplinplin - did you fix this issue? Thanks in advance.
This was not yet implemented (issues are usually closed once implemented). There are only the workarounds mentioned above.
Hi 👋
Hi, thanks in advance.
Answered in zaproxy/zap-extensions#2364 (comment)
Released in version 16 of the OpenAPI add-on.
@thc202 Hi, thank you so much.
You can update/install it from within ZAP; if you need to manually download it, it's in: https://github.com/zaproxy/zap-extensions/releases/tag/openapi-v16
For the record, the add-ons page should now be showing the latest link/info.
Good afternoon! I've noticed that the API scanner doesn't use the examples described in the definitions file imported from Swagger. ZAP API Scanner forms the POST requests with random data, not with the data included in the OpenApi 2.0 definitions file.
If I use the following JSON to import URLs into the scanner:
ZAP API Scanner sends the following request to the endpoint:
Instead of:
This prevents ZAP from consuming services without errors. How could I solve this problem? Thanks in advance!