Use example values when importing OpenAPI definitions #5168

Closed
mcruz-gh opened this issue Jan 2, 2019 · 20 comments · Fixed by zaproxy/zap-extensions#2364

@mcruz-gh

mcruz-gh commented Jan 2, 2019

Good afternoon! I've noticed that the API scanner doesn't include the examples described in the definitions file imported from Swagger. ZAP API Scanner forms the POST requests with random data, and not with the data included in the OpenApi 2.0 definitions file.

If I use the following JSON to import URLs into the scanner:

{
    "swagger": "2.0",
    "info": {
        "version": "1.0",
        "title": "Title"
    },
    "host": "redacted.com",
    "basePath": "/redacted",
    "schemes": [
        "https"
    ],
    "consumes": [
        "application/json"
    ],
    "produces": [
        "application/json"
    ],
    "paths": {
        "/redacted": {
            "post": {
                "parameters": [
                    {
                        "in": "body",
                        "name": "body",
                        "required": true,
                        "schema": {
                            "$ref": "#/definitions/redacted"
                        },
                        "x-examples": {
                            "default": "{\"AAA\": \"aaa\", \"BBB\": \"bbb\", \"CCC\": \"ccc\"}"
                        }
                    }
                ],
                "responses": {
                    "200": {
                        "description": "200 OK"
                    }
                }
            }
        }
    },
    "definitions": {
        "redacted": {
            "type": "object",
            "properties": {
                "AAA": {
                    "type": "string",
                    "example": "aaa"
                },
                "BBB": {
                    "type": "string",
                    "example": "bbb"
                },
                "CCC": {
                    "type": "string",
                    "example": "ccc"
                }
            }
        }
    }
}

ZAP API Scanner sends the following request to the endpoint:

POST /redacted HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Pragma: no-cache
Cache-Control: no-cache
Content-Length: redacted
Connection: close

{"AAA":"John Doe","BBB":"John Doe","CCC":"John Doe"}

Instead of:

POST /redacted HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Pragma: no-cache
Cache-Control: no-cache
Content-Length: redacted
Connection: close

{"AAA":"aaa","BBB":"bbb","CCC":"ccc"}

This prevents ZAP from consuming services without errors. How could I solve this problem? Thanks in advance!

@psiinon
Member

psiinon commented Jan 3, 2019

Yeah, sounds like a restriction that it would be good to fix.
@tinplinplin are you ok with trying to make the relevant changes? If so we can provide advice and guidance..

@mcruz-gh
Author

mcruz-gh commented Jan 3, 2019

Of course, I use this tool every day. I would be very happy to make some contributions for its improvement. Thanks!

@thc202
Member

thc202 commented Jan 3, 2019

The code that generates the values for the parameters is:
https://github.com/zaproxy/zap-extensions/blob/d5b8667d9201d7c094124b3bb1c4dbc45d5c62a7/src/org/zaproxy/zap/extension/openapi/generators/DataGenerator.java#L112

So, default the value to the example if set.

@mcruz-gh
Author

mcruz-gh commented Jan 4, 2019

On first sight it seems that default values are used for auto-populating body payloads, instead of the values that are supposed to be used (example values). The Swagger Inflector library contains the ExampleBuilder class, used for this purpose. Is this the correct approach?

@mxbrandi

👍

@kingthorin
Member

kingthorin commented Mar 14, 2019

@tinplinplin I can't speak to the use of that particular library class. But, basically it needs to get/parse the examples (when available) and use those values instead of defaults. If there are (or can be) multiple examples then pick first/last (as long as we document it) or most complete (# of param if some are optional) [I assume that's a thing ...]
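Added illustration of the precedence described above (example first, then default, then the "John Doe" placeholder). This is not ZAP's own DataGenerator code; it is a small Python walk over a trimmed copy of the Swagger 2.0 document from the report, with a constructed `default` added to `BBB` so that all three fallback levels are exercised.

```python
import json

# Trimmed copy of the Swagger 2.0 document posted in this issue (constructed
# sample input). "BBB" got a default and "CCC" lost its example on purpose,
# so the three fallback levels are all visible in the output.
SPEC = {
    "swagger": "2.0",
    "paths": {"/redacted": {"post": {"parameters": [{
        "in": "body", "name": "body", "required": True,
        "schema": {"$ref": "#/definitions/redacted"},
    }]}}},
    "definitions": {"redacted": {"type": "object", "properties": {
        "AAA": {"type": "string", "example": "aaa"},
        "BBB": {"type": "string", "default": "bbb-default"},
        "CCC": {"type": "string"},
    }}},
}

# Placeholder per primitive type; "John Doe" is what the report shows ZAP sending.
PLACEHOLDER = {"string": "John Doe", "integer": 0, "number": 0.0, "boolean": True}

def resolve(spec, schema):
    """Follow a local '#/definitions/...' $ref until a concrete schema is reached."""
    while "$ref" in schema:
        node = spec
        for part in schema["$ref"].lstrip("#/").split("/"):
            node = node[part]
        schema = node
    return schema

def generate(spec, schema, use_examples=True):
    """Build a value for a schema: example, then default, then a placeholder."""
    schema = resolve(spec, schema)
    if use_examples and "example" in schema:
        return schema["example"]
    if "default" in schema:
        return schema["default"]
    t = schema.get("type", "object")
    if t == "object":
        return {k: generate(spec, v, use_examples)
                for k, v in schema.get("properties", {}).items()}
    if t == "array":
        return [generate(spec, schema.get("items", {}), use_examples)]
    return PLACEHOLDER.get(t, "John Doe")

def body_for(spec, path, method, use_examples=True):
    """Return the JSON request body for the operation's 'in: body' parameter."""
    for param in spec["paths"][path][method].get("parameters", []):
        if param.get("in") == "body":
            value = generate(spec, param["schema"], use_examples)
            return json.dumps(value, separators=(",", ":"))
    return None
```

With `use_examples=False` the output reproduces the all-"John Doe" body from the report for fields that have neither example nor default.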

@ghost

ghost commented Apr 12, 2019

We faced the same issue while API scanning using a swagger file for POST methods which expect a request body. The ZAP scan takes the default value as "John Doe" for all types. Due to this, our scan response is always 400 bad request. Is there any way we can customise the inputs? How can we make sure that ZAP does pen testing (active scan) and the alerts are correct, since we are seeing each request is handled with the input value as 'John Doe' only.

@psiinon could you please help on this?

@psiinon
Member

psiinon commented Apr 12, 2019

@greeshg this is explained in the help: https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsOpenapiOpenapi#user-specified-values
The form handler add-on is https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsFormhandlerFormHandlerHelp

@user23march

Hi,
I am also facing the same issue: ZAP is replacing the request body field/parameter values with "john doe".

I tried passing a "default" parameter and value for those particular request body parameters in the OpenAPI swagger JSON file, but it didn't take those default values while running an active scan through the ZAP tool; it always takes "john doe" for all string parameters in the request body.

I tried the options given in the links above using the 'replacer' option in the ZAP tool, and that way it worked, but it is such a lengthy and tedious task to do as I have around 100 or more fields.

Does anybody know if there is any option to pass default values for request body parameters in the OpenAPI swagger JSON file itself which would work for the ZAP tool?

Thank you in advance.

@psiinon
Member

psiinon commented Mar 23, 2020

@user23march

@tinplinplin - did you fix this issue?
I am still facing this issue with ZAP 2.9.
ZAP is not reading the example values for request body parameters from the OpenAPI swagger file.
@psiinon - the above link which you sent is for the replacer option. It's possible when I have only a few, like 5 or 6, params to replace in the request body, but I want example values to be read during the scan from the OpenAPI swagger. As I have 100s of params or maybe more in the requestBody, I need them to be passed through examples in the OpenAPI swagger. Can you please tell me the solution?

Thanks in advance.

@thc202
Member

thc202 commented Apr 5, 2020

This was not yet implemented (issues are usually closed once implemented).

There are only workarounds mentioned above.

@thc202 thc202 changed the title ZAP Api Scanner: POST request body issues Use example values when importing OpenAPI definitions Apr 5, 2020
@J12934
Contributor

J12934 commented Apr 6, 2020

Hi 👋
I've started working on this in relation to another related issue (#5913).
I've opened up a Draft Pull Request (zaproxy/zap-extensions#2364) as this is still work in progress, but to give everybody here a chance to help and give feedback on the change.

@user23march

Hi,
Just wanted to know when this change is going to come, and with which ZAP version?
I hope it includes reading example values of request body parameters from the swagger JSON file (OpenAPI).
Please let me know.

Thanks in advance.

@thc202
Member

thc202 commented May 27, 2020

Answered in zaproxy/zap-extensions#2364 (comment)

@thc202
Member

thc202 commented Jun 9, 2020

Released in version 16 of OpenAPI add-on.

@user23march

@thc202 Hi, thank you so much.
Can you please provide the link for version 16?
I see version 15 only in the ZAP add-ons link.

@thc202
Member

thc202 commented Jun 12, 2020

You can update/install it from within ZAP; if you need to download it manually, it's in: https://github.com/zaproxy/zap-extensions/releases/tag/openapi-v16

@thc202
Member

thc202 commented Jun 12, 2020

For the record, the add-ons page should now be showing the latest link/info.

@github-actions

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked and limited conversation to collaborators Jul 12, 2021