
OpenAPI - Use Path & Query Examples from OpenApi Spec #5913

Closed
J12934 opened this issue Mar 25, 2020 · 2 comments

Comments

@J12934
Contributor

J12934 commented Mar 25, 2020

Is your feature request related to a problem? Please describe.

When importing an OpenAPI / Swagger definition, the query parameters' names and values are always the same, e.g. search.php?query=query.

In simple examples this often works ok(ish), but when endpoints require certain formats, like dates, this will cause the parameter validation to always fail.

For example an endpoint which is normally addressed with:
GET /appointments?from=25.3.2020&to=28.3.2020
will get imported as:
GET /appointments?from=from&to=from

The Active Scanner will then try to fuzz the endpoint one parameter at a time, but as one parameter is always set to the value from or to, the actual endpoint / controller code is never triggered, as the input validation is always triggered, and the only thing being tested is the input validation.
This is more relevant if the parameters don't share the same validation rules, and one might allow attack strings to pass through while the other one doesn't.

Describe the solution you'd like

Since OpenAPI v3 it is now possible to provide example values in the path and query sections of the API definition as well. (In OpenAPI v2 this was often done using a non-standard x-example attribute.)

It would be great if the OpenAPI plugin were able to use the example (if set) to populate the default value of the requests, so that it is set to something the validation is likely to accept.

Describe alternatives you've considered

So far we've been using the Replacer plugin to replace strings like =from with proper values like =25.3.2020 in the Header String.

This works ok(ish) but is a lot of work.

Additional context

Possibly related to #3344, but as far as I can tell this one didn't include query and path values.

Would you like to help implementing this feature?

Yes 😀
I've started looking for the code where this is implemented, and found this part here: https://github.com/zaproxy/zap-extensions/blob/master/addOns/openapi/src/main/java/org/zaproxy/zap/extension/openapi/generators/PathGenerator.java#L42
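As an added illustration (not code from this issue or from the ZAP OpenAPI add-on), the Python sketch below shows the resolution order the request describes: take the parameter's OpenAPI v3 `example`, else the legacy `x-example` vendor extension, else the first entry of `examples`, else a schema-level `example`, and only then fall back to the parameter name, which is the import behaviour reported above. The spec fragment, endpoint paths and example values are constructed for the demonstration.

```python
"""Resolve example values for OpenAPI path/query parameters (added example).

Builds `METHOD /path?query` lines from an OpenAPI v3 document, preferring
declared examples over the parameter name so that input validation on the
target is satisfied and the handler code behind it is actually exercised.
"""
from typing import Any, Dict, List, Tuple
from urllib.parse import urlencode

# Constructed spec fragment (not from the issue or from ZAP). It mixes the
# v3 `example` field, the v2-style `x-example` extension, the v3 `examples`
# map, and a parameter with no example at all.
SAMPLE_SPEC: Dict[str, Any] = {
    "openapi": "3.0.0",
    "paths": {
        "/appointments": {
            "get": {
                "parameters": [
                    {"name": "from", "in": "query",
                     "schema": {"type": "string"}, "example": "25.3.2020"},
                    {"name": "to", "in": "query",
                     "schema": {"type": "string"}, "x-example": "28.3.2020"},
                    {"name": "limit", "in": "query",
                     "schema": {"type": "integer"}},
                ]
            }
        },
        "/users/{userId}/appointments/{apptId}": {
            "get": {
                "parameters": [
                    {"name": "userId", "in": "path", "required": True,
                     "schema": {"type": "string"},
                     "examples": {"alice": {"value": "u-42"}}},
                    {"name": "apptId", "in": "path", "required": True,
                     "schema": {"type": "integer"}},
                ]
            }
        },
    },
}

HTTP_METHODS = ("get", "post", "put", "delete", "patch", "head", "options")


def example_value(param: Dict[str, Any]) -> str:
    """Pick the best available example for one Parameter Object.

    Order: `example` (v3), `x-example` (v2 vendor extension), first entry of
    `examples` (each entry is an Example Object carrying `value`), then the
    schema's own `example`, and finally the parameter name as a last resort.
    """
    for key in ("example", "x-example"):
        if key in param:
            return str(param[key])
    examples = param.get("examples")
    if isinstance(examples, dict) and examples:
        first = next(iter(examples.values()))
        if isinstance(first, dict) and "value" in first:
            return str(first["value"])
    schema = param.get("schema", {})
    if "example" in schema:
        return str(schema["example"])
    return param["name"]  # current import behaviour described in the issue


def build_request_line(path: str, operation: Dict[str, Any], method: str) -> str:
    """Substitute path templates and append query parameters."""
    params: List[Dict[str, Any]] = operation.get("parameters", [])
    query: List[Tuple[str, str]] = []
    for p in params:
        value = example_value(p)
        if p.get("in") == "path":
            path = path.replace("{" + p["name"] + "}", value)
        elif p.get("in") == "query":
            query.append((p["name"], value))
    if query:
        path += "?" + urlencode(query)
    return f"{method.upper()} {path}"


def generate_requests(spec: Dict[str, Any]) -> List[str]:
    """One request line per operation, in document order."""
    lines: List[str] = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:
                lines.append(build_request_line(path, op, method))
    return lines


if __name__ == "__main__":
    for line in generate_requests(SAMPLE_SPEC):
        print(line)
```

With the constructed spec this yields `GET /appointments?from=25.3.2020&to=28.3.2020&limit=limit` and `GET /users/u-42/appointments/apptId`: parameters that carry an example are populated with it, while the ones without still fall back to the name, which is where the validation failures described above come from.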

@thc202
Member

thc202 commented Apr 5, 2020

Merging into #5168, which is now generic (better tracking all places in the same issue).

@J12934, comment in that issue if you are still working on this, so we can assign it to you.

@github-actions

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked and limited conversation to collaborators Jul 12, 2021