Is your feature request related to a problem? Please describe.
When importing an OpenAPI / Swagger definition, the query parameters' names and values are always the same, e.g. search.php?query=query.
In simple examples this often works ok(ish), but when endpoints require certain formats, like dates, this will cause the parameter validation to always fail.
For example an endpoint which is normally addressed with: GET /appointments?from=25.3.2020&to=28.3.2020
Will get imported as: GET /appointments?from=from&to=from
The Active Scanner will then try to fuzz the endpoint one parameter at a time, but as one parameter is always set to the value from or to the actual endpoint / controller code is never triggered as the input validation is always triggered and the only thing that was being tested is the input validation.
This is more relevant if the parameters don't share the same validation rules and one might allow attack strings to pass through while the other one doesn't.
Describe the solution you'd like
Since OpenAPI v3 it is now possible to provide example values also in the path and query section of the API definition. (In OpenAPI v2 this was often done using a non-standard x-example attribute)
It would be great if the OpenAPI plugin would be able to use the example (if set) to populate the default value of the requests with the example, to have it set to something the validation is likely to accept.
Describe alternatives you've considered
So far we've been using the Replacer plugin to replace strings like =from with proper values like =25.3.2020 in the header string.
This works ok(ish) but is a lot of work.
Additional context
Possibly related to #3344, but as far as I can tell this one didn't include query and path values.
Would you like to help implementing this feature?
Yes 😀
I've started looking for the code where this is implemented, and found this part here: https://github.com/zaproxy/zap-extensions/blob/master/addOns/openapi/src/main/java/org/zaproxy/zap/extension/openapi/generators/PathGenerator.java#L42
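As an added illustration of the requested behaviour (this is example code, not ZAP's or the OpenAPI add-on's own implementation), the following builds the seed URLs for each operation from a constructed OpenAPI v3 definition: a parameter's example (or schema.example, or the legacy v2 x-example) becomes its default value, and only when none is present does the parameter name double as the value, which is what the importer does today.

```python
# Added example, not code from ZAP or its OpenAPI add-on: seed URLs from an
# OpenAPI v3 definition, using parameter examples where present and falling
# back to the parameter name (the importer's current behaviour) otherwise.
from urllib.parse import quote, urlencode

# Constructed sample definition (not a real API).
SPEC = {
    "openapi": "3.0.0",
    "paths": {
        "/appointments": {"get": {"parameters": [
            {"name": "from", "in": "query", "example": "25.3.2020",
             "schema": {"type": "string"}},
            {"name": "to", "in": "query",
             "schema": {"type": "string", "example": "28.3.2020"}},
        ]}},
        "/search.php": {"get": {"parameters": [
            {"name": "query", "in": "query", "schema": {"type": "string"}},
        ]}},
        "/appointments/{id}": {"get": {"parameters": [
            # Legacy v2-style x-example, as mentioned in the issue.
            {"name": "id", "in": "path", "required": True, "x-example": 42},
        ]}},
    },
}


def default_value(param):
    """Pick a seed value: example > schema.example > x-example > parameter name."""
    for candidate in (param.get("example"),
                      param.get("schema", {}).get("example"),
                      param.get("x-example")):
        if candidate is not None:
            return str(candidate)
    return param["name"]  # current behaviour: the name is used as the value


def seed_requests(spec):
    """Return (METHOD, url) pairs with path and query parameters filled in."""
    out = []
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            params = op.get("parameters", [])
            url = path
            for p in params:  # substitute path templates like {id}
                if p["in"] == "path":
                    url = url.replace("{%s}" % p["name"], quote(default_value(p), safe=""))
            query = {p["name"]: default_value(p) for p in params if p["in"] == "query"}
            if query:
                url += "?" + urlencode(query)
            out.append((method.upper(), url))
    return out
```

Calling seed_requests(SPEC) yields GET /appointments?from=25.3.2020&to=28.3.2020, GET /search.php?query=query and GET /appointments/42, so the date-validated endpoint is reached with values its validation will accept.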