globalexcludeurl.url_list.url(0).regex=.*revoke.* doesn't seem to work with zap-api-scan.py


Clément Ronzon

Aug 22, 2023, 8:34:29 PM
to ZAP User Group
Hi,

I am using the dockerized zap-api-scan.py this way:
docker run --rm -v "$(pwd)":/zap/wrk/:rw --user root -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py -t swagger.json -f openapi -z "-configfile /zap/wrk/options.prop" -r active-scan-report.html -J active-scan-report.json

and options.prop contains the following:
globalexcludeurl.url_list.url(0).regex=.*revoke.*
globalexcludeurl.url_list.url(0).enabled=true


Though, looking at the report, the urls with "revoke" in them were not excluded.

What am I doing wrong please?

Thanks.

psiinon

Aug 23, 2023, 10:08:48 AM
to zaprox...@googlegroups.com
Hiya,

You are possibly doing nothing wrong - I've just tried it in the desktop and it looks like the Open API add-on ignores the global excludes :(
That's a bug - the global excludes should be a good way to stop specific endpoints from being imported.
I think the other API import jobs will act in the same way, so I've raised: https://github.com/zaproxy/zaproxy/issues/8022

Don't forget that giving the first comment of an issue a 👍 will help raise an issue's priority...

Cheers,

Simon

--
You received this message because you are subscribed to the Google Groups "ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/aa416cfe-5226-4fff-831a-c17848d5ba17n%40googlegroups.com.


--
ZAP Project leader

Clément Ronzon

Aug 23, 2023, 5:52:46 PM
to ZAP User Group
TY for opening the ticket!

Please, is there a workaround?

psiinon

Aug 24, 2023, 3:57:40 AM
to zaprox...@googlegroups.com
You could create an httpsender script which 404s the URLs you don't want to be accessed.
We have some proxy scripts which you could convert: https://github.com/zaproxy/community-scripts/tree/main/proxy


Cheers,

Simon



--
ZAP Project leader

Clément Ronzon

Aug 29, 2023, 4:19:27 PM
to ZAP User Group
It seems to be working, TYVM. Here is what I implemented:

I added the following to the options.prop file:
script.scripts.name=Prevents revoke endpoints to be called
script.scripts.engine=Oracle Nashorn
script.scripts.type=httpsender
script.scripts.enabled=true
script.scripts.file=/zap/wrk/prevent-revoke.js


Here is the content of prevent-revoke.js file:
var URI = Java.type("org.apache.commons.httpclient.URI");

// HttpSender script: ZAP calls sendingRequest for every request it sends,
// whichever component initiated it (OpenAPI import, spider, active scan).
// Any request whose URL contains "revoke" is rewritten to a harmless /ping
// on the same scheme/host/port, so the revoke endpoint is never hit.
function sendingRequest(msg, initiator, helper) {
    var originalRequestUri = msg.getRequestHeader().getURI().toString();
    if (originalRequestUri && originalRequestUri.indexOf("revoke") !== -1) {
        var requestUri = msg.getRequestHeader().getURI();
        // Keep scheme, userinfo, host and port; replace path and query with /ping.
        requestUri = new URI(requestUri.getScheme(),
            requestUri.getUserinfo(),
            requestUri.getHost(),
            requestUri.getPort(),
            "/ping");
        msg.getRequestHeader().setURI(requestUri);
        print("Calling " + msg.getRequestHeader().getURI().toString() + " instead of " + originalRequestUri);
    }
}

// Required by the httpsender template; nothing to do on the response side.
function responseReceived(msg, initiator, helper) {
}



Please don't hesitate to let me know if you see any possible performance improvement.

Thanks.
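A check a practitioner would want after a run like the one in this thread is to confirm, from the produced JSON report, that no URL an enabled global exclude should have kept out was actually touched. The example below is added here and is not code from the thread or from the ZAP project. It assumes the layout of ZAP's traditional JSON report (site -> alerts -> instances -> uri), parses the `globalexcludeurl.url_list.url(N).regex/enabled` entries from an options.prop-style file, and applies them as whole-URL matches (which is why the pattern on this page is wrapped in `.*`). The report fixture and the second exclusion entry are constructed for the example. Note that the JSON report only lists URLs that raised alerts, so the script's own `print` output in the ZAP log remains the authoritative record of what was rewritten.

```python
import json
import re

# Constructed fixture in the shape of ZAP's traditional JSON report
# (site -> alerts -> instances -> uri). Hand-written, not from a real scan.
SAMPLE_REPORT = {
    "@version": "2.13.0",
    "site": [
        {
            "@name": "https://api.example.test",
            "alerts": [
                {
                    "pluginid": "10021",
                    "name": "X-Content-Type-Options Header Missing",
                    "instances": [
                        {"uri": "https://api.example.test/ping", "method": "GET"},
                        {"uri": "https://api.example.test/v1/tokens", "method": "POST"},
                    ],
                },
                {
                    "pluginid": "40018",
                    "name": "SQL Injection",
                    "instances": [
                        {"uri": "https://api.example.test/v1/tokens/revoke", "method": "POST"},
                    ],
                },
            ],
        }
    ],
}

# Constructed options.prop content: the entry from the thread plus a disabled
# second entry, to show that disabled excludes are ignored.
OPTIONS_PROP = """\
globalexcludeurl.url_list.url(0).regex=.*revoke.*
globalexcludeurl.url_list.url(0).enabled=true
globalexcludeurl.url_list.url(1).regex=.*/admin/.*
globalexcludeurl.url_list.url(1).enabled=false
"""

_KEY = re.compile(r"globalexcludeurl\.url_list\.url\((\d+)\)\.(regex|enabled)")


def load_exclusions(options_text):
    """Return compiled regexes for every enabled globalexcludeurl entry, in index order."""
    regexes, enabled = {}, {}
    for raw in options_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        m = _KEY.fullmatch(key.strip())
        if not m:
            continue
        idx, field = int(m.group(1)), m.group(2)
        if field == "regex":
            regexes[idx] = value.strip()
        else:
            enabled[idx] = value.strip().lower() == "true"
    return [re.compile(regexes[i]) for i in sorted(regexes) if enabled.get(i, False)]


def report_uris(report):
    """Yield every URI that appears as an alert instance in the JSON report."""
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            for inst in alert.get("instances", []):
                uri = inst.get("uri")
                if uri:
                    yield uri


def excluded_uris_hit(report, exclusions):
    """Sorted list of report URIs that an enabled exclude should have kept out.

    ZAP's exclude regexes must match the whole URL (assumption, hence the .*
    wrapping in the thread), so fullmatch is used rather than search.
    """
    hits = {u for u in report_uris(report) if any(rx.fullmatch(u) for rx in exclusions)}
    return sorted(hits)


def check_report_file(report_path, options_path):
    """Load a real report and options file from disk and return the offending URIs."""
    with open(report_path, encoding="utf-8") as fh:
        report = json.load(fh)
    with open(options_path, encoding="utf-8") as fh:
        exclusions = load_exclusions(fh.read())
    return excluded_uris_hit(report, exclusions)


if __name__ == "__main__":
    for uri in excluded_uris_hit(SAMPLE_REPORT, load_exclusions(OPTIONS_PROP)):
        print("excluded URL was still scanned:", uri)
```

Run `check_report_file("active-scan-report.json", "options.prop")` against a real run; a non-empty result means the exclusion did not take effect and the httpsender workaround (or the fix for issue 8022) is still needed.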