OpenAPI scan


Julia Khanbekova

Nov 10, 2025, 7:33:49 AM
to ZAP User Group
Hi, Simon,
I'm running an OpenAPI scan and encountered an issue with path parameter substitution.
I have an endpoint defined as /test/{test_id}/test
But during the scan, ZAP sends the request as:
POST /test//test
Content-Type: application/json
{"name":"ZAP","code":"John Doe","description":"Zaproxy alias impedit expedita quisquam pariatur exercitationem. Nemo rerum eveniet dolores rem quia dignissimos.","reference_group":"John Doe"}

ZAP doesn’t substitute the {test_id} parameter, even though it’s defined as required in the OpenAPI spec:
"/test/{test_id}/test":{
  "post":{
    "tags":["test","test test"],
    "summary":"test test",
    "description":"test test",
    "operationId":"post",
    "parameters":[{
      "name":"test_id",
      "in":"path",
      "description":"ID test",
      "required":true,
      "schema":{
        "type":"string",
        "format":"uuid"
      }
    }],
    "requestBody":{
      "content":{
        "application/json":{
          "schema":{
            "$ref":"#/***"
          }
        }
      },
      "required":true
    },
    "responses":{
      "400":{
        "description":"Bad Request",
        "content":{
          "*/*":{
            "schema":{
              "$ref":"#/***"
            }
          }
        }
      },
      "200":{
        "description":"OK",
        "content":{
          "application/json":{
            "schema":{
              "$ref":"#/***"
            }
          }
        }
      }
    }
  }
}

Could you please help me understand why ZAP doesn’t substitute the test_id value and sends /test//test instead?

Julia Khanbekova

Nov 30, 2025, 7:23:53 AM
to ZAP User Group
Simon, can you explain this program behavior and how to properly configure scanning?

Julia Khanbekova

Dec 3, 2025, 2:36:46 AM
to ZAP User Group
Can you please provide advice?

Simon Bennetts

Dec 4, 2025, 11:30:25 AM
to ZAP User Group
Hi Julia,

I would have answered this question ages ago .. but you kept asking for updates :/
I was not deliberately ignoring you, but I have a separate mail folder for all ZAP User Group questions.
I leave them unread until I answer them, and I always do that in reverse order.
If you post asking for an update then that actually delays when I will reply as the email thread looks more recent :D

I've just tried your spec and when I imported it into ZAP the "test_id" parameter was correctly identified as being a parameter, but yes, ZAP still specified test_id for it.
Strictly speaking ZAP should specify a UUID .. but will a random UUID actually work in your app?

Cheers,

Simon
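
Added example (not from the thread and not ZAP's code): a Python pre-scan check that expands the path templates in an OpenAPI `paths` object, using a known-good ID where one is supplied and a schema-shaped value otherwise, and reports any operation whose URL would still contain an empty segment such as /test//test. The names `expand_paths`, `sample_value` and `known_ids` are assumptions made for this example, and the spec fragment is constructed from the one in the question.

```python
import re
import uuid

# Constructed sample: the path item from the question, trimmed to the parts used here.
SPEC_PATHS = {
    "/test/{test_id}/test": {"post": {"parameters": [{
        "name": "test_id", "in": "path", "required": True,
        "schema": {"type": "string", "format": "uuid"},
    }]}}
}
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
TEMPLATE = re.compile(r"\{([^{}]+)\}")


def sample_value(schema, known_ids, name):
    """Prefer an ID known to exist in the app; otherwise shape a value from the schema."""
    if name in known_ids:
        return known_ids[name]
    if schema.get("format") == "uuid":
        return str(uuid.uuid4())  # well-formed, but may not match any real record
    if schema.get("type") in ("integer", "number"):
        return "1"
    return name  # last resort: the parameter name as a visible placeholder


def expand_paths(paths, known_ids=None):
    """Return (METHOD, concrete_path, problems) for every operation in `paths`."""
    known_ids = known_ids or {}
    results = []
    for template, item in paths.items():
        shared = item.get("parameters", [])  # path-level parameters apply to all operations
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            declared = shared + op.get("parameters", [])
            params = {p["name"]: p for p in declared if p.get("in") == "path"}
            problems = []

            def fill(match):
                name = match.group(1)
                if name not in params:
                    problems.append(f"{name}: not declared as a path parameter")
                    return ""
                return sample_value(params[name].get("schema", {}), known_ids, name)

            path = TEMPLATE.sub(fill, template)
            if "//" in path:
                problems.append("empty path segment")
            results.append((method.upper(), path, problems))
    return results
```

Passing `known_ids={"test_id": "<an ID that exists in the app>"}` addresses the question Simon raises: a random UUID is syntactically valid but may only ever exercise the not-found path of the handler.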
