SOAP WSDL IMPORT DOES NOT PRODUCE ANY RESULT

[Gabriele Bertolini]

Hi team,

I'd like to ask for your help...

I'm tring to start an API dast on a SOAP endpoint.

But trying to import the wsdl configuration nothing appens... the request are not mapped and no errors are displayed.

Details of the wsdl header:

Version of zap: 2.12.0

Soap support plugin: 17.0.0

Thank you in advance!!!

[Simon Bennetts]

Are there any errors in the zap.log file?

https://www.zaproxy.org/faq/somethings-not-working-what-should-i-do/#check-the-log-file

Can you share an obfuscated version of the whole file, or just a small subset which you have checked also doesnt work?

Cheers,

Simon

[Gabriele Bertolini]

Here the exception:

2023-04-20 11:33:37,677 [ZAP-Import-WSDL-1] ERROR WSDLCustomParser - There was an error while parsing WSDL content.

I've resolved it importing locally the wsdl and the xsd schema.

But doing the scan with the automation plugin, active scan doesn't start:

2023-04-20 12:30:58,384 [ZAP-Automation] INFO  CommandLine - Job activeScan started
2023-04-20 12:30:58,403 [ZAP-Automation] INFO  Scanner - scanner started
2023-04-20 12:30:58,418 [ZAP-Scanner-0] INFO  HostProcess - No nodes to scan from https://*******, skipping all plugins.

 and reports doesn't show any alert.

[Gabriele Bertolini]

Thank you in advance!

[Simon Bennetts]

Are any endpoints imported?

You should see any that are in the Sites tree.

[Gabriele Bertolini]

Endpoint are imported correctly.



Passive scan have findings:


Active scan don't do anything.



Report don't have any finding.

I have to launch manually the active scan selecting the site in order to active scan it.

[Gabriele Bertolini]

Putting into the context not the start point of the rest api (eg: http://example.com/API/REST) but the fqdn (eg: http://example.com) the active scan is doing his job!

In general, configuring APIs scans do you recommend to insert into the context the entire site?

Thank you!