ZAP-API: unable to create new context using context API and access url by using accessUrl api.


lakshmi

Apr 25, 2017, 4:00:56 AM
to OWASP ZAP User Group

Hi Team

We are trying to integrate the ZAP APIs with the Bamboo CI tool. For this we wanted to use 'curl' commands to run the APIs from a script. However, we are facing the issues below.

Approach:
1. Start ZAP in daemon mode
Go to ZAP folder> ./zap.bat -daemon -config api.disablekey=true
2. Access the ZAP API page: localhost:8090
3. Component Core:
GET method>pass the url: https://xx-xx.test.com/covers/
4. Click the accessUrl button
5. A new tab opens with the response URL:
around 10 lines of response data

When I use the same response URL with the curl command, I get missing parameter 'url':

[ZAP-ProxyThread-1] WARN org.zaproxy.zap.extension.api.API  - ApiException while handling API request:
Missing Parameter (missing_parameter) : url
        at org.zaproxy.zap.extension.api.API.handleApiRequest(Unknown Source)
        at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(Unknown Source)
        at org.parosproxy.paros.core.proxy.ProxyThread.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)

Issue 2:
While creating a new context using the newContext API, I am facing the same issue: missing parameter contextName.

Please advise what I am doing wrong.

thc...@gmail.com

Apr 25, 2017, 4:15:18 AM
to zaprox...@googlegroups.com
Hi.

The API calls are correct, maybe some of the chars need to be escaped
when calling from the command line?

Could you execute the curl commands with -v and check what's really
being sent?

Best regards.

lakshmi

Apr 25, 2017, 5:12:36 AM
to OWASP ZAP User Group
Thanks for the reply.

I have tried with -v and am getting the response below (400 Bad Request).

Command:
curl -v http://localhost:8090/JSON/core/action/accessUrl/?zapapiformat=JSON&formMethod=GET&url=https://xx-xx.test.com/covers/&followRedirects=

$ *   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8090 (#0)
> GET /JSON/core/action/accessUrl/?zapapiformat=JSON HTTP/1.1
> Host: localhost:8090
> User-Agent: curl/7.53.0
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; child-src 'self'; img-src 'self' data:; font-src 'self' data:; style-src 'self'
< Referrer-Policy: no-referrer
< Access-Control-Allow-Methods: GET,POST,OPTIONS
< Access-Control-Allow-Headers: ZAP-Header
< X-Frame-Options: DENY
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Clacks-Overhead: GNU Terry Pratchett
< Content-Length: 58
< Content-Type: application/json; charset=UTF-8
<
{ [58 bytes data]
100    58  100    58    0     0    264      0 --:--:-- --:--:-- --:--:--   264{"code":"missing_parameter","message":"Missing Parameter"}
* Connection #0 to host localhost left intact

Please help.

thc...@gmail.com

Apr 25, 2017, 5:21:01 AM
to zaprox...@googlegroups.com
Seems the ampersands need to be escaped (note that in the request URI
it's missing the parameters after the first ampersand).

Best regards.

lakshmi

Apr 26, 2017, 4:10:27 AM
to OWASP ZAP User Group
Thanks for the guidance.

Though I tried with escaped ampersands (& replaced with %26), I am getting the same error: missing parameters.

Please advise.

thc...@gmail.com

Apr 26, 2017, 4:19:27 AM
to zaprox...@googlegroups.com
In the command line the escape is done with char \
so: \&

Best regards.

lakshmi

Apr 26, 2017, 5:20:34 AM
to OWASP ZAP User Group
Thanks a ton.

Working fine now after replacing with \&. 
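
The failure and the fix discussed in this thread, reproduced offline as an added example (not code posted by either participant). `show_arg` stands in for curl, and `param_names` is a hypothetical helper that splits the query on literal `&`, which is an assumption about how the query is parsed on the ZAP side.

```bash
#!/bin/sh
# Added example. URL pieces are copied from the thread; nothing contacts ZAP.
BASE='http://localhost:8090/JSON/core/action/accessUrl/'
QUERY='zapapiformat=JSON&formMethod=GET&url=https://xx-xx.test.com/covers/&followRedirects='

# Stand-in for curl: print the one URL argument the shell hands over.
show_arg() { printf '%s\n' "$1"; }

# Hypothetical helper: parameter names found by splitting the query on
# literal '&' (assumed server-side parsing; %26 is not a separator).
# The body is a subshell so the IFS and noglob changes stay local.
param_names() (
  query=${1#*\?}; names=
  IFS='&'; set -f
  for pair in $query; do names="${names:+$names }${pair%%=*}"; done
  printf '%s\n' "$names"
)

# 1. As first typed: unquoted. eval re-parses the text as the prompt would,
#    so each & ends a command and runs it in the background.
as_typed() { eval "show_arg ${BASE}?${QUERY}"; wait; }

# 2. %26 instead of &: the shell passes it through, but it is now data
#    inside the first value, not a parameter separator.
pct26() { show_arg "${BASE}?$(printf '%s' "$QUERY" | sed 's/&/%26/g')"; }

# 3. The fix from the thread: backslash-escape each & for the shell.
escaped() {
  show_arg "$BASE"?zapapiformat=JSON\&formMethod=GET\&url=https://xx-xx.test.com/covers/\&followRedirects=
}

# 4. Equivalent: quote the whole URL (also protects ? from globbing).
quoted() { show_arg "${BASE}?${QUERY}"; }

for form in as_typed pct26 escaped quoted; do
  printf '%-9s -> %s\n' "$form" "$(param_names "$($form)")"
done
```

Forms 1 and 2 both leave ZAP with only `zapapiformat`, which matches the truncated request line in the `-v` output and the `missing_parameter` response; forms 3 and 4 deliver all four parameters.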