ZAP Form handler Issues

[shafi mohammed]

We are trying to scan APIs which has an open API definition:

I have some questions here :

1. From the UI if i try to import the Swagger Defnition we have 2 filed there : 

  a. The url where the open api defnition has to be imported 

  b. the actual target url 

in the zap apiscan.py how can i pass these two parameter ? How can i see what all the endpoints imported from the open api defnition ? How can i see whether my form  hanlder addon configurations are working fine ?

2. If use the zap UI api and import the api defnition it is working with the form handler confiuration .

but when i run zap as a daemon and use localapi , the form handler configurations are not working ? is there any way to add the form handler configuration here ?

docker run  --name zap -d  -u zap -p 8080:8080 -i owasp/zap2docker-stable zap.sh -daemon -host 0.0.0.0 -port 8080  -config formhandler.fields.field\\(0\\).fieldId=abcd -config formhandler.fields.field\\(0\\).value=efgh -config formhandler.fields.field\\(0\\).enabled=true  -config formhandler.fields.field(1\\).fieldId=qqqq   -config formhandler.fields.field\\(1\\).value=abcdefgh -config formhandler.fields.field\\(1\\).enabled=true -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config api.disablekey=true -config connection.timeoutInSecs=60

[Simon Bennetts]

Hi,

The packaged API scan does not currently support the target URL.

However the Automation Framework (AF) openapi job does support it: https://www.zaproxy.org/docs/desktop/addons/openapi-support/automation/

Note that while the AF is at a relatively early stage we are migrating the packaged scans to use it, so in your case I think it could be a good option.

The AF supports job tests which can check things like ZAP stats.

You can use a job test to check that the expected number of URLs have been added - see the openapi.urls.added key on https://www.zaproxy.org/docs/internal-statistics/

The AF does not currently have explicit support for the form handler, but it should use any values set via the config options.

Try running the ZAP desktop from the command line with the options - you will then be able to see if they have been correctly applied.

Ypou might be running into an escaping problem - you can put the options in a config file which might help.

Cheers,

Simon