OpenAPI schema specifies a JSON array of objects, but ZAP sends a string

Jernej Rus

Jan 9, 2026, 6:48:14 AM
to ZAP User Group
Hello. Some of our website's OpenAPI endpoints specify that the request body be a JSON array of objects. Abridged example:
"/subscribers/api/v2/": {
  "post": {
    "tags": [
      "Subscribers API"
    ],
    "summary": "Creates list of subscribers",
    "description": "Creates list of subscribers",
    "operationId": "Create subscribers",
    "requestBody": {
      "content": {
        "application/json": {
          "schema": {
            "type": "array",
            "items": {
              "$ref": "#/components/schemas/Subscriber"
            }
          }
        }
      },
      "required": true
    },
    "responses": {
      "200": {
        "description": "OK",
        "content": {
          "application/json": {
            "schema": {
              "$ref": "#/components/schemas/Report"
            }
          }
        }
      },
      "500": {
        "description": "Internal Server Error",
        "content": {
          "application/json": {
            "schema": {
              "$ref": "#/components/schemas/ErrorMessage"
            }
          }
        }
      }
    },
    "security": [
      {
        "subscriber-api": []
      }
    ]
  },
}

However, ZAP sends a string:
Capture.PNG
This causes the endpoints to respond with 400 Bad Request:
Capture2.PNG
ZAP also logs a warning message. Example (with sensitive information masked):
1810763 [ZAP-ActiveScanner-16] WARN  org.parosproxy.paros.core.scanner.VariantJSONQuery - Failed to parse the request body for url [MASKED]/subscriber-api/subscribers/api/v2/ : Input is invalid JSON; does not start with '{' or '[', c=34
java.lang.IllegalArgumentException: Input is invalid JSON; does not start with '{' or '[', c=34
at org.parosproxy.paros.core.scanner.VariantJSONQuery.parseObject(VariantJSONQuery.java:139) ~[zap-2.16.1.jar:2.16.1]
at org.parosproxy.paros.core.scanner.VariantJSONQuery.parseContent(VariantJSONQuery.java:89) ~[zap-2.16.1.jar:2.16.1]
at org.parosproxy.paros.core.scanner.VariantAbstractRPCQuery.setRequestContent(VariantAbstractRPCQuery.java:148) ~[zap-2.16.1.jar:2.16.1]
at org.parosproxy.paros.core.scanner.VariantAbstractRPCQuery.setMessage(VariantAbstractRPCQuery.java:60) [zap-2.16.1.jar:2.16.1]
at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(AbstractAppParamPlugin.java:91) [zap-2.16.1.jar:2.16.1]
at org.parosproxy.paros.core.scanner.AbstractPlugin.run(AbstractPlugin.java:391) [zap-2.16.1.jar:2.16.1]
at java.base/java.lang.Thread.run(Thread.java:840) [?:?]

I found no errors in our OpenAPI schemas. Does ZAP know how to send an array in the body, or is this a bug in ZAP?
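A triage check for the mismatch described in the post, added here as an example (not code from ZAP or from the poster): it compares the top-level JSON type of a captured request body with the type the OpenAPI operation declares and reports the first character code, since ASCII 34 is the double quote, consistent with the `c=34` in the logged exception. The sample bodies and the `email` field are constructed; the body shown in the screenshot is not reproduced.

```python
import json

# requestBody of the operation quoted in the post (other keys omitted).
OPERATION = {"requestBody": {"required": True, "content": {"application/json": {
    "schema": {"type": "array",
               "items": {"$ref": "#/components/schemas/Subscriber"}}}}}}

# Constructed sample bodies (not taken from the screenshots).
STRING_BODY = '"John Doe"'                       # top-level JSON string
ARRAY_BODY = '[{"email": "user@example.com"}]'   # top-level JSON array

# Parsed Python type -> JSON Schema type name (bool first: bool subclasses int).
JSON_TYPES = [(bool, "boolean"), (dict, "object"), (list, "array"),
              (str, "string"), (int, "integer"), (float, "number"),
              (type(None), "null")]


def declared_type(operation, media_type="application/json"):
    """Top-level schema type declared for the request body, or None."""
    content = operation.get("requestBody", {}).get("content", {})
    return content.get(media_type, {}).get("schema", {}).get("type")


def body_type(raw):
    """Top-level JSON type of a raw body, or 'invalid' if it does not parse."""
    try:
        value = json.loads(raw)
    except ValueError:
        return "invalid"
    return next(name for py, name in JSON_TYPES if isinstance(value, py))


def check_body(operation, raw):
    """Compare a captured body with the spec; return (ok, explanation)."""
    want, got = declared_type(operation), body_type(raw)
    detail = f"schema wants {want!r}, body is {got!r}"
    first = raw.lstrip()[:1]
    if first:
        detail += f", first char {first!r} (code {ord(first)})"
    # An integer body also satisfies a schema that declares "number".
    ok = got == want or (want == "number" and got == "integer")
    return ok, detail


if __name__ == "__main__":
    for body in (STRING_BODY, ARRAY_BODY):
        print(check_body(OPERATION, body))
```

Running the same check over bodies exported from the scanner's history shows which requests deviate from the spec before the 400 responses are investigated on the server side.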