OpenAPI schema specifies a JSON array of objects, but ZAP sends a string

[Jernej Rus]

Hello. Some of our website's OpenAPI endpoints specify that the request body be a JSON array of objects. Abridged example:

"/subscribers/api/v2/": {
  "post": {
    "tags": [
      "Subscribers API"
    ],
    "summary": "Creates list of subscribers",
    "description": "Creates list of subscribers",
    "operationId": "Create subscribers",
    "requestBody": {
      "content": {
        "application/json": {
          "schema": {
            "type": "array",
            "items": {
              "$ref": "#/components/schemas/Subscriber"
            }
          }
        }
      },
      "required": true
    },
    "responses": {
      "200": {
        "description": "OK",
        "content": {
          "application/json": {
            "schema": {
              "$ref": "#/components/schemas/Report"
            }
          }
        }
      },
      "500": {
        "description": "Internal Server Error",
        "content": {
          "application/json": {
            "schema": {
              "$ref": "#/components/schemas/ErrorMessage"
            }
          }
        }
      }
    },
    "security": [
      {
        "subscriber-api": []
      }
    ]
  },
}

However, ZAP sends a string:

This causes the endpoints to respond with 400 Bad Request:

ZAP also logs a warning message. Example (with sensitive information masked):

1810763 [ZAP-ActiveScanner-16] WARN  org.parosproxy.paros.core.scanner.VariantJSONQuery - Failed to parse the request body for url [MASKED]/subscriber-api/subscribers/api/v2/ : Input is invalid JSON; does not start with '{' or '[', c=34
java.lang.IllegalArgumentException: Input is invalid JSON; does not start with '{' or '[', c=34
at org.parosproxy.paros.core.scanner.VariantJSONQuery.parseObject(VariantJSONQuery.java:139) ~[zap-2.16.1.jar:2.16.1]
at org.parosproxy.paros.core.scanner.VariantJSONQuery.parseContent(VariantJSONQuery.java:89) ~[zap-2.16.1.jar:2.16.1]
at org.parosproxy.paros.core.scanner.VariantAbstractRPCQuery.setRequestContent(VariantAbstractRPCQuery.java:148) ~[zap-2.16.1.jar:2.16.1]
at org.parosproxy.paros.core.scanner.VariantAbstractRPCQuery.setMessage(VariantAbstractRPCQuery.java:60) [zap-2.16.1.jar:2.16.1]
at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(AbstractAppParamPlugin.java:91) [zap-2.16.1.jar:2.16.1]
at org.parosproxy.paros.core.scanner.AbstractPlugin.run(AbstractPlugin.java:391) [zap-2.16.1.jar:2.16.1]
at java.base/java.lang.Thread.run(Thread.java:840) [?:?]

I found no errors in our OpenAPI schemas. Does ZAP know how to send an array in the body, or is this a bug in ZAP?

[Simon Bennetts]

Unfortunately that example doesnt work because it is too cut down, even if I provide the correct wrapper.

I've just asked ChatGPT to generate a test case for me, and ZAP seemed to handle it fine.

Can you try with the latest version of the OpenAPI add-on - we released that yesterday and it has support for a load of 3.1 features.

If it still doesnt work for you can you create a simple but complete example which fails?

LLMs seem to be good at doing that, so just try different prompts :)

Cheers,

Simon