excludePaths in yaml file does not seem to be working for me


Richard DAmelio

Sep 21, 2022, 7:45:56 PM
to OWASP ZAP User Group

So I have the openapi job in my YAML file that reads a JSON spec.
In my log I see the job started: Job openapi started

Then it scans all the endpoints and I have an issue with one:

I removed the IP for this post

Job openapi target: https://0.000.000.000:443 error: attribute paths.'/services/{service_name}/{action}'. Declared path parameter service_name needs to be defined as a path parameter in path or operation level

I also have the following in the log:

18:15:13
Adding token to request url=https://0.000.000.000:443/api/com.ibm.zaas/services/%7Bservice_name%7D/%7Baction%7D
18:15:13 Authorization: None
18:15:13 responseReceived called for url=https://0.000.000.000:443/api/com.ibm.zaas/services/%7Bservice_name%7D/%7Baction%7D


So I'm guessing I want to exclude this path: "https://0.000.000.000:443/api/com.ibm.zaas/services/service_name/action"

I tried several scenarios but can't get it working.
Any ideas?
    excludePaths:
    #- ".*/services/.service_name./.action.*"
    #- "https://0.000.000.000:443/api/com.ibm.zaas/services/service_name/action"
    #- "https://0.000.000.000:443/api/com.ibm.zaas/services/\Q{service_name}/{action}\E"
    #- "https://0.000.000.000:443/api/com.ibm.zaas/services/\Q%7Bservice_name%7D\E.*"
    - "https://0.000.000.000:443/api/com.ibm.zaas/services/%7Bservice_name%7D.*"
    - "https://0.000.000.000:443/api/com.ibm.zaas/services/%7Bservice_name%7D/%7Baction%7D.*"

Richard DAmelio

Sep 23, 2022, 8:12:32 AM
to OWASP ZAP User Group
No thoughts Simon?

kingthorin+owaspzap

Sep 23, 2022, 11:39:28 AM
to OWASP ZAP User Group

Richard DAmelio

Sep 23, 2022, 12:15:12 PM
to OWASP ZAP User Group
I don't have control over the OpenAPI spec but I can bring it up to the dev team.
But shouldn't excludePaths work here?

I've tried several scenarios and none work.

excludePaths:                                # An optional list of regexes to exclude
    #- ".*/services/.service_name./.action.*"
    #- "https://####/api/com.ibm.zaas/services/service_name/action"
    #- "https://####/api/com.ibm.zaas/services/\Q{service_name}/{action}\E"
    #- "https://####/api/com.ibm.zaas/services/\Q%7Bservice_name%7D\E.*"
    #- "https://####/api/com.ibm.zaas/services.*"
    - "https://####/api/com.ibm.zaas/services*"
    #- "*api/com.ibm.zaas/servicesapi/com.ibm.zaas/services.*"
    #- "*api/com.ibm.zaas/servicesapi/com.ibm.zaas/services*"
    #- "https://####/api/com.ibm.zaas/services/%7Bservice_name%7D.*"
    #- "https://####/api/com.ibm.zaas/services/%7Bservice_name%7D/%7Baction%7D.*"

In the GUI it shows the following when I exclude it from the scanner, and I've tried adding this to my YAML.
(attachment: excludepath.png)

kingthorin+owaspzap

Sep 23, 2022, 6:34:15 PM
to OWASP ZAP User Group
Yes it should, you probably need to exclude it from all not just the scanner.
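The following is an added example, not code from the thread or from the ZAP project, that checks each of the exclusion regexes Richard tried against the URL exactly as his ZAP log printed it. It assumes, based on how ZAP's Context class applies include/exclude regexes, that the query string is dropped and the regex must then match the whole URL (Java Matcher.matches()), not just a substring; verify that against your ZAP version. The host is a constructed placeholder for the redacted address. Two things the script makes visible: the OpenAPI path template reaches the scanner with its braces percent-encoded (%7B/%7D), so a regex written against "{service_name}" can never match, and "services*" only matches under substring semantics because the star applies to the final "s". Separately, note that "\Q" is not a valid escape inside a YAML double-quoted scalar, so the "\Q...\E" lines would need single quotes or "\\Q" to reach ZAP unchanged; Python's re has no \Q...\E at all, so the helper below rewrites it into an escaped literal.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Constructed placeholder for the host the poster redacted ("0.000.000.000" / "####").
HOST = "https://zap.example.internal:443"

# The URL as the poster's ZAP log shows it: the path template's braces arrive
# percent-encoded, so an exclusion regex has to match %7B/%7D, not { }.
LOGGED_URL = HOST + "/api/com.ibm.zaas/services/%7Bservice_name%7D/%7Baction%7D"

# The exclusion regexes tried in the thread, with HOST standing in for the redacted address.
CANDIDATES = [
    r".*/services/.service_name./.action.*",
    HOST + r"/api/com.ibm.zaas/services/service_name/action",
    HOST + r"/api/com.ibm.zaas/services/\Q{service_name}/{action}\E",
    HOST + r"/api/com.ibm.zaas/services/\Q%7Bservice_name%7D\E.*",
    HOST + r"/api/com.ibm.zaas/services.*",
    HOST + r"/api/com.ibm.zaas/services*",
    r"*api/com.ibm.zaas/servicesapi/com.ibm.zaas/services.*",
    HOST + r"/api/com.ibm.zaas/services/%7Bservice_name%7D.*",
    HOST + r"/api/com.ibm.zaas/services/%7Bservice_name%7D/%7Baction%7D.*",
]


def java_quote_to_python(pattern: str) -> str:
    """Python's re lacks Java's \\Q...\\E literal quoting, so rewrite each
    quoted run into an escaped literal with identical meaning."""
    return re.sub(r"\\Q(.*?)\\E", lambda m: re.escape(m.group(1)), pattern, flags=re.S)


def zap_context_match(pattern: str, url: str) -> bool:
    """Assumed emulation of how ZAP applies a context include/exclude regex:
    drop the query string, then require the regex to match the WHOLE URL
    (Java Matcher.matches()), not merely a substring of it."""
    url = url.split("?", 1)[0]
    return re.fullmatch(java_quote_to_python(pattern), url) is not None


def substring_match(pattern: str, url: str) -> bool:
    """Substring semantics (Java find() / Python search()), shown for contrast only."""
    return re.search(java_quote_to_python(pattern), url) is not None


def verdict(pattern: str, url: str = LOGGED_URL) -> Optional[bool]:
    """True = URL would be excluded, False = not excluded, None = regex does not compile."""
    try:
        return zap_context_match(pattern, url)
    except re.error:
        return None


def verdicts(patterns=CANDIDATES, url=LOGGED_URL) -> dict:
    """Verdict for every candidate regex against the logged URL, in the thread's order."""
    return {p: verdict(p, url) for p in patterns}


if __name__ == "__main__":
    print("decoded form of the logged URL:", unquote(LOGGED_URL))
    for pattern, result in verdicts().items():
        label = {True: "EXCLUDED", False: "no match", None: "INVALID REGEX"}[result]
        print(f"{label:14} {pattern}")
```

Running it shows that the two "%7Bservice_name%7D" regexes and the "services.*" regex match the whole logged URL, the "services*" and "{service_name}" forms do not, and the pattern starting with a bare "*" is rejected by the regex compiler outright. If the regex does match here but ZAP still scans the path, the remaining suspect is where the exclusion is applied: as kingthorin notes, excluding from the scanner alone is not the same as excluding from the context.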