Groups keyboard shortcuts have been updated
Dismiss
See shortcuts
GraphQL API Scan, OK response with error in body
19 views
Skip to first unread message
laurynas freimanas
Mar 4, 2025, 6:12:28 AMMar 4
to ZAP User Group
I have setup a scan using a graphql schema which appears to be working correctly however as all errors are handled by returning an object within the response, all attacks result in an 200 response code.
This makes any potential issues hard to uncover without looking through all the responses.
Is there a way to filter and flag specific requests that were made based on there being errors within the response?
Response content examples:
The below I'd want to raise an alert.
{"errors":[{"message":"Unexpected Execution Error"...}]
This makes any potential issues hard to uncover without looking through all the responses.
Is there a way to filter and flag specific requests that were made based on there being errors within the response?
Response content examples:
The below I'd want to raise an alert.
{"errors":[{"message":"Unexpected Execution Error"...}]
While this is an expected and valid error.
{"errors":[{"message":"The required input field `id` is missing."...}]
{"errors":[{"message":"The required input field `id` is missing."...}]
Simon Bennetts
Mar 4, 2025, 7:40:03 AMMar 4
to ZAP User Group
Hiya,
The easiest option it to do these checks via a script.
In this case it would not be an active or passive scan script as we really want to check the responses to the existing scan rule attacks.
So instead you should create an httpsender script which checks all responses.
We have an example here: https://github.com/zaproxy/community-scripts/blob/main/httpsender/Alert%20on%20HTTP%20Response%20Code%20Errors.js
You will want to change it to check for the relevant error messages instead of checking the status code.
Cheers,
Simon
Reply all
Reply to author
Forward
0 new messages