OpenAPI Behaviour Inquiry: Importing "/" path


Rahul Pavithran

Oct 28, 2025, 8:09:50 AM
to ZAP User Group
I use ZAP for API scanning as part of my occupation. I have some OpenAPI files (JSON format) that sometimes do not have all of their path endpoints added to the context URLs on OpenAPI file import.

I noticed that for the files in these cases, the "/" path does not get added to the Context URL list, although it is included by the generalized regex in the Context. I wanted to inquire whether this is the expected behavior.

Versions:
ZAP - 2.16.0
OpenAPI Version - 44
Java - OpenJDK 17.0.15
OS - Windows 11 / Amazon Linux 2 (custom docker)



Example File:
```
{
  "openapi": "3.0.1",
  "info": {
    "title": "Demo Server API",
    "version": "1.0.0",
    "description": "OpenAPI specification generated from the FastAPI routes in `hello.py`.\n\nRoutes:\n- GET / -> returns a simple Hello World JSON.\n- GET /items/{item_id} -> returns the item id and optional query parameter `q`."
  },
  "servers": [
    {
      "url": "http://localhost:8000/api/v1",
      "description": "Local development server"
    }
  ],
  "paths": {
    "/": {
      "get": {
        "summary": "Root endpoint 1",
        "operationId": "read_root",
        "responses": {
          "200": {
            "description": "Successful Response",
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "Hello": {
                      "type": "string",
                      "example": "World"
                    }
                  },
                  "required": ["Hello"]
                }
              }
            }
          }
        }
      }
    },
    "/{subpath}": {
      "get": {
        "summary": "Root endpoint 1",
        "operationId": "read_root_subpath",
        "parameters": [
          {
            "name": "subpath",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string"
            },
            "description": "Subpath to health check"
          }
        ],
        "responses": {
          "200": {
            "description": "Successful Response",
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "Hello": {
                      "type": "string",
                      "example": "World"
                    }
                  },
                  "required": ["Hello"]
                }
              }
            }
          }
        }
      }
    },
    "/health": {
      "get": {
        "summary": "Root endpoint 2",
        "operationId": "read_root_health",
        "responses": {
          "200": {
            "description": "Successful Response",
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "Hello": {
                      "type": "string",
                      "example": "World"
                    }
                  },
                  "required": ["Hello"]
                }
              }
            }
          }
        }
      }
    },
    "/items/{item_id}": {
      "get": {
        "summary": "Get an item by id",
        "operationId": "read_item",
        "parameters": [
          {
            "name": "item_id",
            "in": "path",
            "required": true,
            "schema": {
              "type": "integer",
              "format": "int32"
            },
            "description": "Numeric ID of the item to get"
          },
          {
            "name": "q",
            "in": "query",
            "required": false,
            "schema": {
              "type": "string"
            },
            "description": "Optional query string"
          }
        ],
        "responses": {
          "200": {
            "description": "Successful Response",
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "properties": {
                    "item_id": {
                      "type": "integer",
                      "format": "int32",
                      "example": 42
                    },
                    "q": {
                      "type": "string",
                      "nullable": true,
                      "example": "search"
                    }
                  },
                  "required": ["item_id"]
                }
              }
            }
          },
          "404": {
            "description": "Item not found"
          }
        }
      }
    }
  },
  "components": {}
}

```

thc202

Oct 28, 2025, 3:04:04 PM
to zaprox...@googlegroups.com
Hi,

What's the regex?

Best regards.

Rahul Pavithran

Oct 28, 2025, 7:43:19 PM
to ZAP User Group
Hi @thc202,

The regex added by the import to the Context comes up as follows:

Just to clear up, I haven't added any additional regexes apart from what's generated by the import functionality itself. These do cover all the paths available in the example OpenAPI definition.

thc202

Oct 29, 2025, 4:29:35 AM
to zaprox...@googlegroups.com
I think I misunderstood your question, how are you checking which URLs were imported?

I see the following requests after importing the shared definition (port changed).

GET http://localhost:9000/api/v1/
GET http://localhost:9000/api/v1/subpath
GET http://localhost:9000/api/v1/health
GET http://localhost:9000/api/v1/items/10?q=q


Best regards.

Rahul Pavithran

Oct 29, 2025, 8:58:02 AM
to ZAP User Group
Oh yes, I only mentioned the regex because I see the root path does reflect in the include regex list.
I am pulling the list of context URLs from ZAP using the context/view/urls API.
To be more specific, I am using the zap.context.urls(contextname=contextname) method from the zaproxy Python SDK.

From the URLs fetched from the context, I notice the URL corresponding to the OpenAPI path "/" does not reflect in the context URL list.
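A self-contained way to reproduce the check described in this thread, as an added example that is not part of the original posts or of ZAP itself: it reads the `servers` URL and `paths` keys from an OpenAPI document, reduces a list of context URLs (in practice the output of `zap.context.urls(contextname=...)`) to paths relative to that server URL, and reports which spec paths have no matching context URL. The spec below is a constructed, trimmed copy of the definition shared above (only `servers` and the path keys are kept), and `CONTEXT_URLS` is a constructed sample in which the root path is absent. Two details matter for the root path specifically: a bare server URL with no trailing slash is treated as the `/` path, and templated paths such as `/{subpath}` are matched by shape only after the literal paths have been consumed, so a literal `/health` cannot silently satisfy the `/{subpath}` template.

```python
"""Report which OpenAPI paths are absent from a list of ZAP context URLs."""
import json
import re
from urllib.parse import urlsplit

# Constructed, trimmed-down copy of the definition from the thread.
# Only the pieces this check reads (servers and path keys) are kept.
SPEC_JSON = """
{
  "openapi": "3.0.1",
  "servers": [{"url": "http://localhost:8000/api/v1"}],
  "paths": {
    "/": {"get": {"operationId": "read_root"}},
    "/{subpath}": {"get": {"operationId": "read_root_subpath"}},
    "/health": {"get": {"operationId": "read_root_health"}},
    "/items/{item_id}": {"get": {"operationId": "read_item"}}
  }
}
"""

# Constructed sample of a context URL listing in which the root path is
# missing. In real use this list comes from zap.context.urls(contextname=...).
CONTEXT_URLS = [
    "http://localhost:8000/api/v1/subpath",
    "http://localhost:8000/api/v1/health",
    "http://localhost:8000/api/v1/items/10?q=q",
]

_TEMPLATE = re.compile(r"\{[^}]+\}")


def load_spec(text: str = SPEC_JSON) -> dict:
    """Parse an OpenAPI JSON document."""
    return json.loads(text)


def _path_regex(template: str) -> re.Pattern:
    """Turn '/items/{item_id}' into a regex matching one non-empty segment
    per {param}; literal parts are escaped so '.' and friends stay literal."""
    literal_parts = _TEMPLATE.split(template)
    pattern = "[^/]+".join(re.escape(part) for part in literal_parts)
    return re.compile("^" + pattern + "$")


def relative_paths(spec: dict, context_urls: list) -> list:
    """Reduce context URLs under the first server URL to spec-relative paths.
    URLs on another scheme/host/port or outside the server base path are
    dropped; query strings are ignored; the bare base URL counts as '/'."""
    base = urlsplit(spec["servers"][0]["url"])
    base_path = base.path.rstrip("/")
    rel_paths = []
    for url in context_urls:
        parts = urlsplit(url)
        if (parts.scheme, parts.netloc) != (base.scheme, base.netloc):
            continue
        if not parts.path.startswith(base_path):
            continue
        rest = parts.path[len(base_path):]
        if rest and not rest.startswith("/"):
            continue  # e.g. /api/v10/... is not under /api/v1
        rel_paths.append(rest or "/")
    return rel_paths


def missing_paths(spec: dict, context_urls: list) -> list:
    """Spec paths with no matching context URL, in spec order (literal
    paths first, then templated ones)."""
    remaining = relative_paths(spec, context_urls)
    missing = []
    literal = [p for p in spec["paths"] if not _TEMPLATE.search(p)]
    templated = [p for p in spec["paths"] if _TEMPLATE.search(p)]
    # Exact matches first, so a literal URL is never spent on a template.
    for path in literal:
        if path in remaining:
            remaining.remove(path)
        else:
            missing.append(path)
    for path in templated:
        regex = _path_regex(path)
        hit = next((r for r in remaining if regex.match(r)), None)
        if hit is None:
            missing.append(path)
        else:
            remaining.remove(hit)
    return missing


if __name__ == "__main__":
    spec = load_spec()
    for path in missing_paths(spec, CONTEXT_URLS):
        print("not in context:", spec["servers"][0]["url"] + path)
```

If the list returned by ZAP contains the server URL without a trailing slash, the check counts that as the `/` path, which is worth confirming before concluding the root path was dropped rather than merely rendered differently.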