How to define values for the path params from OpenAPI file


Sebastian Kustosz

Jan 25, 2023, 10:34:39 AM1/25/23
to OWASP ZAP User Group
Hello everyone,

I'm trying to use zap api scan but have a problem with defining values for the params that are in the endpoints' path, e.g.:

endpoint in my OpenAPI spec is:
.../users/{user-group}/building/{building-name}/room/{room-id}

All my endpoints start with "/users/{user-group}/...". Actually 95% of what I want to scan are paths after this. If I don't define a correct (existing in my system) {user-group}, the scan doesn't make any sense. The URLs in the report are like this:
<host>/users/user-group/building/building-name/room/room-id
etc

Could someone guide me how can I achieve this? I spent a lot of time searching for it but couldn't find any information.

thanks,
Seb

jijesh vu

Jan 25, 2023, 11:02:12 AM1/25/23
to OWASP ZAP User Group
Hey,

Create a Postman export JSON of your API and convert it to OpenAPI using https://www.npmjs.com/package/postman-to-openapi

kingthorin+owaspzap

Jan 25, 2023, 11:10:57 AM1/25/23
to OWASP ZAP User Group

Sebastian Kustosz

Jan 25, 2023, 11:31:23 AM1/25/23
to OWASP ZAP User Group
Thanks for the response, but I don't want to hardcode real values in a swagger file definition. I want to automate it in the pipeline, so I just want to run the docker image and provide the path to the OpenAPI spec as a variable. This path would be a direct path to the OpenAPI spec in the repo.

Is there a way to do it? I work on a large platform with ~50 OpenAPI spec files, so I need to automate this process; manual work of changing every single swagger is not an option here.

@kingthorin+owaspzap
I would be glad for at least a word of comment. A link to the Swagger docs is neither help nor an answer.

ricekot

Jan 28, 2023, 11:34:11 PM1/28/23
to OWASP ZAP User Group
Hello,

Here are the options you have:
  • The openapi add-on uses examples from the spec (if specified) to populate endpoint parameters. You could add examples to your spec.
  • You could use the form-handler add-on. For example, if you add "administrators" as a value for "user-group" in the form-handler add-on, and then import a schema with a context specified (for marking Data Driven Nodes), the imported URLs should start with /users/administrators/...
Best regards,
Akshath
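One way to take the first option (examples in the spec) without committing real values to the repo is to patch a copy of the spec in the pipeline just before the scan. The script below is an added example written for this thread, not code from the ZAP project: it reads environment variables of the form ZAP_PARAM_<NAME> (a hypothetical naming convention, with underscores standing in for hyphens), sets `example` on every matching `in: path` parameter, whether declared on the path item, on an operation, or via a local `$ref` into components, and writes the patched spec for zap-api-scan. The file names and the embedded sample spec are constructed for the demo.

```python
"""Fill in `example` values for OpenAPI path parameters before a ZAP API scan.

Added example for the thread above; this is not ZAP project code. The ZAP
openapi add-on takes endpoint parameter values from the spec's examples, so
a pipeline can keep real values (e.g. "administrators" for user-group) out
of the committed spec, inject them here from environment variables, and
hand the patched copy to zap-api-scan. Assumptions: OpenAPI 3.x in JSON;
environment variables named ZAP_PARAM_<NAME> (hypothetical convention,
underscores standing in for hyphens: ZAP_PARAM_USER_GROUP -> user-group).
"""
import json
import os
import sys
from copy import deepcopy

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
LOCAL_PARAM_REF = "#/components/parameters/"

# Constructed sample spec shaped like the endpoint in the question.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "rooms", "version": "1"},
    "components": {"parameters": {
        "BuildingName": {"name": "building-name", "in": "path", "required": True,
                         "schema": {"type": "string"}},
    }},
    "paths": {
        "/users/{user-group}/building/{building-name}/room/{room-id}": {
            "parameters": [
                {"name": "user-group", "in": "path", "required": True,
                 "schema": {"type": "string"}},
            ],
            "get": {
                "parameters": [
                    {"$ref": "#/components/parameters/BuildingName"},
                    {"name": "room-id", "in": "path", "required": True,
                     "schema": {"type": "integer"}},
                    {"name": "verbose", "in": "query", "schema": {"type": "boolean"}},
                ],
                "responses": {"200": {"description": "ok"}},
            },
        }
    },
}


def values_from_env(environ=None):
    """Collect {"user-group": "administrators"} from ZAP_PARAM_USER_GROUP=administrators."""
    environ = os.environ if environ is None else environ
    prefix = "ZAP_PARAM_"
    return {k[len(prefix):].lower().replace("_", "-"): v
            for k, v in environ.items() if k.startswith(prefix) and v}


def _coerce(value, schema):
    """Match the example to the declared schema type so validators don't reject it."""
    kind = (schema or {}).get("type")
    if kind == "integer" and value.lstrip("-").isdigit():
        return int(value)
    if kind == "boolean" and value.lower() in ("true", "false"):
        return value.lower() == "true"
    return value


def _patch_param(param, values, components, patched, unresolved):
    ref = param.get("$ref")
    if ref is not None:
        if not ref.startswith(LOCAL_PARAM_REF):
            unresolved.append(ref)  # external file refs are reported, not followed
            return
        param = components.get(ref[len(LOCAL_PARAM_REF):], {})  # patch the shared definition
    if param.get("in") == "path" and param.get("name") in values:
        param["example"] = _coerce(values[param["name"]], param.get("schema"))
        patched.add(param["name"])


def add_path_param_examples(spec, values):
    """Return (patched_copy, names_patched, unresolved_refs); `spec` is left untouched."""
    out = deepcopy(spec)
    components = out.get("components", {}).get("parameters", {})
    patched, unresolved = set(), []
    for path_item in out.get("paths", {}).values():
        # Parameters may sit on the path item or on each operation; handle both.
        param_lists = [path_item.get("parameters", [])]
        param_lists += [op.get("parameters", []) for m, op in path_item.items()
                        if m.lower() in HTTP_METHODS and isinstance(op, dict)]
        for params in param_lists:
            for param in params:
                _patch_param(param, values, components, patched, unresolved)
    return out, patched, unresolved


def main(argv):
    # Usage: python patch_spec.py openapi.json patched.json  (no args: demo on SAMPLE_SPEC)
    if len(argv) > 1:
        with open(argv[1]) as fh:
            spec, values = json.load(fh), values_from_env()
    else:
        spec, values = SAMPLE_SPEC, {"user-group": "administrators", "room-id": "42"}
    out, patched, unresolved = add_path_param_examples(spec, values)
    for ref in unresolved:
        print(f"warning: external $ref not patched: {ref}", file=sys.stderr)
    missing = sorted(set(values) - patched)
    if missing:
        print(f"warning: no path parameter named {missing} in spec", file=sys.stderr)
    dest = open(argv[2], "w") if len(argv) > 2 else sys.stdout
    json.dump(out, dest, indent=2)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline job this runs once per spec file (a loop over the ~50 files is a few lines of shell), and the patched copy, never the committed original, is what gets passed to zap-api-scan.py with -t and -f openapi. The warnings are worth failing the job on: an unpatched parameter means the scan would again hit placeholder paths such as /users/user-group/..., which is exactly the symptom in the question.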