Help scanning API based on JSON-RPC


Skye Turriff

Jun 10, 2021, 4:16:50 PM6/10/21
to OWASP ZAP User Group
I am trying to use ZAP to scan an API based on JSON-RPC. The issue I am having is with some nodes appearing to be overwritten within the Site Tree. This prevents the rpc action methods associated with these nodes from being hit by the Active Scan, as at the time of running the Active Scan, they no longer exist in the Site Tree.

For example, the following POST request appears as a node in the site tree:

Screenshot from 2021-06-10 15-41-35.png

But then as I explore the site and perform other actions, this node gets overwritten by, for example:

Screenshot from 2021-06-10 15-33-39.png

Some nodes never get overwritten. For example, this, among others, always remains in the Site Tree:

Screenshot from 2021-06-10 15-56-13.png

When I look through the History tab, I can see all the requests with the different jsonrpc objects in the request body. When I right-click on an entry in History and select "Show in Sites tab", it auto-selects the node that has been overwritten.

When running an Active Scan, ZAP appears to have no problem manipulating the jsonrpc object and injecting things into any of its members. For example, it will generate request objects like this no problem:

Screenshot from 2021-06-10 15-47-45.png

But it will miss hitting any of the rpc actions that were overwritten in the Site Tree, like the web.Make example above.

Is this normal behaviour or have I configured something incorrectly?

My Input Vectors for Active Scan:

Screenshot from 2021-06-10 16-15-31.png

Thanks in advance!

Skye

kingthorin+owaspzap

Jun 10, 2021, 8:19:55 PM6/10/21
to OWASP ZAP User Group

Skye Turriff

Jun 15, 2021, 11:31:56 AM6/15/21
to OWASP ZAP User Group
I've been looking into what you suggested, and it seems I will need a custom Script Input Vector that will tell ZAP how to represent requests in the Site Tree and properly recognize the JSON-RPC object in the request body.

I got the Community Scripts and other add-ons set up, and it seems like the 'Site modifying JSON example.js' template could be a good starting point, but I have a few questions about it.

Do you know of any resources or knowledge base that goes a little bit more in-depth about the objects and functions in this script? (i.e. it looks like it's all based off of an implementation of org.parosproxy.paros.core.scanner.Variant, but where do the parseParameters(...) and setParameter(...) functions come from? What type is the 'helper' parameter used by these methods - is it org.parosproxy.paros.core.scanner.VariantCustom? What is it used for / what does it represent? It seems like this is the key to manipulating the Site Tree as needed. I've also noticed there's an org.parosproxy.paros.core.scanner.VariantAbstractRPCQuery, but the javadoc is a little sparse so I'm not too sure if this would be useful to me or not.)

If the answer is no, that's totally fine :D just thought it was worth the ask before I continued my safari hunt and pulled out too much of my hair. I have been able to find some deeper stuff on Stand Alone and Active Scanner scripts, but no such luck for Input Variants yet!

Thanks again!
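
The logic a JSON-RPC input vector needs, as an added example that is not code from this thread, the ZAP project, or the community-scripts template: it shows why the nodes collapse (ZAP's default leaf name is built from the parameter *names*, which are identical for every JSON-RPC call to the same endpoint) and what the three pieces of a variant script have to do. The functions are pure JavaScript so they run stand-alone; the ZAP `helper` object is deliberately not used, and the function names, the `/rpc` path and the request bodies are constructed assumptions.

```javascript
// Constructed sample JSON-RPC bodies, all POSTed to the same endpoint. With
// name-only leaf naming they produce the same Sites-tree node and overwrite
// each other; with the method value in the leaf name they stay distinct.
const SAMPLE_BODIES = [
  '{"jsonrpc":"2.0","id":1,"method":"web.Make","params":{"name":"demo"}}',
  '{"jsonrpc":"2.0","id":2,"method":"web.Delete","params":{"name":"demo"}}',
];

// Flatten a JSON-RPC body into scanner parameters: top-level fields plus every
// params member, using dotted names so nested values are individually addressable.
function parseJsonRpcParams(body) {
  const out = [];
  const walk = (prefix, value) => {
    if (value !== null && typeof value === "object") {
      for (const [k, v] of Object.entries(value)) walk(prefix ? prefix + "." + k : k, v);
    } else {
      out.push({ name: prefix, value: String(value) });
    }
  };
  walk("", JSON.parse(body));
  return out;
}

// Leaf name for the Sites tree: endpoint path plus the RPC method value, then the
// sorted top-level keys. Two calls with different methods now map to different nodes.
function jsonRpcLeafName(path, body) {
  const rpc = JSON.parse(body);
  const method = typeof rpc.method === "string" ? rpc.method : "unknown";
  return `${path}(method=${method})(${Object.keys(rpc).sort().join(",")})`;
}

// Write a scanner payload back into the body: resolve the dotted name into the
// object tree, replace the value, and re-serialise so the request stays valid JSON.
function setJsonRpcParam(body, name, value) {
  const rpc = JSON.parse(body);
  const parts = name.split(".");
  let node = rpc;
  for (const p of parts.slice(0, -1)) {
    if (node[p] === null || typeof node[p] !== "object") node[p] = {};
    node = node[p];
  }
  node[parts[parts.length - 1]] = value;
  return JSON.stringify(rpc);
}
```

In a real ZAP variant script these three functions would be called from `parseParameters`, `getLeafName` and `setParameter` respectively, with the helper doing the parameter bookkeeping; that wiring is left out here.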

kingthorin+owaspzap

Jun 15, 2021, 8:29:21 PM6/15/21
to OWASP ZAP User Group