How to use zap-api-scan.py to scan only certain paths from the context


Adrian M

Jan 5, 2021, 11:45:31 AM1/5/21
to OWASP ZAP User Group
Hello,


Currently, the zap-api-scan.py script takes the context file as a parameter and works fine for scanning the whole OpenApi specification.

There are, however, cases in which the OpenApi spec is quite large, with a lot of fields/parameters in request bodies that can have different values, so using the Form Handler to set those values will result in a malformed JSON body for some of the requests.
Considering this, there is a need to either:
1. be able to set different values for the same field names with Form Handler
2. be able to scan just the paths which are configured in the context file

Not sure if the first option is possible, but for the second one, there is a need to take into account the Included/Excluded from context settings (the incregexes/excregexes XML elements from the context).

When trying to execute a scan using zap-api-scan on an OpenApi specification, by providing a context file that has an included path as a regex inside, the zap_active_scan method from zap_common.py (which in turn calls the zap.ascan.scan_as_user method) returns a url_not_in_context ApiException.

As soon as the incregexes from the context is something different from host.* (e.g. host/.*), zap_active_scan complains that the URL is not in context.

I have tried different variations of the regex (with special characters escaped) and also valid ones from the ZAP UI, which work perfectly there when selecting a certain path from the site tree on the left.

The question is: is it possible to perform a targeted scan of certain OpenApi paths only, as opposed to the whole host/target? (again see the zap_active_scan method from zap_common.py).
If the answer is positive, can anyone provide an example?
If not, are there any other ways of getting around this limitation? Like solution 1 above, in which different values could be specified in the Form Handler for different requests?


Thanks,
Adrian




Adrian M

Jan 5, 2021, 2:14:57 PM1/5/21
to OWASP ZAP User Group
I did find a workaround to be able to scan only certain path(s) from an OpenApi specification and exclude the others (not sure if it is the best one, though).
By setting globalexcludeurl in the property file and using a regex to exclude everything but the path/URL that needs to be scanned.
Example:
globalexcludeurl.url_list.url(0).regex=^((?!OpenApi_Path).)*$

Using this workaround will greatly reduce the time and focus mainly on the desired path (OpenApi_Path above).
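
The negative-lookahead trick above is easy to get subtly wrong (unescaped metacharacters in the path, or a path that is a substring of another path). The following added example, which is not part of the thread and not ZAP's own code, builds the same kind of global-exclude regex for one or more paths and shows which constructed sample URLs it would exclude from the scan. The host, paths and URLs are assumptions made for the illustration; the only thing taken from the post is the globalexcludeurl.url_list.url(N).regex property key and the single-path pattern. It generalizes the post's one-path regex to an alternation over several paths.

```python
import re

# Constructed sample URLs standing in for what ZAP derives from an OpenAPI spec.
# Host and paths are assumptions for this illustration, not from the post.
SAMPLE_URLS = [
    "https://api.example.com/v1/orders",
    "https://api.example.com/v1/orders/42",
    "https://api.example.com/v1/users",
    "https://api.example.com/v1/users/7/address",
    "https://api.example.com/health",
]


def exclusion_regex(keep_paths):
    """Build a ZAP global-exclude regex that matches (and therefore excludes)
    every URL that does NOT contain any of keep_paths.

    This generalizes the single-path pattern from the post,
    ^((?!OpenApi_Path).)*$, to several paths joined by an alternation.
    Each path is re.escape()d so '.', '?', '+' etc. in a URL path are
    matched literally instead of as regex metacharacters.
    """
    alternation = "|".join(re.escape(p) for p in keep_paths)
    return rf"^((?!{alternation}).)*$"


def partition(urls, keep_paths):
    """Split urls into (scanned, excluded) under the built regex.

    ZAP applies the global-exclude regex to the full URL, so fullmatch()
    against the whole string is the right comparison here.
    """
    pattern = re.compile(exclusion_regex(keep_paths))
    excluded = [u for u in urls if pattern.fullmatch(u)]
    scanned = [u for u in urls if not pattern.fullmatch(u)]
    return scanned, excluded


def properties_line(keep_paths, index=0):
    """Render the line for the -z / config properties file (key from the post)."""
    return f"globalexcludeurl.url_list.url({index}).regex={exclusion_regex(keep_paths)}"


if __name__ == "__main__":
    keep = ["/v1/users"]
    print(properties_line(keep))
    scanned, excluded = partition(SAMPLE_URLS, keep)
    print("scanned: ", scanned)
    print("excluded:", excluded)
```

Two things the output makes visible. First, the lookahead tests for a substring, so keeping "/v1/users" also keeps "/v1/users/7/address"; if you want only the exact collection endpoint, anchor the kept path more tightly (for example by including what must follow it) rather than relying on the substring. Second, because the whole URL is tested, a literal "." in a path such as "/v1.0/x" must be escaped, otherwise "/v1x0/x" is kept as well; the helper does that escaping for you.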

Simon Bennetts

Jan 6, 2021, 4:53:08 AM1/6/21
to OWASP ZAP User Group
Yes, that's a good workaround. Thanks for letting us know.