ZAP API Scan fails to parse swagger definition


Edmore Tshuma

Feb 6, 2022, 2:18:38 PM
to OWASP ZAP User Group

I have a .NET 5 API that I am running a ZAP API scan against.

When I run this command from Windows 10 it works perfectly and the report is generated. For this first use-case I have the API hosted in IIS on Windows Server 2016:

docker run -v "$(pwd):/zap/wrk/:rw" -t owasp/zap2docker-weekly zap-api-scan.py -t http://10.XXX.XXX.XXX:8002/account?field4=4488082040118"&"field7=GENERIC01"&"field10=ABC076 -f openapi -r C:\Users\tshumaed\Documents\DEPLOYS\ZAP_Report.htm 


My error occurs when I switch to Linux. I have hosted the API on a k0s cluster on Debian 10 Buster and run the command as:

docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-weekly zap-api-scan.py -t http://10.XXX.XXX.XXX:32518/account?field4=4488082040118"&"field7=GENERIC01"&"field10=DCF43 -f openapi -r ~/home/golide/Projects/ZAP_REPORT.htm

The command gives an error: 


12575 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules
12575 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Ajax Spider Automation Framework Integration
12579 [ZAP-daemon] INFO org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles all of the calls to ZAP services
12801 [ZAP-daemon] INFO org.zaproxy.addon.oast.services.callback.CallbackService - Started callback service on 0.0.0.0:42279
12811 [ZAP-daemon] INFO org.zaproxy.addon.network.ExtensionNetwork - Creating new root CA certificate.
14810 [ZAP-daemon] INFO org.zaproxy.addon.network.ExtensionNetwork - New root CA certificate created.
17862 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine - Add-on update check complete
17866 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine - Add-on already installed: /zap/./plugin/pscanrulesBeta-beta-29.zap
17868 [ZAP-daemon] INFO org.zaproxy.zap.DaemonBootstrap - ZAP is now listening on 0.0.0.0:47455
22574 [ZAP-Import-OpenAPI-1] WARN org.zaproxy.zap.extension.openapi.ExtensionOpenApi - Failed to parse OpenAPI definition.
org.zaproxy.zap.extension.openapi.converter.swagger.SwaggerException: Failed to parse swagger defn null
22575 [ZAP-Import-OpenAPI-1] WARN org.zaproxy.zap.extension.openapi.ExtensionOpenApi - Failed to parse swagger defn null
org.zaproxy.zap.extension.openapi.converter.swagger.SwaggerException: Failed to parse swagger defn null
    at org.zaproxy.zap.extension.openapi.converter.swagger.SwaggerConverter.readOpenAPISpec(SwaggerConverter.java:200) ~[openapi-beta-26.zap:?]
    at org.zaproxy.zap.extension.openapi.converter.swagger.SwaggerConverter.getRequestModels(SwaggerConverter.java:184) ~[openapi-beta-26.zap:?]
    at org.zaproxy.zap.extension.openapi.ExtensionOpenApi$1.run(ExtensionOpenApi.java:365) [openapi-beta-26.zap:?]
22655 [ZAP-ProxyThread-10] INFO org.parosproxy.paros.core.scanner.Scanner - scanner started
23400 [Thread-6] INFO org.parosproxy.paros.core.scanner.HostProcess - Scanning 2 node(s) from http://10.170.8.204:32518
23403 [Thread-6] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://10.170.8.204:32518 | RemoteFileIncludeScanRule strength MEDIUM threshold MEDIUM


What am I missing?


Simon Bennetts

Feb 7, 2022, 4:49:21 AM
to OWASP ZAP User Group
Initial thought - have you escaped the URL correctly?
In your message you've used the URL: http://10.XXX.XXX.XXX:32518/account?field4=4488082040118"&"field7=GENERIC01"&"field10=DCF43

'&' is used on Linux to run commands in the background - that could well be causing you problems.
Try surrounding the whole url with single quotes.
Also, do you really need the double quotes in the URL?
That doesn't look right to me either - I would try removing them as well.

Cheers,

Simon

kingthorin+owaspzap

Feb 7, 2022, 3:51:09 PM
to OWASP ZAP User Group
Also, as already discussed in the issue you had opened, what makes you think the Win/IIS behaviour was any different? And is a definition actually returned from the URL you're providing?
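As an added example (not code from the thread or from the ZAP project), the script below covers the two questions raised in the replies: it shows what the shell actually hands to the scan script when the URL's '&' is left unquoted versus when the whole URL is single-quoted as Simon suggests, and it fetches the -t URL to check whether it returns an OpenAPI or Swagger definition at all, as kingthorin asks. probe_args is a hypothetical stand-in for zap-api-scan.py, looks_like_openapi is a simple heuristic rather than ZAP's parser, check_definition_url needs curl and network access, and the host, port and query values are placeholders rather than the poster's.

```shell
#!/bin/sh
# Added example (not from the thread or the ZAP project): make sure the URL
# reaches zap-api-scan.py as ONE argument, and confirm the URL really serves
# an OpenAPI/Swagger document before pointing ZAP at it.
# Host, port and query values below are placeholders, not the poster's.

# Wrap a string in single quotes so it survives the shell parser unchanged.
# An embedded single quote becomes '\'' (close, escaped quote, reopen).
shquote() {
  printf "'%s'" "$(printf '%s\n' "$1" | sed "s/'/'\\\\''/g")"
}

# Stand-in for zap-api-scan.py: prints the argument count, then each argument
# on its own line, so what the shell actually delivered is visible.
probe_args() {
  printf '%s\n' "$#"
  printf '%s\n' "$@"
}

# Feed a command-line fragment (everything after the script name) through the
# shell parser with probe_args as the program and return the value that lands
# after -t. An unquoted '&' turns the line into a background job plus stray
# commands; a single-quoted URL arrives intact. Globbing is disabled so the
# '?' in the URL is never expanded; background jobs are awaited; stderr dropped.
parse_first_url_arg() {
  ( set -f; eval "probe_args $1"; wait ) 2>/dev/null | sed -n '3p'
}

# Heuristic pre-check that a saved response is an OpenAPI 3 / Swagger 2
# definition: a top-level "openapi"/"swagger" key in JSON or YAML form.
# ZAP's own parser is stricter; this only catches the common mistake of
# pointing -t at an API endpoint or the Swagger UI HTML instead of the spec.
looks_like_openapi() {
  grep -Eq '^[[:space:]]*"?(openapi|swagger)"?[[:space:]]*:' "$1"
}

# Fetch a URL and report whether it looks like a definition ZAP can import.
# Needs curl and network access, so it is not exercised offline.
check_definition_url() {
  tmp=$(mktemp) || return 2
  if ! curl -fsSL "$1" -o "$tmp"; then
    rm -f "$tmp"; echo "fetch failed: $1"; return 2
  fi
  if looks_like_openapi "$tmp"; then
    rm -f "$tmp"; echo "OK: $1 serves an OpenAPI/Swagger definition"; return 0
  fi
  echo "NOT a definition; first line of response: $(head -n 1 "$tmp")"
  rm -f "$tmp"; return 1
}

# Print the docker invocation with the target URL safely single-quoted.
# The report path is relative to /zap/wrk, the directory mounted with -v.
build_scan_cmd() {
  printf 'docker run -v "$(pwd):/zap/wrk/:rw" -t owasp/zap2docker-weekly zap-api-scan.py -t %s -f openapi -r ZAP_REPORT.htm\n' "$(shquote "$1")"
}

# Constructed URL with the same shape as the one in the thread (placeholder host).
API_URL='http://10.0.0.1:32518/account?field4=4488082040118&field7=GENERIC01&field10=DCF43'

echo "unquoted, -t receives: $(parse_first_url_arg "-t $API_URL -f openapi")"
echo "quoted,   -t receives: $(parse_first_url_arg "-t $(shquote "$API_URL") -f openapi")"
build_scan_cmd "$API_URL"
```

Run as-is and the unquoted line stops at the first '&' (everything after it is executed as separate shell commands), while the quoted line carries the full query string. Before blaming quoting, run check_definition_url against the exact -t value: if it reports HTML or a JSON body without a top-level openapi/swagger key, the "Failed to parse swagger defn" warning is expected however the command is quoted. On a .NET API that uses Swashbuckle the definition is typically served at /swagger/v1/swagger.json rather than at the endpoint under test; whether that applies to this project is an assumption.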