params to post methods in openapi scan


Julia Khanbekova

Dec 8, 2024, 6:05:02 AM
to ZAP User Group
Hi, Simon!

I run the following scan:
1. First, I import all addresses using the openapi scan type from openapi.json
2. Then I run an active scan for the imported addresses

The service for which I run scan also has post methods. For example, the method for creating a project (create_project). The method takes the project name as input. After the active scan, several projects with strange names are created in my service (ZAP, c/:, ../../../../).

There are two questions from this:
1. I would like to understand why this happens and how ZAP chooses which parameters to submit to post methods?
2. Why are parameters not submitted for other post methods and requests not sent, only in the create_project method?

Simon Bennetts

Dec 11, 2024, 5:14:45 AM
to ZAP User Group
Hiya,

ZAP scan rules send payloads to parameters in order to find potential vulnerabilities.
The payloads you mentioned look like path traversal attacks.

There are _lots_ of "parameters" that ZAP could attack (we call them input vectors), so we make it possible for you to choose which ones it will attack.

ZAP will attack all of the input vectors. Chances are that your other forms are filtering out "bad" input which is why you are not seeing it reflected in your app.

Cheers,

Simon
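Simon's point that the other forms are probably filtering out "bad" input is the defender-side takeaway here. Below is an added illustration, not code from the thread or from ZAP, of the kind of check a create_project handler could apply to the name parameter: an allowlist on the name itself plus a containment check if that name is ever used to build a storage path. The names `c/:` and `../../../../` are the ones reported above; the storage root `/srv/projects` and the 64-character limit are assumptions.

```python
import re
from pathlib import Path

# Constructed inputs: the three names the active scan left behind in the
# service described in the thread, plus two ordinary project names.
SAMPLE_NAMES = ["ZAP", "c/:", "../../../../", "my-project", "release_2024"]

# Allowlist: a plain identifier of letters, digits, '_' and '-', 1-64 chars.
# Path separators, drive letters and '..' can never match this pattern.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")

PROJECT_ROOT = Path("/srv/projects")  # hypothetical storage root


def is_valid_project_name(name: str) -> bool:
    """First layer: refuse anything that is not a plain identifier."""
    return NAME_RE.fullmatch(name) is not None


def project_dir(name: str, root: Path = PROJECT_ROOT) -> Path:
    """Second layer: map a name to a directory and confirm it stays under root.

    This is defence in depth for code that builds filesystem paths from the
    name. It deliberately does not repeat the allowlist, so the two checks
    can be seen failing on different inputs: '../../../../' escapes the root
    and raises here, while 'c/:' stays under the root and is only caught by
    the allowlist.
    """
    resolved_root = root.resolve()
    target = (resolved_root / name).resolve()
    if resolved_root not in target.parents:
        raise ValueError(f"project path escapes storage root: {target}")
    return target


def filter_names(names):
    """Split a batch of candidate names into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for name in names:
        (accepted if is_valid_project_name(name) else rejected).append(name)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = filter_names(SAMPLE_NAMES)
    print("accepted:", ok)   # "ZAP" is a plain word, so it legitimately passes
    print("rejected:", bad)
```

Note that the marker name `ZAP` passes the allowlist because it is an ordinary word; the validation is about rejecting structurally dangerous input, not a scanner's signature.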

Julia Khanbekova

Dec 16, 2024, 12:48:14 PM
to ZAP User Group
Thanks for the answer!
How can I disable path traversal attacks?

kingthorin+zap

Dec 16, 2024, 1:29:30 PM
to ZAP User Group