ZAP Scans not work for URL which have special chars (Because of URL Encoding)
149 views
Skip to first unread message
Rohit Kumar
Jul 26, 2022, 3:26:18 AM7/26/22
to OWASP ZAP User Group
We'd a use case where swagger.json url contains a special character "[" and "]" and because of this zap is trying to url encoding since it's passing it to ZAP API.
And ZAP sends request to that encoded url and ZAP gets 404 in that case. Have a look at below example
Inside ZAP Docker it becomes - http://zap/JSON/openapi/action/importUrl/?url=https%3A%2F%2Fgateway.alumni-services-002.com%2Fv2%2Fapi-docs%3Fgroup%3D%5BPublic%5D%2520API%2520Gateway&apikey=&hostOverride=
Because of this issue, scans aren't proper, in above scenario. Character "[" is getting converted to %5B and that kind of URL returns 404
Can we do something here, apart from asking client to changes on their end?
thc...@gmail.com
Jul 26, 2022, 3:36:18 AM7/26/22
to zaprox...@googlegroups.com
Hi.
That shows the URL encoded while being sent, ZAP will decode the query
parameters before use.
I'd suggest checking the zap.log for errors.
Best regards.
That shows the URL encoded while being sent, ZAP will decode the query
parameters before use.
I'd suggest checking the zap.log for errors.
Best regards.
thc...@gmail.com
Jul 26, 2022, 3:58:15 AM7/26/22
to zaprox...@googlegroups.com
Said that, ZAP will encode those characters when sending the request
which probably shouldn't.
Best regards.
which probably shouldn't.
Best regards.
Rohit Kumar
Jul 28, 2022, 3:48:21 AM7/28/22
to OWASP ZAP User Group
Hi All,
It seems there is something wrong within ZAP, can someone please help me here. I'm attaching all logs / screenshots of whatever kind of testing i did. I Initiated scan for https://gateway.alumni-services-002.com/v2/api-docs?group=[Public]%20API%20Gateway using ZAP docker api scan and then from ZAP UI, in both cases it's not working for me.
I'm attaching zap.log from (zap Docker api scan)
After this i launched a browser from ZAP UI, then i pasted https://gateway.alumni-services-002.com/v2/api-docs?group=[Public]%20API%20Gateway In browser so that ZAP can intercept it, and i tried to start Automated scan, but in ZAP UI you can see URL is not complete because of that special character.
In above image you can see URL is not complete all contents after = symbol is missing.
Can someone please look into this, i'm not sure whats going on here. Looks like zap issue.
Reply all
Reply to author
Forward
0 new messages