Zap Error: 'Alert on Unexpected Content Types' script


Maxim Voronetski

Oct 10, 2024, 5:08:32 AM
to ZAP User Group
Hello
Is there a way to edit the URL list that is parsed by the script?

The thing is that it thinks URLs like:
{site}/latest/meta-data/
{site}/swagger/
{site}/swagger/index.html
{site}/graphql/

should return an "application/json" content-type, as if they were API endpoints, not simple HTML pages with a "text/html" content-type.

And I can't think of a way to fix it

Thanks

Simon Bennetts

Oct 10, 2024, 9:55:23 AM
to ZAP User Group
Hiya,

How are you exploring your app?
That's how ZAP builds up the list of URLs to check.

Cheers,

Simon

kingthorin+zap

Oct 10, 2024, 1:25:33 PM
to ZAP User Group
There aren't exclusions per rule; however, you could create an Alert Filter to address them before the report is generated.

Maxim Voronetski

Oct 14, 2024, 5:42:49 AM
to ZAP User Group

zap-stable zap-api-scan.py -t ${{Parameters.owaspUrl}} -f openapi

where ${{Parameters.owaspUrl}} is the site address.
Thursday, 10 October 2024 at 15:55:23 UTC+2, psi...@gmail.com:

Simon Bennetts

Oct 17, 2024, 4:38:02 AM
to ZAP User Group
This implies that your OpenAPI spec includes HTML endpoints.
Can you confirm that?
If so, can you remove them from the spec?
If not we can look at the existing options to exclude them.

Cheers,

Simon

Maxim Voronetski

Oct 17, 2024, 11:55:35 AM
to zaprox...@googlegroups.com

How can I confirm it?
From what I know, we don't have any HTML endpoints, only Swagger for endpoint testing.
Plus, how can I exclude the URLs if I know them?


--
ZAP by Checkmarx: https://www.zaproxy.org/

Maxim Voronetski

Oct 17, 2024, 4:10:38 PM
to ZAP User Group
I don't understand: how does it scan for the endpoints having only the site address?

Thursday, 17 October 2024 at 17:55:35 UTC+2, Maxim Voronetski:

Simon Bennetts

Oct 23, 2024, 12:46:48 PM
to ZAP User Group
ZAP doesn't only have the site address.
It has the definition of the OpenAPI spec - you are passing that URL into ZAP, right?
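An added example, not from the thread and not ZAP's own code, that does the check Simon asks for: it reads an OpenAPI 3 document, builds the full URL for every operation from the first servers[] entry plus the path (an approximation of how a scanner derives its URL list), and flags operations whose declared responses include text/html or declare no media type at all, so you can see which paths to drop from the spec or cover with an Alert Filter. The sample spec is constructed for illustration.

```python
import json

# Constructed OpenAPI 3 document for illustration only; the paths echo the
# thread but the declared content types are made up, not from a real spec.
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.3",
    "servers": [{"url": "https://app.example.test"}],
    "paths": {
        "/api/users": {"get": {"responses": {
            "200": {"content": {"application/json": {}}}}}},
        "/swagger/index.html": {"get": {"responses": {
            "200": {"content": {"text/html": {}}}}}},
        "/graphql/": {"post": {"responses": {
            "200": {"description": "no content declared"}}}},
    },
})

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def operation_media_types(operation):
    """Collect every response media type declared on one operation."""
    types = set()
    for response in operation.get("responses", {}).values():
        types.update(response.get("content", {}).keys())
    return types


def audit_spec(spec_text):
    """One row per operation: method, full URL, declared media types, and
    whether a JSON-only expectation would be surprised by this operation."""
    spec = json.loads(spec_text)
    base = spec.get("servers", [{"url": ""}])[0]["url"].rstrip("/")
    rows = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip "parameters", "summary" and other non-method keys
            types = operation_media_types(op)
            # Declaring text/html, or declaring nothing, both mean the response
            # will not match an API-style application/json expectation.
            suspicious = ("text/html" in types) or not types
            rows.append({"method": method.upper(), "url": base + path,
                         "media_types": sorted(types), "non_json": suspicious})
    return rows


def non_json_urls(spec_text):
    """Just the URLs worth removing from the spec or alert-filtering."""
    return [r["url"] for r in audit_spec(spec_text) if r["non_json"]]


if __name__ == "__main__":
    for row in audit_spec(SAMPLE_SPEC):
        print("CHECK" if row["non_json"] else "ok   ", row["method"], row["url"], row["media_types"])
```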