Zap Error: 'Alert on Unexpected Content Types' script
168 views
Skip to first unread message
Maxim Voronetski
Oct 10, 2024, 5:08:32 AMOct 10
to ZAP User Group
Hello
Is there a way to edit the URL list that is parsed by the script?
The thing is, that it thinks that URLs like:
{site}/latest/meta-data/
{site}/swagger/
{site}/swagger/index.html
{site}/swagger/
{site}/swagger/index.html
{site}/graphql/
Should return "application/json" content-type, as if they were API endpoints, not simple html pages with "text/html" content-type
And I can't think of a way to fix it
Thanks
Simon Bennetts
Oct 10, 2024, 9:55:23 AMOct 10
to ZAP User Group
Hiya,
How are you exploring your app?
Thats how ZAP builds up the list of URLs to check.
Cheers,
Simon
kingthorin+zap
Oct 10, 2024, 1:25:33 PMOct 10
to ZAP User Group
There isn't exclusions per rule, however you could create an Alert Filter to address them before the report is generated.
Maxim Voronetski
Oct 14, 2024, 5:42:49 AMOct 14
to ZAP User Group
zap-stable zap-api-scan.py -t ${{Parameters.owaspUrl}} -f openapi
where ${{Parameters.owaspUrl}} is site address
четверг, 10 октября 2024 г. в 15:55:23 UTC+2, psi...@gmail.com:
Simon Bennetts
Oct 17, 2024, 4:38:02 AMOct 17
to ZAP User Group
This implies that your OpenAPI spec includes HTML endpoints.
Can you confirm that?
If so, can you remove them from the spec?
If not we can look at the existing options to exclude them.
Cheers,
Simon
Maxim Voronetski
Oct 17, 2024, 11:55:35 AMOct 17
to zaprox...@googlegroups.com
How can I confirm it?
From what I know - we don't have any html endpoints, only swagger for endpoint testing.
Plus, how can I exclude the urls if I know them?
--
ZAP by Checkmarx: https://www.zaproxy.org/
---
You received this message because you are subscribed to the Google Groups "ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/a58786a6-d40c-4ad0-981d-6b277544af00n%40googlegroups.com.
Maxim Voronetski
Oct 17, 2024, 4:10:38 PMOct 17
to ZAP User Group
I don't understand, how does it scan for the endpoints having only site address
четверг, 17 октября 2024 г. в 17:55:35 UTC+2, Maxim Voronetski:
Simon Bennetts
Oct 23, 2024, 12:46:48 PMOct 23
to ZAP User Group
ZAP doesnt only have the site address.
It has the definition of the OpenAPI spec - you are passing that URL into ZAP, right?
Maxim Voronetski
Oct 28, 2024, 11:26:33 AMOct 28
to ZAP User Group
Yes,
.../swagger/index.html
.../swagger/index.html
and
.../graphql/
and the problem is - he thinks that those are also APi endpoints
среда, 23 октября 2024 г. в 18:46:48 UTC+2, psi...@gmail.com:
kingthorin+zap
Oct 28, 2024, 12:34:11 PMOct 28
to ZAP User Group
.../swagger/index.html
Isn't a spec URL, it's an html page as it says.
Maxim Voronetski
Oct 29, 2024, 4:59:04 AMOct 29
to ZAP User Group
yes, we feed those 2 pages to ZAP and get reports, with errors that pages like:
.../swagger/
.../swagger/
.../swagger/index.html
have unexpected content-type
have unexpected content-type
понедельник, 28 октября 2024 г. в 17:34:11 UTC+1, kingthorin+zap:
Simon Bennetts
Oct 29, 2024, 5:39:54 AMOct 29
to ZAP User Group
The ZAP API packaged scan supports OpenAPI, SOAP, and GraphQL.
You are supplying an HTML page, that will not work.
If you don't have a supported API spec then use one of the other options for exploring your app: https://www.zaproxy.org/docs/getting-further/automation/exploring-your-app/
Cheers,
Simon
Maxim Voronetski
Oct 29, 2024, 6:32:37 AMOct 29
to ZAP User Group
Look, I just have two pages:
https://{site}/swagger/index.html
https://{site}/graphql/
That I pass as parameter Parameters.owaspUrl into:
docker run -e ZAP_AUTH_HEADER_VALUE="Bearer $(owasp-token)" --rm --user root -v $(pwd):/zap/wrk/:rw -t softwaresecurityproject/zap-stable zap-api-scan.py -t ${{Parameters.owaspUrl}} -f openapi -r ${{Parameters.owaspReport}} -I
And then I have my two reports, which have, amongst others, those errors:
A Content-Type of text/html was returned by the server.
This is not one of the types expected to be returned by an API.
Raised by the 'Alert on Unexpected Content Types' script And all I want to know, if there's a way to fix or supress those
вторник, 29 октября 2024 г. в 10:39:54 UTC+1, psi...@gmail.com:
Maxim Voronetski
Oct 29, 2024, 6:34:07 AMOct 29
to ZAP User Group
Should I just pass swagger.json instead of ..
/swagger/index.html ?
вторник, 29 октября 2024 г. в 11:32:37 UTC+1, Maxim Voronetski:
Maxim Voronetski
Oct 29, 2024, 6:53:54 AMOct 29
to ZAP User Group
passing swagger.json didn't solve existing problems and added some new ones...
вторник, 29 октября 2024 г. в 11:34:07 UTC+1, Maxim Voronetski:
Simon Bennetts
Oct 29, 2024, 6:55:13 AMOct 29
to ZAP User Group
Yes, you need to pass in the swagger.json file / URL.
You will need to tell us what problems you are seeing, we are not telepathic :)
Maxim Voronetski
Oct 29, 2024, 7:03:31 AMOct 29
to ZAP User Group
New errors:
- This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.
- The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages.
But I can, probably, handle those. The problem is that the error:
- A Content-Type of text/html was returned by the server. This is not one of the types expected to be returned by an API. Raised by the 'Alert on Unexpected Content Types' script
didn't go away
вторник, 29 октября 2024 г. в 11:55:13 UTC+1, psi...@gmail.com:
Simon Bennetts
Oct 30, 2024, 8:57:43 AMOct 30
to ZAP User Group
For the "Content-Type of text/html" issues, look at the URLs its raised against.
Are those URLs references in the swagger.json file?
Maxim Voronetski
Oct 30, 2024, 10:12:55 AMOct 30
to ZAP User Group
Simon Bennetts
Oct 31, 2024, 7:03:54 AMOct 31
to ZAP User Group
Can you give us sanitised versions of what they are?
You'll need to give us something to work with...
Maxim Voronetski
Nov 13, 2024, 5:34:34 AM (8 days ago) Nov 13
to ZAP User Group
I believe, I gave those already, but ok:
https://.../latest/meta-data/
https://.../swagger/
https://.../swagger/index.html
https://.../swagger/index.html?class.module.classLoader.DefaultAssertionStatus=nonsense
https://.../swagger?class.module.classLoader.DefaultAssertionStatus=nonsense
https://.../latest/meta-data/
https://.../swagger/
https://.../swagger/index.html
https://.../swagger/index.html?class.module.classLoader.DefaultAssertionStatus=nonsense
https://.../swagger?class.module.classLoader.DefaultAssertionStatus=nonsense
четверг, 31 октября 2024 г. в 12:03:54 UTC+1, psi...@gmail.com:
Simon Bennetts
Nov 13, 2024, 8:43:10 AM (8 days ago) Nov 13
to ZAP User Group
Ah, OK.
Those requests are being made by some of the active scan rules.
Right now you would need to either ignore those specific findings or disable those rules.
Cheers,
Simon
Maxim Voronetski
Nov 13, 2024, 9:14:21 AM (8 days ago) Nov 13
to ZAP User Group
Simon Bennetts
Nov 14, 2024, 6:49:56 AM (7 days ago) Nov 14
to ZAP User Group
I searched the source code - it will all be in https://github.com/zaproxy/zap-extensions
The rules I spotted that definitely make thse requests:
- Cloud Metadata Potentially Exposed (/latest/meta-data/)
- Spring4Shell (the "DefaultAssertionStatus=nonsense" ones)
I'm not sure offhand about the other 2, it is possible that they will always be accessed?
Cheers,
Simon
Maxim Voronetski
Nov 18, 2024, 5:52:41 AM (3 days ago) Nov 18
to ZAP User Group
Sorry, how can I disable those when launching ZAP scan via CLI?
четверг, 14 ноября 2024 г. в 12:49:56 UTC+1, psi...@gmail.com:
Reply all
Reply to author
Forward
0 new messages