Zap Error: 'Alert on Unexpected Content Types' script


Maxim Voronetski

Oct 10, 2024, 5:08:32 AM
to ZAP User Group
Hello
Is there a way to edit the URL list that is parsed by the script?

The thing is that it thinks URLs like:
{site}/latest/meta-data/
{site}/swagger/
{site}/swagger/index.html
{site}/graphql/

should return an "application/json" content-type, as if they were API endpoints, not simple HTML pages with a "text/html" content-type.

And I can't think of a way to fix it.

Thanks

Simon Bennetts

Oct 10, 2024, 9:55:23 AM
to ZAP User Group
Hiya,

How are you exploring your app?
That's how ZAP builds up the list of URLs to check.

Cheers,

Simon

kingthorin+zap

Oct 10, 2024, 1:25:33 PM
to ZAP User Group
There aren't exclusions per rule; however, you could create an Alert Filter to address them before the report is generated.

Maxim Voronetski

Oct 14, 2024, 5:42:49 AM
to ZAP User Group

zap-stable zap-api-scan.py -t ${{Parameters.owaspUrl}} -f openapi 

where ${{Parameters.owaspUrl}} is the site address.
Thursday, 10 October 2024 at 15:55:23 UTC+2, psi...@gmail.com:

Simon Bennetts

Oct 17, 2024, 4:38:02 AM
to ZAP User Group
This implies that your OpenAPI spec includes HTML endpoints.
Can you confirm that?
If so, can you remove them from the spec?
If not, we can look at the existing options to exclude them.

Cheers,

Simon

Maxim Voronetski

Oct 17, 2024, 11:55:35 AM
to zaprox...@googlegroups.com

How can I confirm it?
From what I know, we don't have any HTML endpoints, only Swagger for endpoint testing.
Plus, how can I exclude the URLs if I know them?


--
ZAP by Checkmarx: https://www.zaproxy.org/

Maxim Voronetski

Oct 17, 2024, 4:10:38 PM
to ZAP User Group
I don't understand how it scans for the endpoints having only the site address.

Thursday, 17 October 2024 at 17:55:35 UTC+2, Maxim Voronetski:

Simon Bennetts

Oct 23, 2024, 12:46:48 PM
to ZAP User Group
ZAP doesn't only have the site address.
It has the definition of the OpenAPI spec - you are passing that URL into ZAP, right?

Maxim Voronetski

Oct 28, 2024, 11:26:33 AM
to ZAP User Group
Yes,
.../swagger/index.html
and
.../graphql/

and the problem is that it thinks those are also API endpoints.

Wednesday, 23 October 2024 at 18:46:48 UTC+2, psi...@gmail.com:

kingthorin+zap

Oct 28, 2024, 12:34:11 PM
to ZAP User Group
.../swagger/index.html

isn't a spec URL; it's an HTML page, as it says.

Maxim Voronetski

Oct 29, 2024, 4:59:04 AM
to ZAP User Group
Yes, we feed those 2 pages to ZAP and get reports with errors saying that pages like:
.../swagger/
.../swagger/index.html
have an unexpected content-type.

Monday, 28 October 2024 at 17:34:11 UTC+1, kingthorin+zap:

Simon Bennetts

Oct 29, 2024, 5:39:54 AM
to ZAP User Group
The ZAP API packaged scan supports OpenAPI, SOAP, and GraphQL.
You are supplying an HTML page; that will not work.
If you don't have a supported API spec then use one of the other options for exploring your app: https://www.zaproxy.org/docs/getting-further/automation/exploring-your-app/

Cheers,

Simon

Maxim Voronetski

Oct 29, 2024, 6:32:37 AM
to ZAP User Group

Look, I just have two pages:
https://{site}/swagger/index.html 
https://{site}/graphql/

that I pass as the parameter Parameters.owaspUrl into:
docker run -e ZAP_AUTH_HEADER_VALUE="Bearer $(owasp-token)" --rm --user root -v $(pwd):/zap/wrk/:rw -t softwaresecurityproject/zap-stable zap-api-scan.py -t ${{Parameters.owaspUrl}} -f openapi -r ${{Parameters.owaspReport}} -I

And then I have my two reports, which have, amongst others, those errors:
A Content-Type of text/html was returned by the server.
This is not one of the types expected to be returned by an API.
Raised by the 'Alert on Unexpected Content Types' script 

And all I want to know is if there's a way to fix or suppress those.

Tuesday, 29 October 2024 at 10:39:54 UTC+1, psi...@gmail.com:

Maxim Voronetski

Oct 29, 2024, 6:34:07 AM
to ZAP User Group
Should I just pass swagger.json instead of .../swagger/index.html?

Tuesday, 29 October 2024 at 11:32:37 UTC+1, Maxim Voronetski:

Maxim Voronetski

Oct 29, 2024, 6:53:54 AM
to ZAP User Group
passing swagger.json didn't solve existing problems and added some new ones...

Tuesday, 29 October 2024 at 11:34:07 UTC+1, Maxim Voronetski:

Simon Bennetts

Oct 29, 2024, 6:55:13 AM
to ZAP User Group
Yes, you need to pass in the swagger.json file / URL.

You will need to tell us what problems you are seeing, we are not telepathic :)

Maxim Voronetski

Oct 29, 2024, 7:03:31 AM
to ZAP User Group
New errors:
  • This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.
  • The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages.
But I can probably handle those. The problem is that the error:

  • A Content-Type of text/html was returned by the server. This is not one of the types expected to be returned by an API. Raised by the 'Alert on Unexpected Content Types' script
didn't go away.
Tuesday, 29 October 2024 at 11:55:13 UTC+1, psi...@gmail.com:

Simon Bennetts

Oct 30, 2024, 8:57:43 AM
to ZAP User Group
For the "Content-Type of text/html" issues, look at the URLs it's raised against.
Are those URLs referenced in the swagger.json file?

Maxim Voronetski

Oct 30, 2024, 10:12:55 AM
to ZAP User Group

Nope, they aren't.
Wednesday, 30 October 2024 at 13:57:43 UTC+1, psi...@gmail.com:

Simon Bennetts

Oct 31, 2024, 7:03:54 AM
to ZAP User Group
Can you give us sanitised versions of what they are?
You'll need to give us something to work with...

Maxim Voronetski

Nov 13, 2024, 5:34:34 AM
to ZAP User Group
I believe I gave those already, but OK:
https://.../latest/meta-data/
https://.../swagger/
https://.../swagger/index.html
https://.../swagger/index.html?class.module.classLoader.DefaultAssertionStatus=nonsense
https://.../swagger?class.module.classLoader.DefaultAssertionStatus=nonsense


Thursday, 31 October 2024 at 12:03:54 UTC+1, psi...@gmail.com:

Simon Bennetts

Nov 13, 2024, 8:43:10 AM
to ZAP User Group
Ah, OK.
Those requests are being made by some of the active scan rules.
Right now you would need to either ignore those specific findings or disable those rules.

Cheers,

Simon

Maxim Voronetski

Nov 13, 2024, 9:14:21 AM
to ZAP User Group

How can I find those specific rules?
Wednesday, 13 November 2024 at 14:43:10 UTC+1, psi...@gmail.com:

Simon Bennetts

Nov 14, 2024, 6:49:56 AM
to ZAP User Group
I searched the source code; it will all be in https://github.com/zaproxy/zap-extensions
The rules I spotted that definitely make these requests:
I'm not sure offhand about the other 2, it is possible that they will always be accessed?

Cheers,

Simon

Maxim Voronetski

Nov 18, 2024, 5:52:41 AM
to ZAP User Group

Sorry, how can I disable those when launching ZAP scan via CLI?
Thursday, 14 November 2024 at 12:49:56 UTC+1, psi...@gmail.com:

Simon Bennetts

Nov 21, 2024, 12:53:27 PM
to ZAP User Group
In an earlier comment you said you were using the packaged API scan.

You will want to define and set a configuration file, which is detailed on https://www.zaproxy.org/docs/docker/baseline-scan/#configuration-file
You can first get the API scan to generate the file, then edit it to disable those rules, and then pass that in when you run it again.

Cheers,

Simon
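The generate/edit/pass-back cycle described in the post above, scripted for the packaged API scan, as an added example that is not code from the ZAP project or from anyone in this thread. It uses the tab-separated rule config format the linked baseline-scan page documents, and also shows the OUTOFSCOPE action, which keeps a rule enabled while skipping URLs that match a regex; SPEC_URL and PLACEHOLDER_RULE_ID stand in for the real spec URL and the ids of the rules you want to silence.

```shell
#!/bin/sh
# Added example, not code from the ZAP project or from anyone in this thread.
# Workflow for the packaged API scan: 1) let zap-api-scan.py write its rule
# config with -g, 2) edit that file, 3) pass it back with -c on the next run.
# Each rule line is tab-separated: <id>\t<action>\t(<rule name>)
# Actions: WARN (default), IGNORE, FAIL. A line "<id>\tOUTOFSCOPE\t<url regex>"
# keeps the rule active but skips matching URLs for that rule ("*" = all rules).
# PLACEHOLDER_RULE_ID is a placeholder: read the real id of each noisy rule from
# the generated file or from the report.

# Steps 1 and 3, kept as comments so this script runs offline:
# docker run --rm -v "$(pwd):/zap/wrk/:rw" -t softwaresecurityproject/zap-stable \
#   zap-api-scan.py -t "$SPEC_URL" -f openapi -g api-scan.conf
# docker run --rm -v "$(pwd):/zap/wrk/:rw" -t softwaresecurityproject/zap-stable \
#   zap-api-scan.py -t "$SPEC_URL" -f openapi -c api-scan.conf -r report.html -I

# Constructed stand-in for a generated file (two real rule ids as sample rows).
write_sample_config() {    # usage: write_sample_config <config>
  printf '# zap-api-scan rule configuration file\n' > "$1"
  printf '10021\tWARN\t(X-Content-Type-Options Header Missing)\n' >> "$1"
  printf '90034\tWARN\t(Cloud Metadata Potentially Exposed)\n' >> "$1"
}

# Step 2a: set the given rule ids to IGNORE; comments and other rules are untouched.
ignore_rules() {           # usage: ignore_rules <config> <id> [<id>...]
  cfg=$1; shift
  ids=",$(printf '%s,' "$@")"      # ",id1,id2," so ids match whole, not as substrings
  awk -F '\t' -v OFS='\t' -v ids="$ids" \
    '!/^#/ && index(ids, "," $1 ",") { $2 = "IGNORE" } { print }' "$cfg" > "$cfg.tmp" \
    && mv "$cfg.tmp" "$cfg"
}

# Step 2b: keep a rule but stop it alerting on URLs that match a regex.
out_of_scope() {           # usage: out_of_scope <config> <id-or-*> <url regex>
  printf '%s\tOUTOFSCOPE\t%s\n' "$2" "$3" >> "$1"
}

# Reads back the action recorded for a rule id (used to verify the edit).
action_for() {             # usage: action_for <config> <id>
  awk -F '\t' -v id="$2" '$1 == id && $2 != "OUTOFSCOPE" { print $2 }' "$1"
}
```

Run the generation step first so the file you edit is the one matching your ZAP version, then diff it against the edited copy before committing it next to your pipeline definition.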