zap-api-scan.py not finding any urls from my swagger yaml file


Chris George

Jun 21, 2017, 5:52:30 AM
to OWASP ZAP User Group
Hi,

I've been investigating using our swagger yaml file to drive ZAP (2.6), and I've been able to successfully do this through the UI, importing the yaml file from the filesystem.

However, when I run zap-api-scan.py from the docker weekly container, it does not find any URLs.

I'm running
docker run -v /tmp:/zap/wrk -i owasp/zap2docker-weekly zap-api-scan.py -t /zap/wrk/swagger_reduced.yaml -f openapi -d


2017-06-21 09:37:23,745 ZAP Version D-2017-06-19
2017-06-21 09:37:23,746 Took 18 seconds
2017-06-21 09:37:23,769 Import OpenAPI File /zap/wrk/swagger_reduced.json
2017-06-21 09:37:23,784 Failed to import any URLs
2017-06-21 09:37:23,784 Number of Imported URLs: 0
2017-06-21 09:37:23,784 Import warnings: {u'message': u'Does Not Exist', u'code': u'does_not_exist'}
2017-06-21 09:37:23,784 Active Scan /zap/wrk/ with policy API-Minimal


Is the importer used by zap-api-scan different to that used by the openapi plugin in the ZAP ui?

Any thoughts as to why this might be happening?

Regards
Chris

Chris George

Jun 21, 2017, 5:53:14 AM
to OWASP ZAP User Group
I should add that the ability to do this at all is great :-)

Simon Bennetts

Jun 21, 2017, 5:56:23 AM
to OWASP ZAP User Group
Where is the swagger_reduced.yaml file located, when you run the above command?

I think it should be in the /tmp directory, as that's the one you are mapping to /zap/wrk.

Cheers,

Simon


On Wednesday, 21 June 2017 10:52:30 UTC+1, Chris George wrote:

Simon Bennetts

Jun 21, 2017, 5:56:52 AM
to OWASP ZAP User Group
That's good to hear :)
Now we just need to make sure it works for you ;)

Simon Bennetts

Jun 21, 2017, 5:59:10 AM
to OWASP ZAP User Group
Oh, and are the URLs contained in swagger_reduced.yaml local (e.g. localhost / 127.0.0.1)?

You won't be able to access URLs like that from within the docker container, at least not by default.

Cheers,

Simon

Chris George

Jun 21, 2017, 6:46:51 AM
to OWASP ZAP User Group
1. The swagger file is located in /tmp. I tried messing with the filename to check it was actually reading it, and giving the command a file that doesn't exist gives a different error.
2. The yaml file has an external IP/port in the host field

e.g. (redacted):
  host: "11.22.33.44:1234"
  basePath: "/api/v1"


Chris

thc...@gmail.com

Jun 21, 2017, 7:20:20 AM
to zaprox...@googlegroups.com
Hi.

Seems to be an issue with the script; it's attempting to load:
/zap/wrk/zap/wrk/swagger_reduced.yaml

A workaround is to have the files in both dirs, e.g.:
/tmp/swagger_reduced.yaml
/tmp/zap/wrk/swagger_reduced.yaml

Best regards.

Chris George

Jun 21, 2017, 7:37:22 AM
to OWASP ZAP User Group
Oh fantastic!! Yes, I see the problem in the copious debug output now! I've copied the file and it's working!

Simon, can this be fixed in the source at some point?

stack trace:
12982 [ZAP-ProxyThread-6] WARN org.zaproxy.zap.extension.api.API  - ApiException while handling API request:
Does Not Exist (does_not_exist) : /zap/wrk/zap/wrk/swagger_reduced.json
at org.zaproxy.zap.extension.openapi.OpenApiAPI.handleApiAction(OpenApiAPI.java:61)
at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:431)
at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:436)
at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:297)
at java.lang.Thread.run(Thread.java:748)


Cheers
Chris

Simon Bennetts

Jun 21, 2017, 8:54:31 AM
to OWASP ZAP User Group
So what happens if you just specify:

docker run -v /tmp:/zap/wrk -i owasp/zap2docker-weekly zap-api-scan.py -t swagger_reduced.yaml -f openapi -d

where the swagger_reduced.yaml file is still in /tmp?

Cheers,

Simon

Chris George

Jun 21, 2017, 10:10:29 AM
to OWASP ZAP User Group
"Target must either start with 'http://' or 'https://' or be a local file"

I think it checks the existence of the path of the provided file. In this case, there is no path, so it assumes it is neither a file nor a URL.

Perhaps it should get the path of the file; if it is empty, assume it is a file in the /zap/wrk dir.


Chris

thc...@gmail.com

Jun 21, 2017, 10:29:53 AM
to zaprox...@googlegroups.com
In this specific case the problem is that the script tests/verifies one path but later it uses another (it appends "/zap/wrk/" to the provided path when calling the API).

Best regards.
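The check/use mismatch described in the two messages above, as an added model written for this thread (it is not the source of zap-api-scan.py): a constructed in-memory file list stands in for the container filesystem, and the fixed resolver checks and passes the same path, treating a bare filename as living in the /zap/wrk work dir.

```python
import os

# Constructed model of the path-handling bug discussed in this thread; it is
# not the code of zap-api-scan.py. WORK_DIR is the dir the docker -v flag maps.
WORK_DIR = "/zap/wrk"
USAGE_ERROR = "Target must either start with 'http://' or 'https://' or be a local file"

# Constructed stand-in for the container filesystem: the file exists only here
# (host /tmp is mounted as /zap/wrk, so /tmp/... is not visible inside).
FAKE_FS = {"/zap/wrk/swagger_reduced.yaml"}


def file_exists(path):
    return os.path.normpath(path) in FAKE_FS


def is_url(target):
    return target.startswith(("http://", "https://"))


def resolve_target_buggy(target):
    """Validates one path but hands a different one to the import API."""
    if is_url(target):
        return target
    if not file_exists(target):  # checked exactly as given ...
        raise ValueError(USAGE_ERROR)
    # ... but the work dir is prepended unconditionally before the API call,
    # so /zap/wrk/x.yaml becomes /zap/wrk/zap/wrk/x.yaml (the path in the log),
    # while a bare filename never gets past the existence check above.
    return WORK_DIR + "/" + target.lstrip("/")


def resolve_target_fixed(target):
    """Resolves once, then checks and uses that same path."""
    if is_url(target):
        return target
    # A bare filename is taken to live in the work dir; an explicit path is kept.
    path = target if os.path.dirname(target) else os.path.join(WORK_DIR, target)
    if not file_exists(path):
        raise ValueError(USAGE_ERROR)
    return path
```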

Simon Bennetts

Jun 22, 2017, 4:21:20 AM
to OWASP ZAP User Group
I've just raised a bug for this, and will aim to look at it asap: https://github.com/zaproxy/zaproxy/issues/3692

thc...@gmail.com

Jun 22, 2017, 5:13:30 AM
to zaprox...@googlegroups.com
Thank you!

Best regards.

Chris George

Jun 22, 2017, 5:15:02 AM
to OWASP ZAP User Group
Awesome. Thanks Simon

Simon Bennetts

Jun 22, 2017, 10:36:13 AM
to OWASP ZAP User Group
This has now been fixed: https://github.com/zaproxy/zaproxy/pull/3694
It will be included in the next weekly release and will be in the live docker build as soon as that's finished: https://hub.docker.com/r/owasp/zap2docker-live/builds/

Cheers,

Simon