ZAP API Scan target/normalised URL


Jack Percy

Jun 26, 2024, 2:23:18 PM
to ZAP User Group
Hi,

I am running a scan with zap-api-scan.py through docker.

I have an SPA hosted at "https://my-site.example/" and the API at "https://my-site.example/api/". The API scan is run by passing the OpenAPI spec as the target at "https://my-site.example/api/swagger/swagger.json". This works fine, authentication is fine and data is added to the database. Alerts are raised based on issues found with the API endpoints, which will be corrected.

The problem is that it also scans the SPA routes, so I end up with alerts in my API report that I do not want. (A separate baseline scan is running against the SPA).

I am able to provide a context file to the scan, in order to try to include/exclude certain URLs so that I do not get the SPA alerts. The context file is picked up correctly; I can set "incregexes" to "https://my-site.example.*" and the scan runs fine. If I then set the "incregexes" to "https://my-site.example/api.*" I get an error of "URL_NOT_IN_CONTEXT". Setting "excregexes" to "^((?!api).)*$", i.e. excluding URLs that do not contain "api", gives the same error.

In zap-api-scan.py I can see the target URL being normalised to remove the path: https://github.com/zaproxy/zaproxy/blob/6fd1955432474c55b3136956610fc798829a5510/docker/zap-api-scan.py#L473

So I assume when I use the incregexes and excregexes, the scan is always trying to start at the root URL, hence throws the error that the URL is not in the context?

I am hoping you can provide some other ideas on how I can filter these alerts out, please.

Is there a way to get incregexes and excregexes to work how I am trying? Can I create an alert filter that applies to all alerts and exclude the URL there? Is there an alternative?

IMO the best solution is to not even scan other URLs and only hit the ones in the OpenAPI spec, but if that can't be done then I will just have to take a more verbose approach to filtering out the alerts from non-API routes.

Many thanks,
Jack

Simon Bennetts

Jul 1, 2024, 10:17:55 AM
to ZAP User Group
Hi Jack,

The packaged scans are somewhat inflexible.
Have a look at the Automation Framework - that will give you a lot more flexibility: https://www.zaproxy.org/docs/automate/automation-framework/

Cheers,

Simon
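As an added illustration of the approach Simon points to (not code from either poster or from the ZAP project), here is an Automation Framework plan that keeps the scan inside the API path by giving the context an `includePaths` regex matching the `/api` prefix, importing the OpenAPI spec into that context, and only actively scanning that context. The host, spec URL, report directory and the `zap.sh -cmd -autorun /zap/wrk/api-plan.yaml` invocation are assumed from the thread and the docker image's documented usage.

```yaml
# Added example plan (api-plan.yaml) for the ZAP Automation Framework.
# Assumption: the SPA lives at the site root and the API under /api,
# as described in the question. Only URLs matching includePaths are
# in scope, so SPA routes are neither spidered nor actively scanned.
env:
  contexts:
    - name: "api"
      urls:
        - "https://my-site.example/api/"
      includePaths:
        - "https://my-site.example/api.*"
      # Keep the spec itself and any logout/reset endpoint out of the
      # active scan; adjust to the real paths (placeholder below).
      excludePaths:
        - "https://my-site.example/api/swagger.*"
  parameters:
    failOnError: true
    progressToStdout: true

jobs:
  # Import every endpoint from the OpenAPI spec into the "api" context.
  - type: openapi
    parameters:
      apiUrl: "https://my-site.example/api/swagger/swagger.json"
      targetUrl: "https://my-site.example/api/"
      context: "api"

  # Let passive scanning catch up before the report is written.
  - type: passiveScan-wait
    parameters:
      maxDuration: 5

  # Active scan is restricted to the context, so no SPA alerts appear.
  - type: activeScan
    parameters:
      context: "api"

  # Report only what was found in the "api" context.
  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/zap/wrk"
      reportFile: "api-report"
      contexts:
        - "api"
```

Authentication can be added to the context's `authentication`/`users` sections in the same `env` block rather than through the `-z` options the packaged script expects.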
