Reputation: 301
Here is the request in my bash script that launches the OpenAPI scan:

    BASE_ZAP_URL="http://localhost:8080/JSON"
    OPENAPI_URL="${BASE_ZAP_URL}/openapi/action/importFile/"
    OPENAPI_FILE_PATH="openapi.json"
    OPENAPI_SCAN_RESPONSE=$(curl "${OPENAPI_URL}?apikey=${ZAP_API_KEY}&target=${TARGET_URL}&file=${OPENAPI_FILE_PATH}")
My script is running. My target is being scanned. I received a few requests on my target. Then, after a few seconds, I got this error in my Docker console:

    2024-11-21 22:46:15 223693 [ZAP-IO-Server-1-1] WARN org.zaproxy.zap.extension.api.API - Bad request to API endpoint [/JSON/openapi/view/results/] from [172.17.0.1]: 2024-11-21 22:46:15 org.zaproxy.zap.extension.api.ApiException: BAD_VIEW (results) [...]
If I'm not mistaken, as soon as the first problem is raised, ZAP tries to add it to "/JSON/openapi/view/results" (its own endpoint) but can't find it, so the code stops by itself.
I'm not sure whether the problem is mine (perhaps a missing configuration), or whether it's ZAP's fault.
I am stuck with this 🙃 and I can't find any information about it.
Could someone please help me?
I checked that the problem was not linked to the curl command, since I am receiving the first scan requests. Then I tried to make the request insensitive to failures with the -f argument, but it doesn't help.
Also:
Req:

    curl http://localhost:8080/JSON/openapi/view/results?apikey=${ZAP_API_KEY}

Res:

    {"code":"bad_view","message":"Bad View"}

Req:

    curl -I http://localhost:8080/JSON/openapi/view/results?apikey=${ZAP_API_KEY}

Res:

    HTTP/1.1 400 Bad Request
    Pragma: no-cache
    Cache-Control: no-cache, no-store, must-revalidate
    Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; child-src 'self'; img-src 'self' data:; font-src 'self' data:; style-src 'self' data:
    Referrer-Policy: no-referrer
    Access-Control-Allow-Methods: GET,POST,OPTIONS
    Access-Control-Allow-Headers: ZAP-Header
    X-Frame-Options: DENY
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    X-Clacks-Overhead: GNU Terry Pratchett
    Content-Length: 40
    Content-Type: application/json; charset=UTF-8
Upvotes: 1
Views: 83
Reputation: 6216
As per the bug you raised, there is no such endpoint. The available endpoints for this add-on are listed on https://www.zaproxy.org/docs/desktop/addons/openapi-support/#api :

> The following operations are added to the API:
>
>     ACTION importFile (file, target, contextId, userId)
>     ACTION importUrl (url, hostOverride, contextId, userId)
>
> Both target and hostOverride support the Target URL format explained earlier.
>
> The definitions will be imported synchronously and any warnings will be returned.
Upvotes: 2
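Since the import is synchronous and the only endpoints are `importFile` and `importUrl`, a script only has to call one of them and inspect the body it gets back. The following is an added example, not code from the question or from the ZAP project: it URL-encodes the query parameters, calls `importFile`, and classifies the JSON response (the `{"code":...}` error envelope seen in the question versus a warning list). It assumes `ZAP_API_KEY` and `TARGET_URL` are set by the caller, and the success shape `{"importFile":[ ...warnings... ]}` is an assumption about ZAP's output.

```shell
#!/usr/bin/env bash
# Added example, not code from the question or from the ZAP project.
# Assumed environment: ZAP_API_KEY, TARGET_URL (and optionally ZAP_API_URL,
# OPENAPI_FILE). The success response shape {"importFile":[...]} is assumed.
set -u
ZAP_API_URL="${ZAP_API_URL:-http://localhost:8080/JSON}"

# Classify a ZAP JSON body: "error" for the {"code":...} envelope,
# "ok" for an empty warning list, "warnings" for a non-empty one.
zap_classify_response() {
    case "$1" in
        *'"code":"'*)                               echo error ;;
        *'"importFile":[]'*|*'"importUrl":[]'*)      echo ok ;;
        *'"importFile":['*|*'"importUrl":['*)        echo warnings ;;
        *)                                          echo error ;;   # unknown body
    esac
}

# Pull the error code (e.g. bad_view) out of a ZAP error envelope.
zap_error_code() {
    printf '%s' "$1" | sed -n 's/.*"code":"\([^"]*\)".*/\1/p'
}

# Call importFile. The file path is resolved by the ZAP process (inside the
# container when ZAP runs in Docker), not by this shell, so mount it there.
# -G plus --data-urlencode keeps "://" and "&" in the target URL intact.
zap_import_file() {
    curl -sS -G \
        --data-urlencode "apikey=${ZAP_API_KEY}" \
        --data-urlencode "file=$1" \
        --data-urlencode "target=$2" \
        "${ZAP_API_URL}/openapi/action/importFile/"
}

# Import, then act on the classification. Returns 1 on an API error so a
# CI pipeline fails loudly instead of silently scanning nothing.
zap_import_and_report() {
    body="$(zap_import_file "$1" "$2")"
    case "$(zap_classify_response "$body")" in
        ok)       echo "import ok, no warnings" ;;
        warnings) echo "import ok with warnings: $body" ;;
        error)    echo "ZAP API error: $(zap_error_code "$body")" >&2; return 1 ;;
    esac
}

# Only talk to ZAP when explicitly asked, so the file can also be sourced.
if [ "${ZAP_RUN_IMPORT:-0}" = "1" ]; then
    zap_import_and_report "${OPENAPI_FILE:-openapi.json}" "${TARGET_URL:?}"
fi
```

Run it with `ZAP_RUN_IMPORT=1 ZAP_API_KEY=... TARGET_URL=https://... bash import.sh`; a `bad_view`-style envelope now surfaces as a non-zero exit with the code on stderr instead of being lost.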