I would like to use zap.sh or zap.jar to scan an OpenAPI API, but I have not had much luck yet. (Docker is not an option)
# java -version
openjdk 11.0.18
# java -jar zap-D-2023-04-10.jar -h | grep "openapi"
-openapifile <path> Imports an OpenAPI definition from the specified file name
-openapiurl <url> Imports an OpenAPI definition from the specified URL
-openapitargeturl <url> The Target URL, to override the server URL present in the OpenAPI definition. Refer to the help for supported format.
# java -jar zap-D-2023-04-10.jar -cmd -addonlist | grep "OpenAPI"
Levo.ai levoai v0.2.0 alpha Build OpenAPI Specs with ZAP traffic using Levo.ai.
OpenAPI Support openapi v34.0.0 beta Imports and spiders OpenAPI definitions.
# java -jar zap-D-2023-04-10.jar \
-cmd \
-addonupdate \
-config api.disablekey=true \
-openapitargeturl foo.com/swagger/v1/swagger.json
It gives back nothing, just a blank line. I have also started it in daemon mode, but I got the same result:
20615 [ZAP-daemon] INFO org.parosproxy.paros.CommandLine - Add-on update check complete
20639 [ZAP-daemon] INFO org.zaproxy.addon.network.ExtensionNetwork - ZAP is now listening on localhost:8080
(end of the log)
Does anyone have a working config for OpenAPI API scanning with zap.sh or .jar? Do you have any suggestions for this config?
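As an added example (not from the original post), this is the headless route I would take instead of the bare -openapi* flags, which only import the definition and do not scan on their own: a ZAP Automation Framework plan that imports the OpenAPI definition, waits for passive scanning, active-scans the context and writes a report. The hostname, spec path and report directory are placeholders, and the plan assumes the automation add-on is present in the ZAP build being used.

```yaml
# Run headlessly (placeholder jar name taken from the post):
#   java -jar zap-D-2023-04-10.jar -cmd -addonupdate -autorun plan.yaml
# The context scopes every job to the API host so nothing outside
# the target is requested; failOnError stops the run on a failed job.
env:
  contexts:
    - name: "api"
      urls:
        - "https://api.example.test"   # placeholder target host
  parameters:
    failOnError: true
    progressToStdout: true

jobs:
  # Import the spec (apiFile can be used instead of apiUrl for a local file).
  # targetUrl overrides the server URL inside the definition, as the
  # -openapitargeturl flag does on the command line.
  - type: openapi
    parameters:
      apiUrl: "https://api.example.test/swagger/v1/swagger.json"   # placeholder
      targetUrl: "https://api.example.test"
      context: "api"

  # Let passive rules finish on the imported requests before scanning.
  - type: passiveScan-wait
    parameters:
      maxDuration: 5        # minutes

  # Active scan only the in-scope context; cap the duration for CI use.
  - type: activeScan
    parameters:
      context: "api"
      maxScanDurationInMins: 30

  # Write the findings to disk; use traditional-json for machine parsing.
  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/tmp/zap-reports"   # placeholder output directory
      reportFile: "api-scan"
```

If the report directory stays empty, the job log printed by progressToStdout shows which step (import, context match, scan) did not run.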