zap.sh api scan config

I would like to use zap.sh or zap.jar to scan an OpenAPI API, but I have not had too much luck yet. (Docker is not an option)

So I have a problem with the API scan with the jar (but it is also a problem with zap.sh). I have already installed the required add-ons, but it seems to me that it does not work at all.

# java --version
openjdk 11.0.18

# java -jar zap-D-2023-04-10.jar -h | grep "openapi"
        -openapifile <path>      Imports an OpenAPI definition from the specified file name
        -openapiurl <url>        Imports an OpenAPI definition from the specified URL
        -openapitargeturl <url>  The Target URL, to override the server URL present in the OpenAPI definition. Refer to the help for supported format.

# java -jar zap-D-2023-04-10.jar -cmd -addonlist | grep "OpenAPI"
Levo.ai levoai  v0.2.0  alpha   Build OpenAPI Specs with ZAP traffic using Levo.ai.
OpenAPI Support openapi v34.0.0 beta    Imports and spiders OpenAPI definitions.

# java -jar zap-D-2023-04-10.jar \
-cmd \
-addonupdate \
-config api.disablekey=true \
-openapitargeturl foo.com/swagger/v1/swagger.json

and it gives back nothing, just a blank line. I have also started it in daemon mode, but I got the same result:

20615 [ZAP-daemon] INFO  org.parosproxy.paros.CommandLine - Add-on update check complete
20639 [ZAP-daemon] INFO  org.zaproxy.addon.network.ExtensionNetwork - ZAP is now listening on localhost:8080
(end of the log)

Does anyone have a working config for OpenAPI API scanning with zap.sh or the .jar? Do you have any suggestions for this config?

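As an added example (not from the original post or from the ZAP project): the `-h` output above shows that `-openapitargeturl` only overrides the server URL, while the import itself comes from `-openapifile` or `-openapiurl`, and in `-cmd` mode ZAP exits once the command-line work is done. The script below instead drives the scan through an Automation Framework plan (`-autorun`), which imports the definition, runs an active scan and writes a report. It assumes the "automation" and "openapi" add-ons are installed; the spec and target URLs are placeholders, and ZAP is only launched when `ZAP_JAR` points at the jar.

```shell
#!/bin/sh
# Added example: generate an Automation Framework plan and run it with
# zap.jar in -cmd mode. URLs and paths below are placeholders.
write_plan() {
  # $1 = plan path, $2 = OpenAPI spec URL, $3 = target base URL, $4 = report dir
  cat > "$1" <<EOF
env:
  contexts:
    - name: "api"
      urls:
        - "$3"
  parameters:
    failOnError: true
jobs:
  - type: openapi
    parameters:
      apiUrl: "$2"
      targetUrl: "$3"
  - type: activeScan
    parameters:
      context: "api"
  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "$4"
      reportFile: "zap-api-report"
EOF
}

# Build the ZAP command line; $1 = path to zap.jar, $2 = plan file
zap_cmd() {
  printf 'java -jar %s -cmd -config api.disablekey=true -autorun %s\n' "$1" "$2"
}

PLAN=${PLAN:-/tmp/zap-api-plan.yaml}
write_plan "$PLAN" "https://target.example/swagger/v1/swagger.json" \
  "https://target.example" "/tmp"
# Launch ZAP only when a jar path is supplied, so the script also runs offline
if [ -n "${ZAP_JAR:-}" ]; then
  java -jar "$ZAP_JAR" -cmd -config api.disablekey=true -autorun "$PLAN"
fi
```

With zap.sh instead of the jar, replace `java -jar "$ZAP_JAR"` by `./zap.sh` and keep the same `-cmd -autorun` arguments.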