mozilla :: #websectools

17 Apr 2017
21:22 <stephend> heya thc202 - I'm trying to use the OpenAPI support, and getting an error that Google/GitHub don't seem to know about, if you're around
21:23 <thc202> hi stephend, I am, what is the error?
21:23 <stephend> oh, wondering if it's actually from the exposed API, rather than the plugin or ZAP, itself
21:23 <stephend> hi!
21:24 <stephend> I imported https://firefox.settings.services.mozilla.com/v1/__api__ and had ZAP started spidering it, after installing the addon from the Marketplace
21:24 <stephend> now got this:
21:24 <stephend> https://irccloud.mozilla.com/pastebin/sAvtRidS/
21:24 <stephend> but I'm not sure which attribute :-)
21:24 <thc202> :)
21:25 <stephend> and too bad this mozilla project doesn't-yet seem to have an OpenAPI version 2
21:25 <stephend> (since 3 is on the horizon, IIRC)
21:25 <thc202> yeah, unfortunately the library does not seem to provide more info than that :/
21:28 <thc202> hm, we should add the bridge to properly get the logs of the library, maybe that would help...
21:30 <stephend> oh, so it's not merely that the addon/library isn't logging more, itself?
21:32 <thc202> it should log more, I'm getting an error saying that it's not properly configured, so we might be missing some useful logs
21:32 <thc202> checking that now
21:34 <thc202> yeah, it should log something, I'm now getting some WARNs (although not that useful...)
21:34 <stephend> aha, thanks
21:34 <thc202> if you want I can upload the version with the changes
21:34 <stephend> I'm trying to find the original developer for this v1 implementation, but she was an intern, so her email bounces
21:35 <thc202> :/
21:36 <stephend> in my use-case, I really would like to be able to invoke a spider and scan for a swagger/open-api endpoint, using the commandline
21:36 <stephend> https://zaproxy.blogspot.com/2017/04/exploring-apis-with-zap.html?spref=tw
21:36 <stephend> but as I think both you and psiinon have pointed out, right now we either have to use the UI of ZAP itself, or one of the language APIs
21:36 <stephend> like Python
21:37 <thc202> right (it's also possible to use curl/wget to issue the API requests)
21:37 <stephend> so many components to what I'd like to do: CI, headless ZAP, command-line, discover API, spider + scan
21:38 <stephend> oh; guess I'll check that out, then, as a "stopgap"
21:39 <thc202> you can use the ZAP API UI to obtain the "final" URLs to use with curl
21:49 <stephend> also wondering if I can do this from the zap-cli, but I doubt it: https://github.com/Grunny/zap-cli
21:49 <stephend> but looks like I should be able to from the official Docker image, which includes a bunch of the tools: https://github.com/zaproxy/zaproxy/wiki/Docker
21:50 <thc202> I think so, you just need to start the spider/ascan (zap-cli allows that)
21:51 <thc202> yeah, Docker image includes zap-cli and Python client
21:54 <stephend> but I'd have to get the site tree for the swagger/openapi endpoint into ZAP, which means installing the add-on
21:54 <stephend> hmm
21:55 <stephend> I guess I *could* also build a custom Docker or shell-script to take care of this, so I can customize it more
21:55 <stephend> er, Dockerfile
21:56 <thc202> you can install the add-on through the command line
21:57 <thc202> -addoninstall openapi
21:59 <stephend> oh duh, yes - sorry, overwhelmed with my choices, and under pressure to get something for my Q2 goal in :-(
18 Apr 2017
No messages