This repository has been archived by the owner on Feb 26, 2021. It is now read-only.

Configure OpenAPI Scans with specific values #18

Open
rseedorff opened this issue Oct 3, 2018 · 1 comment
Labels
enhancement New feature or request

Comments

@rseedorff
Member

As a user I would like to configure the OpenAPI scans with specific values instead of the default ones. More information on that can be found here: https://zaproxy.blogspot.com/2017/06/scanning-apis-with-zap.html

Specifying Values

ZAP will use a set of default values when importing APIs. In some cases these will not be suitable values for a specific application, and therefore will not exercise enough of the code. For example a username of “test” might not cause a new user to be created as it is not a valid email address.
For APIs defined using OpenAPI/Swagger you can specify the values you want ZAP to use via ZAP command line options.
For example the options:
-config formhandler.fields.field(0).fieldId=username
-config formhandler.fields.field(0).value=[email protected]
-config formhandler.fields.field(0).enabled=true
-config formhandler.fields.field(1).fieldId=phone
-config formhandler.fields.field(1).value=012345678
-config formhandler.fields.field(1).enabled=true
Will supply the following values to the named fields:
username -> [email protected]
phone -> 012345678

The above quote shows a command-line example, but our ZAP microservice implementation depends on the ZAP REST API. Maybe there is a REST endpoint for this configuration option?

@rseedorff rseedorff added enhancement New feature or request Hacktoberfest https://hacktoberfest.digitalocean.com/ labels Oct 3, 2018
@rseedorff
Member Author

@J12934 J12934 removed Hacktoberfest https://hacktoberfest.digitalocean.com/ labels Feb 6, 2019