zaproxy / zap-api-dotnet

ZAP Dot NET API
Apache License 2.0

API not working as it should in C# after update to 2.12.0 #17

Open Danieldotz opened 1 year ago

Danieldotz commented 1 year ago

Describe the bug

Since the update to 2.12.0 the API call _api.alert.alerts has not been working as it should.

I keep getting this error... this code was working before the update.

Someone suggested it had to do with how I declared _apiResponse.

But that wouldn't explain that all other functions are working and only when I try to run getAlerts or _api.alert.alerts I get this error. This code is from the C# examples here in the OWASP Zap GitHub.

Maybe the syntax changed? I don't know, could someone help me?

Steps to reproduce the behavior

In C# use the call _api.alerts.alert

Expected behavior

Return the alerts currently listed in OWASP Zap

Software versions

OWASP ZAP Version: 2.12.0

Installed Add-ons: [[id=alertFilters, version=14.0.0], [id=ascanrules, version=49.0.0], [id=automation, version=0.19.0], [id=bruteforce, version=12.0.0], [id=callhome, version=0.5.0], [id=commonlib, version=1.11.0], [id=custompayloads, version=0.12.0], [id=database, version=0.1.0], [id=diff, version=12.0.0], [id=directorylistv1, version=5.0.0], [id=domxss, version=14.0.0], [id=encoder, version=0.7.0], [id=exim, version=0.3.0], [id=formhandler, version=6.1.0], [id=fuzz, version=13.8.0], [id=gettingStarted, version=14.0.0], [id=graaljs, version=0.3.0], [id=graphql, version=0.11.0], [id=help, version=15.0.0], [id=hud, version=0.15.0], [id=importurls, version=9.0.0], [id=invoke, version=12.0.0], [id=network, version=0.5.0], [id=oast, version=0.13.0], [id=onlineMenu, version=10.0.0], [id=openapi, version=30.0.0], [id=pscanrules, version=44.0.0], [id=quickstart, version=35.0.0], [id=replacer, version=11.0.0], [id=reports, version=0.16.0], [id=requester, version=7.0.0], [id=retest, version=0.4.0], [id=retire, version=0.17.0], [id=reveal, version=5.0.0], [id=saverawmessage, version=7.0.0], [id=savexmlmessage, version=0.3.0], [id=scripts, version=33.0.0], [id=selenium, version=15.11.0], [id=soap, version=15.0.0], [id=spider, version=0.1.0], [id=spiderAjax, version=23.10.0], [id=tips, version=10.0.0], [id=webdriverlinux, version=46.0.0], [id=websocket, version=27.0.0], [id=zest, version=37.0.0]]

Operating System: Linux
Architecture: amd64
Java Version: Debian 11.0.16
System's Locale: en_US
Display Locale: en_GB
Format Locale: en_US
Default Charset: UTF-8
ZAP Home Directory: /home/kali/.ZAP/
ZAP Installation Directory: /opt/zaproxy/./
Look and Feel: FlatLaf Light (com.formdev.flatlaf.FlatLightLaf)

Errors from the zap.log file

Zap does not write anything about this error in the logs

Additional context

No response

Would you like to help fix this issue?

thc202 commented 1 year ago

Unfortunately the .NET API client is not being maintained.

thc202 commented 1 year ago

Could you link to the example you are referring to?

Danieldotz commented 1 year ago

Could you link to the example you are referring to?

https://github.com/zaproxy/zap-api-dotnet/blob/master/src/OWASPZAPDotNetAPI/OWASPZAPDotNetAPI.Samples/SimplePointAndClickScan.cs

Here is the example I am talking about. Under the function PrintAlertsToConsole() you'll see the call GetAlerts(); this does the same thing as _api.alerts.alert(). I have tested these both and both return the same error.

thc202 commented 1 year ago

For anyone interested in addressing the issue, the API client implementation is wrongly assuming that the ApiResponseSet can only contain ApiResponseElement; it can also have other types (in this specific case ApiResponseList, as the Alert now has tags, which is a list).

Ref https://github.com/zaproxy/zap-api-dotnet/blob/59794dada6ffa1629bb414157438504c112c05e9/src/OWASPZAPDotNetAPI/OWASPZAPDotNetAPI/ApiResponseSet.cs#L55
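
Added example, not part of the comment above and not the client's own code: a stand-alone sketch of a response parser that recurses into every field of a set, so a field such as tags can be a list instead of a leaf element. The ResponseNode/ResponseLeaf/ResponseSet/ResponseList types are hypothetical, and the XML shape with a `type` attribute marking sets and lists, like the sample response itself, is an assumption constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

// Illustrative response model; these type names are hypothetical, not the client's classes.
abstract record ResponseNode(string Name);
record ResponseLeaf(string Name, string Value) : ResponseNode(Name);
record ResponseSet(string Name, IReadOnlyDictionary<string, ResponseNode> Fields) : ResponseNode(Name);
record ResponseList(string Name, IReadOnlyList<ResponseNode> Items) : ResponseNode(Name);

static class Demo
{
    // Assumption: containers carry type='set' or type='list'; any other node is a leaf value.
    static ResponseNode Parse(XElement x) => (x.Attribute("type")?.Value) switch
    {
        "list" => new ResponseList(x.Name.LocalName, x.Elements().Select(e => Parse(e)).ToList()),
        // Each field is parsed recursively, so a set may hold a leaf, a list or another set.
        "set" => new ResponseSet(x.Name.LocalName,
                     x.Elements().ToDictionary(e => e.Name.LocalName, e => Parse(e))),
        _ => new ResponseLeaf(x.Name.LocalName, x.Value),
    };

    // Renders any node, so callers never need to cast a field to one fixed type.
    static string Describe(ResponseNode n) => n switch
    {
        ResponseLeaf leaf => leaf.Value,
        ResponseList list => "[" + string.Join(", ", list.Items.Select(i => Describe(i))) + "]",
        ResponseSet set => "{" + string.Join("; ",
                               set.Fields.Select(f => f.Key + "=" + Describe(f.Value))) + "}",
        _ => throw new InvalidOperationException("unknown node type"),
    };

    static void Main()
    {
        // Constructed sample response: an alert set whose 'tags' field is a list, not a leaf.
        const string xml = @"<alerts type='list'>
  <alert type='set'>
    <name>Constructed sample alert</name>
    <risk>Medium</risk>
    <tags type='list'><tag>sample-tag-a</tag><tag>sample-tag-b</tag></tags>
  </alert>
</alerts>";
        var alerts = (ResponseList)Parse(XElement.Parse(xml));
        foreach (var alert in alerts.Items.OfType<ResponseSet>())
            Console.WriteLine(Describe(alert));
    }
}
```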

amarcu10 commented 1 year ago

After this update (2.12) our Windows Forms C# application also no longer functioned as it has without issue for over 3 years. The connectivity fails if we try to access the API via our application and via Postman (both Desktop and Browser versions). We are able to access the API without issue from Firefox & Chrome browsers directly. We have now rolled back to the previous version of OWASP (2.11), turned off the update feature and everything works flawlessly again.

gmaran23 commented 1 year ago

@Danieldotz The issue is fixed. Would you be able to verify?

Latest changes here - https://github.com/zaproxy/zap-api-dotnet

Nuget packages are updated too.

amarcu10 commented 1 year ago

After some application refactoring the issue no longer exists. Thanks for being awesome!