zap-api-dotnet
zap-api-dotnet copied to clipboard
zaproxy
API not working as it should in C# after update to 2.12.0
Describe the bug
Since the update to 2.12.0 the API call _api.alert.alerts has not been working as it should.
I keep getting this error... this code was working before the update.
Someone suggested it had to do with how I declared _apiResponse:
But that wouldnt explain that all other functions are working and only when I try to run getAlerts or _api.alert.alerts i get this error. This code is from the C# examples here in the OWASP Zap github.
Maybe the syntax changed? I dont know, could someone help me?
Steps to reproduce the behavior
In C# use the call _api.alerts.alert
Expected behavior
Return the alerts currently listed in OWASP Zap
Software versions
OWASP ZAP Version: 2.12.0
Installed Add-ons: [[id=alertFilters, version=14.0.0], [id=ascanrules, version=49.0.0], [id=automation, version=0.19.0], [id=bruteforce, version=12.0.0], [id=callhome, version=0.5.0], [id=commonlib, version=1.11.0], [id=custompayloads, version=0.12.0], [id=database, version=0.1.0], [id=diff, version=12.0.0], [id=directorylistv1, version=5.0.0], [id=domxss, version=14.0.0], [id=encoder, version=0.7.0], [id=exim, version=0.3.0], [id=formhandler, version=6.1.0], [id=fuzz, version=13.8.0], [id=gettingStarted, version=14.0.0], [id=graaljs, version=0.3.0], [id=graphql, version=0.11.0], [id=help, version=15.0.0], [id=hud, version=0.15.0], [id=importurls, version=9.0.0], [id=invoke, version=12.0.0], [id=network, version=0.5.0], [id=oast, version=0.13.0], [id=onlineMenu, version=10.0.0], [id=openapi, version=30.0.0], [id=pscanrules, version=44.0.0], [id=quickstart, version=35.0.0], [id=replacer, version=11.0.0], [id=reports, version=0.16.0], [id=requester, version=7.0.0], [id=retest, version=0.4.0], [id=retire, version=0.17.0], [id=reveal, version=5.0.0], [id=saverawmessage, version=7.0.0], [id=savexmlmessage, version=0.3.0], [id=scripts, version=33.0.0], [id=selenium, version=15.11.0], [id=soap, version=15.0.0], [id=spider, version=0.1.0], [id=spiderAjax, version=23.10.0], [id=tips, version=10.0.0], [id=webdriverlinux, version=46.0.0], [id=websocket, version=27.0.0], [id=zest, version=37.0.0]]
Operating System: Linux Architecture: amd64 Java Version: Debian 11.0.16 System's Locale: en_US Display Locale: en_GB Format Locale: en_US Default Charset: UTF-8 ZAP Home Directory: /home/kali/.ZAP/ ZAP Installation Directory: /opt/zaproxy/./ Look and Feel: FlatLaf Light (com.formdev.flatlaf.FlatLightLaf)
Screenshots
Errors from the zap.log file
Zap does not write anything about this error in the logs
Additional context
No response
Would you like to help fix this issue?
- [X] Yes
Could you link to the example you are referring to?
https://github.com/zaproxy/zap-api-dotnet/blob/master/src/OWASPZAPDotNetAPI/OWASPZAPDotNetAPI.Samples/SimplePointAndClickScan.cs
Here is the example I am talking about. Under the function PrintAlertsToConsole() youll see the call GetAlerts(), this does the same thing als _api.alerts.alert(). I have tested these both and both return the same error.
For anyone interested in addressing the issue, the API client implementation is wrongly assuming that the ApiResponseSet can only contain ApiResponseElement, it can also have other types (in this specific case ApiResponseList, the Alert now has tags which is a list).
Ref https://github.com/zaproxy/zap-api-dotnet/blob/59794dada6ffa1629bb414157438504c112c05e9/src/OWASPZAPDotNetAPI/OWASPZAPDotNetAPI/ApiResponseSet.cs#L55
After this update (2.12) our Windows Forms C# application also no longer functioned as it has without issue for over 3 years. The connectivity fails if we try to access the API via our application and via Postman (both Desktop and Browser versions). We are able to access the API without issue from Firefox & Chrome browsers directly. We have now rolled back to the previous version of OWASP (2.11), turned off the update feature and everything works flawlessly again.
@Danieldotz The issue is fixed. Would you be able to verify?
Latest changes here - https://github.com/zaproxy/zap-api-dotnet
Nuget packages are updated too.
After some application refactoring the issue no longer exists. Thanks for being awesome!