This is an interesting exercise in how ZAP handles Swagger files on import. My primary concern is that ZAP does not support importing injectable URL parameters from a Swagger file, and interprets a path like `{id}` as a literal `id` string.
You can see the difference between the endpoints that NightVision discovers (on the left) and the spidered URLs from ZAP (on the right): https://www.diffchecker.com/JKaeR6rg/ (expires in 30 days).
If you clone this gist, you can run `python3 print_endpoints.py` to print the endpoints that are in `swagger-paths.csv` (the ones discovered by NightVision). And you can see the endpoints that are discovered by the ZAP Spider in `spidered-paths.csv`.
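As an added example (not the gist's `print_endpoints.py`), here is a small check that compares Swagger path templates against spidered URLs and reports which templates the spider only reached with the `{param}` braces kept literally, which is the import behaviour described above. The template list and URLs are constructed sample data, and the percent-encoded `%7Bid%7D` variant is an assumed form, not something taken from the gist's CSVs.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample data (not the gist's CSV contents): Swagger path templates
# as NightVision would list them, and URLs as a ZAP spider might record them.
SWAGGER_PATHS = [
    "/api/users",
    "/api/users/{id}",
    "/api/users/{id}/orders/{orderId}",
    "/api/health",
]
SPIDERED_URLS = [
    "http://target.example/api/users",
    "http://target.example/api/users/{id}",         # braces kept verbatim
    "http://target.example/api/users/%7Bid%7D",     # same, percent-encoded (assumed form)
    "http://target.example/api/users/42/orders/7",  # concrete values substituted
]

PARAM_RE = re.compile(r"\{[^/{}]+\}")

def template_to_regex(template):
    """Anchored regex for a Swagger path template; each {param} matches one
    non-empty path segment."""
    literal_parts = PARAM_RE.split(template)
    n_params = len(PARAM_RE.findall(template))
    pattern = "".join(re.escape(part) + (r"[^/]+" if i < n_params else "")
                      for i, part in enumerate(literal_parts))
    return re.compile("^" + pattern + "$")

def classify(swagger_paths, spidered_urls):
    """Split templates into: 'covered' (spider reached them with real values),
    'literal_only' (only reached with the {param} braces left in, i.e. the
    import behaviour described above) and 'missing' (never reached)."""
    paths = {unquote(urlparse(u).path) for u in spidered_urls}
    result = {"covered": [], "literal_only": [], "missing": []}
    for tpl in swagger_paths:
        rx = template_to_regex(tpl)
        # A match still containing braces is the literal form, not real coverage.
        if any(rx.match(p) and not PARAM_RE.search(p) for p in paths):
            result["covered"].append(tpl)
        elif tpl in paths:
            result["literal_only"].append(tpl)
        else:
            result["missing"].append(tpl)
    return result

if __name__ == "__main__":
    for bucket, tpls in classify(SWAGGER_PATHS, SPIDERED_URLS).items():
        print(f"{bucket}: {tpls}")
```

Templates landing in `literal_only` are the ones whose parameters the scanner never injected into, so any findings on those endpoints should be treated as untested rather than clean.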