Add endpoints via API

[GilFernandes2000]

Hello everyone,

I was doing some dictionary attacks to try to find directories that cannot be found using, for example, the Spider/AJAX Spider from ZAP.
Just to be clear, I know that ZAP has a built-in feature to make dictionary attacks using dirbuster but that feature is not available on the ZAP automation framework(Packaged Scans).
So I decided to use gobuster to perform the dictionary attacks. Because it's outputs are not currently supported by DefectDojo I have to insert them using the API. However, when I do so the results appear differently from the ones that I get when parsing the ZAP report. I will leave some examples.

In the first image, we see an import using the API with the results from gobuster and in the second the same endpoint was obtained by parsing the zap file. The "gobuster@" appears because it is mandatory to have "userinfo" when uploading an endpoint through the API. Is there a way to make it appear the same as the one got by the ZAP report? It would help to also deduplicate the endpoints.

Thank you all in advance.

[manuel-sommer]

Hi @GilFernandes2000 ,

could you please open up an issue with a sample file? Then, it is easier to reproduce the issue and fix the bug.
With "using the API" you are talking about the REST API with the import / reimport findings endpoint, right?

[GilFernandes2000]

Hi,

I was using the POST on the /endpoints.
Now I'm trying to see if I can upload endpoints via a POST on the /findings. I saw in the response body that there was an array called endpoints but I'm not sure how to populate it in the request body.

Do you have any suggestions on the best way to upload endpoints via de API?

[Jon-the-2nd]

hi @GilFernandes2000, @manuel-sommer ,

I have a similar issue as there seems to be no way to include (new) endpoints when creating a finding (POST /api/v2/findings) or even link the id of an existing endpoint.

Am I missing something?

[GilFernandes2000]

Hi @Jon-the-2nd,

What I did was create the endpoint and the finding separately and then combined them through the /api/v2/endpoint_status endpoint where you can associate the endpoint id with the finding id.

Hope it helps.

[Jon-the-2nd]

hi @GilFernandes2000,

Yes, I came to that conclusion too, yesterday evening. But I was kind of hoping there would be an easier solution, similar to the 'Endpoints to add' field when you create a finding manually in the GUI. This field also appears to exist when calling /api/v2/import-scan/, so I was expecting similar logic when calling /api/v2/findings/.

But thanks a lot for confirming that I can get it to work by taking the long road :-)