4

Is it possible to test a REST API via OWASP ZAP? "URL to attack" worked only for GET requests.


For example, my API controllers work only with a token. I have a TokenController, and this controller requires POST data as JSON, including password and login. Can I somehow test this controller via OWASP ZAP?

Сергей
  • How did you eventually figure this out? With OWASP ZAP in a Docker env like the answer below? – achahbar Jan 08 '19 at 10:27

2 Answers

5

The short answer is yes. The long answer: it's complicated :)

Testing a REST API is a bit harder than testing a web API - you'll have to give ZAP information about your API - which endpoints it has, parameters, etc. Can you share more about your API? Does it have an OpenAPI/Swagger document? Do you have existing tests? You can use either one of those for this task.

I gave a talk about how this can be achieved - you can find the recording here.

Omer Levi Hevroni
  • Does it mean that automated testing is impossible? – Сергей Aug 06 '18 at 11:34
  • Do you have a definition for your API? If so then have a look at https://github.com/zaproxy/zaproxy/wiki/ZAP-API-Scan If not, do you have any existing tests? If you don't have those either then it's going to be hard for any automated tool to explore your API. – Simon Bennetts Aug 06 '18 at 11:58
  • Yes, as Simon said :) If you want to use existing tests you can follow this guide: https://github.com/Soluto/owasp-zap-glue-ci-images – Omer Levi Hevroni Aug 06 '18 at 12:02
  • Is it only possible to scan APIs through OWASP ZAP run in Docker? I deployed this while following this tutorial https://kasunkodagoda.com/2017/09/03/introducing-owasp-zed-attack-proxy-task-for-visual-studio-team-services/ inside a VM that runs the OWASP ZAP program – achahbar Jan 08 '19 at 09:57
0

It is possible to automate API testing with OWASP ZAP, but to perform the tests I see two options: offer some usage pattern, for example OpenAPI, for ZAP to consider when extracting the information. A second option would be to run an automated test so that ZAP captures it as passive scan information, and after that you can test the session information.

We recommend using the OpenAPI documentation. The Cucumber test would look like this:

Feature: Security
  This feature is to test pokemon service security

  Scenario: Validate passive and active scan
    Given I import context from open API specification "/v2/api-docs"
    And I remove alerts
      | url                    |
      | http://.*/v2/api-docs* |
    And I import scan policy "javaclean" from file "javaclean.policy"
    When I run active scan
    And I generate security test HTML report with name "java-clean-security-report"
    Then the number of risks per category should not be greater than
      | low | medium | high | informational |
      | 0   | 0      | 0    | 0             |

I am developing steps for ZAP; see them on GitHub: https://github.com/osvaldjr/easy-cucumber/wiki/Security-steps

Example step for importing OpenAPI docs:

@Given("^I import context from open API specification \"([^\"]*)\"$")
public void iImportContextFromOpenAPISpecification(String path)
    throws ClientApiException, InterruptedException {
  // Build the absolute URL of the OpenAPI document from the target under test
  String url = getTargetUrl() + path;
  log.info("Import Open API from url: " + url);
  // Ask the ZAP OpenAPI add-on to fetch and import the definition (no host override)
  zapProxyApi.openapi.importUrl(url, null);

  // Importing makes ZAP request every endpoint, so let the passive scanner drain
  // before checking that the target host is now present in the site tree
  waitPassiveScanRunning();
  verifyThatTheProxyHasCapturedHostInformation();
}

See the other steps in: https://github.com/osvaldjr/easy-cucumber/blob/master/src/main/java/io/github/osvaldjr/stepdefinitions/steps/SecuritySteps.java
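Both answers above come down to the same workflow: hand ZAP an API definition so it learns the POST/JSON endpoints (such as the token controller in the question) that spidering never finds, let the passive scanner drain, run the active scan, drop alerts matching an ignore list, and fail on per-risk thresholds. The Python below is an added example, not code from either answer nor from the easy-cucumber project. It implements the "I remove alerts" and "number of risks per category" gate from the Cucumber scenario over a constructed alert list, plus a live driver for the python-owasp-zap-v2.4 client; the driver assumes that client is installed and that ZAP is listening at http://127.0.0.1:8080 with its API enabled. The alert names, URLs, and counts in the sample are constructed.

```python
import re
import sys
import time

RISK_LEVELS = ("High", "Medium", "Low", "Informational")

# Constructed sample, shaped like entries from ZAP's core/view/alerts endpoint
# (only the fields used here are included; real alerts carry many more keys).
SAMPLE_ALERTS = [
    {"risk": "Medium", "alert": "X-Frame-Options Header Not Set",
     "method": "GET", "url": "http://localhost:8080/api/pokemon"},
    {"risk": "Low", "alert": "X-Content-Type-Options Header Missing",
     "method": "POST", "url": "http://localhost:8080/api/token"},
    {"risk": "Informational", "alert": "Information Disclosure - Suspicious Comments",
     "method": "POST", "url": "http://localhost:8080/api/token"},
    # Finding on the spec document itself; the scenario's "I remove alerts" step drops these.
    {"risk": "Low", "alert": "X-Content-Type-Options Header Missing",
     "method": "GET", "url": "http://localhost:8080/v2/api-docs"},
]

# Regexes applied with re.search, matching the "url" column of the Cucumber table.
IGNORE_URL_PATTERNS = [r"http://.*/v2/api-docs"]

# Same shape as the "number of risks per category" table in the scenario.
ZERO_TOLERANCE = {"High": 0, "Medium": 0, "Low": 0, "Informational": 0}


def filter_alerts(alerts, ignore_url_patterns):
    """Drop alerts whose URL matches any ignore regex."""
    ignore = [re.compile(p) for p in ignore_url_patterns]
    return [a for a in alerts if not any(rx.search(a["url"]) for rx in ignore)]


def count_by_risk(alerts):
    """Count alerts per ZAP risk level; an unknown risk string is an error, not silently dropped."""
    counts = dict.fromkeys(RISK_LEVELS, 0)
    for alert in alerts:
        if alert["risk"] not in counts:
            raise ValueError("unexpected risk level: %r" % alert["risk"])
        counts[alert["risk"]] += 1
    return counts


def violations(counts, thresholds):
    """Return {level: (actual, allowed)} for every level above its threshold."""
    return {lvl: (counts.get(lvl, 0), limit)
            for lvl, limit in thresholds.items() if counts.get(lvl, 0) > limit}


def gate(alerts, ignore_url_patterns, thresholds):
    """Apply the ignore list, then the thresholds; returns (counts, violations)."""
    counts = count_by_risk(filter_alerts(alerts, ignore_url_patterns))
    return counts, violations(counts, thresholds)


def run_zap_api_scan(target, spec_path="/v2/api-docs",
                     zap_address="http://127.0.0.1:8080", api_key=None):
    """Live driver (assumed environment: python-owasp-zap-v2.4 client, ZAP API at zap_address).
    Not exercised offline; the gate logic above is what the tests cover."""
    from zapv2 import ZAPv2  # imported here so the module stays importable without ZAP

    zap = ZAPv2(apikey=api_key, proxies={"http": zap_address, "https": zap_address})
    # Importing the definition is what teaches ZAP the POST/JSON endpoints that a
    # spider never reaches, because no page links to them.
    zap.openapi.import_url(target + spec_path)
    while int(zap.pscan.records_to_scan) > 0:   # let the passive scanner drain
        time.sleep(1)
    scan_id = zap.ascan.scan(target)              # active-scan every node under target
    while int(zap.ascan.status(scan_id)) < 100:
        time.sleep(5)
    return zap.core.alerts(baseurl=target)


if __name__ == "__main__":
    target_url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"
    totals, over = gate(run_zap_api_scan(target_url), IGNORE_URL_PATTERNS, ZERO_TOLERANCE)
    print("alerts per risk:", totals)
    for level, (actual, allowed) in over.items():
        print("FAIL %s: %d found, %d allowed" % (level, actual, allowed))
    sys.exit(1 if over else 0)
```

Run it as `python zap_gate.py http://localhost:8080` against an application that serves its OpenAPI document at /v2/api-docs; a non-zero exit is what a CI job keys on. The ignore list is deliberately regex-based, like the Cucumber step, so that a pattern such as the table's `http://.*/v2/api-docs*` can be reused unchanged.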