I'm curious as to how ZAP can be used to test REST APIs in the context of API security. Is it just the OpenAPI add-on that can be used, or are there other (more effective) methods?
2 Answers
There's a ZAP FAQ for that :) https://www.zaproxy.org/faq/how-can-you-use-zap-to-scan-apis/ :
ZAP understands API formats like JSON and XML and so can be used to scan APIs.
The problem is usually how to effectively explore the APIs.
There are various options:
- If your API has an OpenAPI/Swagger definition then you can import it using the OpenAPI add-on.
- If you have a list of endpoint URLs then you can import these using the Import files containing URLs add-on.
- If you have regression tests for your API then you can proxy these through ZAP.
The add-ons are available from the ZAP Marketplace.
Once ZAP knows about the URL endpoints it can scan them in the same way as it scans HTML based web sites.
If you don't have any of these things then post to the ZAP User Group explaining what you are trying to do and the problems you are having.
For more details see the blog post Scanning APIs with ZAP.

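Bridging the first two options above (an added example, not ZAP's own code or anything from the FAQ): it walks a constructed OpenAPI 3 document, substitutes example values for path and query parameters, and produces the one-URL-per-line list that the "Import files containing URLs" add-on reads. It generalises the manual "list of endpoint URLs" case to any spec; the server URL and parameter names are made up.

```python
from urllib.parse import quote

# Constructed OpenAPI 3 fragment standing in for a real API definition.
SAMPLE_SPEC = {
    "openapi": "3.0.0",
    "servers": [{"url": "https://api.example.test/v1"}],
    "paths": {
        "/users/{userId}": {
            "parameters": [{"name": "userId", "in": "path",
                            "schema": {"type": "integer", "example": 42}}],
            "get": {}, "delete": {},
        },
        "/users/{userId}/orders": {"get": {"parameters": [
            {"name": "userId", "in": "path", "schema": {"type": "string"}},
            {"name": "status", "in": "query",
             "schema": {"type": "string", "enum": ["open", "closed"]}},
        ]}},
        "/health": {"get": {}},
    },
}
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

def example_value(param):
    """Concrete value for a parameter: explicit example, first enum entry, or a type default."""
    schema = param.get("schema", {})
    for source in (param, schema):
        if "example" in source:
            return str(source["example"])
    if schema.get("enum"):
        return str(schema["enum"][0])
    return {"integer": "1", "number": "1", "boolean": "true"}.get(schema.get("type"), "test")

def endpoint_urls(spec):
    """Expand every path/operation into a concrete URL. Path-level parameters apply to all
    operations. The URL file carries no HTTP method, so GET/DELETE on one path collapse
    into a single line and ZAP will fetch it with GET."""
    base = spec["servers"][0]["url"].rstrip("/")
    urls = set()
    for path, item in spec["paths"].items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skips "parameters", "summary" and other non-operation keys
            url, query = path, []
            for p in item.get("parameters", []) + (op or {}).get("parameters", []):
                if p.get("in") == "path":
                    url = url.replace("{%s}" % p["name"], quote(example_value(p), safe=""))
                elif p.get("in") == "query":
                    query.append("%s=%s" % (p["name"], quote(example_value(p), safe="")))
            urls.add(base + url + ("?" + "&".join(query) if query else ""))
    return sorted(urls)
```

Write the returned list to a text file, one URL per line, and import that file with the add-on; non-GET operations still need the OpenAPI import or proxied tests to reach ZAP.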
I have been following the steps in the FAQ but the OpenApi fails to parse the URL. Any idea why this is happening? – vuln3x Jun 18 '20 at 12:50
Also a good idea is using the Fuzzer from OWASP ZAP.
Fuzzing allows you to trigger unexpected behaviour from the API server by submitting malformed requests and malformed parameters, and by guessing unpublished API methods.
You can read what fuzzing is here: https://owasp.org/www-community/Fuzzing
It will allow you to fuzz a URL string or a single parameter.
To start fuzzer you will need to:
- Right click on the request -> Attack -> Fuzz...
- Highlight the parameter you want to use and click the "Add" button
- Click Add in the new payloads window, choose the appropriate option and click "Add Payload"
I would recommend choosing the "file fuzzers" option at step 3 and one of the pre-defined wordlists, or exporting your own. You can use SecLists to find a bunch of fuzzing wordlists. Here is the set of wordlists designed for API fuzzing: https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content/api
Furthermore, OWASP ZAP allows you to perform manual API testing if you know the methodology. Here you can find some links related to REST security:
https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
https://cheatsheetseries.owasp.org/cheatsheets/REST_Assessment_Cheat_Sheet.html
