Scanning APIs with ZAP-API-Scan (Post Requests in Swagger UI)


apps...@gmail.com

Feb 9, 2018, 3:54:32 PM
to OWASP ZAP Developer Group
Hi everyone,

In a given scenario, how does zap-api-scan.py handle HTTP POST requests in Swagger UI fields? If a POST body is needed to make a valid API call, how can zap-api-scan.py successfully perform security tests while at the same time making API calls that work?

I've set my swagger URLs as the target for API scans, but requests that require a POST body aren't working correctly because zap-api-scan doesn't know the information to input. One method to accomplish this is to import the JSON definition file, but is that the only way currently? I'd like to have a way for posts to work with Swagger. 

The ZAP tool I'm referencing is linked below. The use of HTTP Headers was addressed in the configuration files, but I couldn't find anything on configuring POST bodies. Please let me know if I'll have to use the original ZAP OWASP tool for this instead.



Thank you.

psiinon

Feb 12, 2018, 6:45:03 AM
to OWASP ZAP Developer Group
This is covered (briefly;) in the Open API Help file: https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsOpenapiOpenapi#user-specified-values
The (optional) Form Handler add-on is described in more detail here: https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsFormhandlerFormHandlerHelp
It doesn't support the API but it does allow values to be specified via the configuration file.
I'd recommend playing around with this using the UI and then converting that configuration once you have got it working.

Cheers,

Simon
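One way to hand those values to zap-api-scan.py, as an added example that is not code from the thread or from the ZAP project: it builds the -z option string from the Form Handler add-on's formhandler.fields.field(N).* keys (request/form parameter values) and the Replacer add-on's replacer.full_list(N).* keys (request headers). The spec URL, field values, header value and Docker image are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ZAP project: turn the
# values zap-api-scan.py cannot guess into the -z options it passes to ZAP.
# Assumed: formhandler.fields.field(N).* fills named parameters, and
# replacer.full_list(N).* sets request headers; URL, values and image are made up.

# form_fields NAME=VALUE ... -> Form Handler config options, one field per index.
form_fields() {
  i=0; out=""
  for kv in "$@"; do
    name=${kv%%=*}; value=${kv#*=}
    out="$out -config formhandler.fields.field($i).fieldId=$name"
    out="$out -config formhandler.fields.field($i).value=$value"
    out="$out -config formhandler.fields.field($i).enabled=true"
    i=$((i + 1))
  done
  printf '%s' "${out# }"
}

# header_rules NAME=VALUE ... -> Replacer rules that set a request header.
# Keep values free of whitespace: the -z string is split on spaces.
header_rules() {
  i=0; out=""
  for kv in "$@"; do
    name=${kv%%=*}; value=${kv#*=}
    out="$out -config replacer.full_list($i).description=$name"
    out="$out -config replacer.full_list($i).enabled=true"
    out="$out -config replacer.full_list($i).matchtype=REQ_HEADER"
    out="$out -config replacer.full_list($i).matchstr=$name"
    out="$out -config replacer.full_list($i).regex=false"
    out="$out -config replacer.full_list($i).replacement=$value"
    i=$((i + 1))
  done
  printf '%s' "${out# }"
}

# scan_command SPEC_URL -> the docker invocation as a string (printed, not executed).
scan_command() {
  opts="$(form_fields userId=42 email=qa@example.test) $(header_rules X-Api-Key=PLACEHOLDER_KEY)"
  printf 'docker run --rm -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py -t %s -f openapi -z "%s"\n' "$1" "$opts"
}

# Run with --run to execute the scan; without it the command is only shown.
if [ "${1:-}" = "--run" ]; then
  eval "$(scan_command https://api.example.test/openapi.json)"
else
  scan_command https://api.example.test/openapi.json
fi
```

The generated options are the same ones you would get by setting the fields in the Form Handler and Replacer UI dialogs and then copying them out of ZAP's config, which is the UI-first route Simon suggests.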

user777

Feb 19, 2020, 12:18:17 AM
to OWASP ZAP Developer Group
Hi Simon,

Where can we pass the value for query params?
I didn't find any option in ZAP UI tool. Can you please let me know?


Another question: the Python scripts to run the API scan are available in the docker image; is there any other link where I can find the Python scripts for scanning APIs?

Thanks

psiinon

Feb 19, 2020, 4:16:21 AM
to OWASP ZAP Developer Group
Can you explain what you're looking for in a bit more detail?

Re the existing python scripts, they are all available here: https://github.com/zaproxy/zaproxy/tree/develop/docker

user777

Feb 19, 2020, 4:56:53 AM
to OWASP ZAP Developer Group
Thanks for your reply Simon.

I am trying to automate the API scan through OpenAPI - ZAP in a Java-based framework.
I got some clue here - https://zaproxy.blogspot.com/2017/04/exploring-apis-with-zap.html to use the ZAPAPI client.

I am able to use the ClientApi -> callApi("openapi", "action", "importFile", map) method, but I need to change headers, pass values for query params/path params and headers, and set the payload body as well for POST/PATCH requests.
After that I need to run active/passive scans.

Can you please let me know on this?

Thanks.