Automated testing of REST API using ZAP weekly Docker image.


shinto cv

Jan 12, 2018, 1:11:09 AM1/12/18
to OWASP ZAP User Group
Hi,

I am trying to automate pentesting of a RESTful API. I followed this blog post by Simon Bennetts:

https://zaproxy.blogspot.in/2017/06/scanning-apis-with-zap.html.

I have written a Python script to do the testing. I have added the code at the end of this post.

I am able to run the test with it, but I am not getting the report. I checked the /zap/wrk directory in the container and the host directory I mount to /zap/wrk. The report is not there. What am I doing wrong?

Another thing: I am getting a number of errors like the following in the ZAP logs.

2012232 [ZAP-ActiveScanner-1] WARN org.parosproxy.paros.core.scanner.VariantJSONQuery  - Failed to parse the request body: Input is invalid JSON; does not start with '{' or '[', c=-1
java.lang.IllegalArgumentException: Input is invalid JSON; does not start with '{' or '[', c=-1
        at org.parosproxy.paros.core.scanner.VariantJSONQuery.parseObject(VariantJSONQuery.java:117)
        at org.parosproxy.paros.core.scanner.VariantJSONQuery.parseContent(VariantJSONQuery.java:61)
        at org.parosproxy.paros.core.scanner.VariantAbstractRPCQuery.setRequestContent(VariantAbstractRPCQuery.java:167)
        at org.parosproxy.paros.core.scanner.VariantAbstractRPCQuery.setMessage(VariantAbstractRPCQuery.java:51)
        at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(AbstractAppParamPlugin.java:161)
        at org.parosproxy.paros.core.scanner.AbstractPlugin.run(AbstractPlugin.java:338)
        at java.lang.Thread.run(Thread.java:748)

Anyone got any idea as to why this occurs?

Finally, I would like to add running this test to a Jenkins pipeline. I know there is a plugin available for ZAP in Jenkins. Can any plugin be used to run testing of RESTful APIs in Jenkins?
If not, I will have to rely on running this script asynchronously, since it is a long-running process. In that case, what would you suggest I do for notification (gmail / slack) in case of security alerts?

Thanks in advance.

""" Scans APIs for security vulnerabilities using OWASP ZAP """

import os
import sys

import docker
import requests

# Login endpoint of the account service. The script as posted did not
# define LOGIN_URL; the value below is a placeholder to be replaced.
LOGIN_URL = os.environ.get('LOGIN_URL', 'https://accounts.example.com/login')

# ZAP "replacer" rules that add an X-Jwt-Token header to every request
# the scanner sends (as in the blog post linked above). The token is
# appended to the empty "replacement=" entry at run time.
JWT_TOKEN_CONFIG = ' '.join([
    r'-config replacer.full_list\(0\).description=auth1',
    r'-config replacer.full_list\(0\).enabled=true',
    r'-config replacer.full_list\(0\).matchtype=REQ_HEADER',
    r'-config replacer.full_list\(0\).matchstr=X-Jwt-Token',
    r'-config replacer.full_list\(0\).regex=false',
    r'-config replacer.full_list\(0\).replacement=',
])

# Test account used to obtain the token. In practice keep real
# credentials out of the script (environment variables or a secret store).
USER_DETAILS = {
    "email": "som...@orgzn.com",
    "password": "somepwd"
}


def get_jwt_token():
    """ get jwt token from account service """

    resp = requests.post(LOGIN_URL, json=USER_DETAILS, timeout=30)
    resp.raise_for_status()
    jwt_token = resp.json()['data']['token']
    # The token is a bearer credential: do not print it into build logs.

    return jwt_token


def form_zap_command(openapi_spec_file):
    """ form the zap command to run, as an argv list """

    # A list (rather than one shell string) hands the -z value to
    # zap-api-scan.py as a single argument, so the replacer rules and the
    # token need no shell quoting or escaping.
    # File names given to zap-api-scan.py (-t, -r, -c) are relative to
    # /zap/wrk, the directory mounted from the host, so the HTML report
    # ends up as <spec_directory>/zap_report.html on the host.
    zap_command = [
        'zap-api-scan.py',
        '-t', openapi_spec_file,
        '-f', 'openapi',
        '-z', JWT_TOKEN_CONFIG + get_jwt_token(),
        '-r', 'zap_report.html',
        '-c', 'zap_config',  # rule config file; must exist in /zap/wrk
    ]

    return zap_command


def start_scan(openapi_spec_absolute_path):
    """ run zap-api-scan.py in the weekly ZAP image against the spec """

    spec_directory, spec_file = os.path.split(openapi_spec_absolute_path)

    zap_command = form_zap_command(spec_file)

    docklient = docker.from_env()

    container_run_parameters = {
        'image': 'owasp/zap2docker-weekly',
        'command': zap_command,
        'volumes': {
            spec_directory: {'bind': '/zap/wrk', 'mode': 'rw'}
        },
        'detach': True
    }

    container = docklient.containers.run(**container_run_parameters)

    return container


def wait_for_scan(container):
    """ stream the scan output and return the zap-api-scan.py exit code

    zap-api-scan.py exits 0 on pass, 1 on at least one FAIL, 2 on WARNs
    only and 3 on any other error, so the code can fail a CI stage.
    """

    # logs() called right after run() returns only what has been written
    # so far; stream=True follows the output until the container stops.
    for line in container.logs(stream=True):
        print(line.decode('utf-8', 'replace').rstrip())

    result = container.wait()
    # docker SDK >= 3 returns a dict, older versions the bare status code
    return result['StatusCode'] if isinstance(result, dict) else result


if __name__ == '__main__':
    if len(sys.argv) != 2:
        print('usage:')
        print('python pentest-api.py <absolute-path-to-openapi-spec-of-api>')
        sys.exit(1)

    openapi_spec_abs_path = sys.argv[1]
    container = start_scan(openapi_spec_abs_path)
    sys.exit(wait_for_scan(container))
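
The last two questions in the post above (gating a Jenkins job on the scan and getting a Slack or mail notification when alerts come back) need something beyond zap-api-scan.py itself. The following is an added example, not code from the post or from the ZAP project. It assumes the scan was also run with `-x zap_report.xml`, so that ZAP's XML report is in the mounted /zap/wrk directory, and it reads a Slack incoming-webhook URL from a SLACK_WEBHOOK_URL environment variable (an assumed name). The element names follow the layout of ZAP's XML report (`riskcode` 0 to 3 for Informational to High); the sample report, its alert names and plugin IDs, and the job name are constructed placeholders, not real findings.

```python
"""Gate a CI job on a ZAP XML report and build a Slack notification.

Added example, not code from the original post or the ZAP project.
Assumes `-x zap_report.xml` was passed to zap-api-scan.py and that
SLACK_WEBHOOK_URL (assumed name) holds a Slack incoming-webhook URL.
"""

import json
import os
import sys
import xml.etree.ElementTree as ET

# Risk codes as used in <riskcode> of ZAP's XML report.
RISK_NAMES = {0: 'Informational', 1: 'Low', 2: 'Medium', 3: 'High'}

# Constructed sample in the layout of a ZAP XML report. The alert names
# and plugin IDs are placeholders, not real ZAP findings.
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.7.0">
  <site name="https://api.example.test" host="api.example.test" port="443" ssl="true">
    <alerts>
      <alertitem>
        <pluginid>1</pluginid>
        <alert>Placeholder high-risk alert</alert>
        <riskcode>3</riskcode>
        <confidence>2</confidence>
        <instances>
          <instance><uri>https://api.example.test/accounts</uri><method>POST</method></instance>
          <instance><uri>https://api.example.test/accounts/1</uri><method>GET</method></instance>
        </instances>
      </alertitem>
      <alertitem>
        <pluginid>2</pluginid>
        <alert>Placeholder low-risk alert</alert>
        <riskcode>1</riskcode>
        <confidence>3</confidence>
        <instances>
          <instance><uri>https://api.example.test/</uri><method>GET</method></instance>
        </instances>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""


def parse_alerts(report_xml):
    """Return one dict per <alertitem>: name, plugin id, risk code, instances."""
    root = ET.fromstring(report_xml)
    alerts = []
    for item in root.iter('alertitem'):
        alerts.append({
            'name': item.findtext('alert', default=''),
            'plugin': item.findtext('pluginid', default=''),
            'risk': int(item.findtext('riskcode', default='0')),
            'instances': [(inst.findtext('method', default=''),
                           inst.findtext('uri', default=''))
                          for inst in item.iter('instance')],
        })
    return alerts


def summarise(alerts):
    """Count alerts per risk level, keyed by risk name."""
    counts = {name: 0 for name in RISK_NAMES.values()}
    for alert in alerts:
        counts[RISK_NAMES[alert['risk']]] += 1
    return counts


def should_fail(alerts, threshold=2):
    """True when any alert is at or above the threshold risk (default Medium)."""
    return any(a['risk'] >= threshold for a in alerts)


def slack_payload(alerts, job_name):
    """Build the JSON body for a Slack incoming webhook (no network call)."""
    counts = summarise(alerts)
    header = ', '.join('%s %d' % (n, counts[n])
                       for n in ('High', 'Medium', 'Low', 'Informational'))
    lines = ['ZAP API scan for %s: %s' % (job_name, header)]
    # Only Medium and above are listed individually to keep the message short.
    for a in sorted(alerts, key=lambda a: -a['risk']):
        if a['risk'] >= 2:
            lines.append('- [%s] %s (%d instance(s))'
                         % (RISK_NAMES[a['risk']], a['name'], len(a['instances'])))
    return {'text': '\n'.join(lines)}


def notify(payload):
    """POST the payload to Slack when a webhook is configured; else print it."""
    url = os.environ.get('SLACK_WEBHOOK_URL')
    if not url:
        print(json.dumps(payload, indent=2))
        return False
    import requests  # only needed when actually posting
    requests.post(url, json=payload, timeout=10).raise_for_status()
    return True


if __name__ == '__main__':
    # Usage: python zap_gate.py /path/to/zap_report.xml (no path: sample report)
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    found = parse_alerts(report)
    notify(slack_payload(found, 'accounts-api'))
    sys.exit(1 if should_fail(found) else 0)
```

In a pipeline, zap-api-scan.py's own exit status (0 pass, 1 at least one FAIL, 2 WARNs only, 3 any other error) is already enough to fail a stage; the parsed report is what gives the notification its body. Run the gate as a post-step after the container exits so the report file is complete.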

Stephen Hookings

Nov 20, 2018, 7:25:58 AM11/20/18
to OWASP ZAP User Group
I hit this issue. I am new to Docker, so I found I could pass in a local mount point as if it were /zap/wrk:

sudo docker run -v /home/shooking/Documents:/zap/wrk -t owasp/zap2docker-weekly zap-api-scan.py -t api-docs.json -f openapi

And then at least I could make progress.

It seems that if one gives a valid URL for the OpenAPI spec, there is at least no need to "look" for the file.
But if you give a file, it seems to want to find the file in /zap/wrk -- and since that lives in the Docker container, I figured why not put the file in MY location, and tell ZAP its location is really my location. Just like ln -s, "old school Unix".

If there is a better solution please let me know.

Regards
Steve H