ZAP API Scan for service with authorization


Valeriia

May 24, 2019, 6:44:14 AM
to OWASP ZAP User Group
Hi, I am a ZAP newbie.

I tried using the ZAP API Scanner for our API services, which are protected by authorization.

However, even when I don't pass any authentication properties to ZAP API Scan, it passes without any issues.
In fact, it is impossible for the scanner to access these endpoints, but it seems that this doesn't affect the test results (trying to access an endpoint without a token leads to a 401; the ZAP UI tool fails the active scan due to access problems, as expected).

I use a swagger.yml file as the specification for the services and the default configuration file with warning level for the rules.

docker run -v ${pwd}:/zap/wrk/:rw -t owasp/zap2docker-weekly zap-api-scan.py -t swagger.yml -f openapi -c zap-active-config.file

More interesting: even if I change the host parameter in the swagger file to some nonexistent one like "blahblah.com", the ZAP API Scanner still shows a 100% passing rate for it, even though such an endpoint doesn't exist.

Is that expected behavior for the ZAP API Scanner? What am I doing wrong? How can I get the same error as I get in the ZAP UI tool when no authorization parameters are specified?


Peter Hauschulz

May 24, 2019, 7:08:28 AM
to OWASP ZAP User Group
Hello!

How are you measuring 'passing rate' exactly?

And what do you mean the ZAP UI 'fails' the active scan? 


Valeriia

May 27, 2019, 6:43:58 AM
to OWASP ZAP User Group
Hi,
 
By passing rate, I mean the percentage of rules passing. So a 100% passing rate is when all 71 rules passed and no issues were found, and I see that in my console:

PASS: Directory Browsing [0]
PASS: Cookie No HttpOnly Flag [10010]
PASS: Cookie Without Secure Flag [10011]
PASS: Incomplete or No Cache-control and Pragma HTTP Header Set [10015]
PASS: Web Browser XSS Protection Not Enabled [10016]
PASS: Cross-Domain JavaScript Source File Inclusion [10017]
PASS: Content-Type Header Missing [10019]
PASS: X-Frame-Options Header Scanner [10020]
PASS: X-Content-Type-Options Header Missing [10021]
PASS: Information Disclosure - Debug Error Messages [10023]
PASS: Information Disclosure - Sensitive Information in URL [10024]
PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]
PASS: HTTP Parameter Override [10026]
PASS: Information Disclosure - Suspicious Comments [10027]
PASS: Viewstate Scanner [10032]
PASS: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037]
PASS: Secure Pages Include Mixed Content [10040]
PASS: Source Code Disclosure - /WEB-INF folder [10045]
PASS: Remote Code Execution - Shell Shock [10048]
PASS: Cookie Without SameSite Attribute [10054]
PASS: CSP Scanner [10055]
PASS: X-Debug-Token Information Leak [10056]
PASS: Username Hash Found [10057]
PASS: X-AspNet-Version Response Header Scanner [10061]
PASS: Backup File Disclosure [10095]
PASS: Timestamp Disclosure [10096]
PASS: Cross-Domain Misconfiguration [10098]
PASS: Weak Authentication Method [10105]
PASS: Absence of Anti-CSRF Tokens [10202]
PASS: Private IP Disclosure [2]
PASS: Anti CSRF Tokens Scanner [20012]
PASS: HTTP Parameter Pollution scanner [20014]
PASS: Heartbleed OpenSSL Vulnerability [20015]
PASS: Cross-Domain Misconfiguration [20016]
PASS: Source Code Disclosure - CVE-2012-1823 [20017]
PASS: Remote Code Execution - CVE-2012-1823 [20018]
PASS: External Redirect [20019]
PASS: Session ID in URL Rewrite [3]
PASS: Buffer Overflow [30001]
PASS: Format String Error [30002]
PASS: Integer Overflow Error [30003]
PASS: CRLF Injection [40003]
PASS: Parameter Tampering [40008]
PASS: Server Side Include [40009]
PASS: Cross Site Scripting (Reflected) [40012]
PASS: Session Fixation [40013]
PASS: Cross Site Scripting (Persistent) [40014]
PASS: Cross Site Scripting (Persistent) - Prime [40016]
PASS: Cross Site Scripting (Persistent) - Spider [40017]
PASS: SQL Injection [40018]
PASS: SQL Injection - MySQL [40019]
PASS: SQL Injection - Hypersonic SQL [40020]
PASS: SQL Injection - Oracle [40021]
PASS: SQL Injection - PostgreSQL [40022]
PASS: Possible Username Enumeration [40023]
PASS: Source Code Disclosure - SVN [42]
PASS: Script Active Scan Rules [50000]
PASS: Script Passive Scan Rules [50001]
PASS: Path Traversal [6]
PASS: Remote File Inclusion [7]
PASS: Insecure JSF ViewState [90001]
PASS: Charset Mismatch [90011]
PASS: Server Side Code Injection [90019]
PASS: Remote OS Command Injection [90020]
PASS: XPath Injection [90021]
PASS: Application Error Disclosure [90022]
PASS: XML External Entity Attack [90023]
PASS: Generic Padding Oracle [90024]
PASS: Expression Language Injection [90025]
PASS: Insecure HTTP Method [90028]
PASS: Loosely Scoped Cookie [90033]
FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 0 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 71

By "ZAP UI fails" I mean that when I paste the URL of a protected endpoint, I see this message below:


[attachment: ZAP UI.png]



Peter Hauschulz

May 27, 2019, 7:18:33 AM
to OWASP ZAP User Group
Okay, interesting!

Maybe someone who uses the Docker setup more frequently will chime in, but my guess is that it is 'passing' because ZAP is receiving the same 401 page for every one of those tests. (or 404 for when you direct it to a nonexistent endpoint)

The quick scan in the UI will try to spider first, and probably has some kind of 'auto-abort' when it sees that its very first request hits a 401 and therefore can't continue. 


So it does look like they have different default responses and/or handling of an unauthorized endpoint, but zap-api-scan.py is also a very different scan than a Quick Start from the UI. (which is meant for a site URL containing links and resources in the response body)
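Peter's explanation above (every rule "passes" because every request gets the same 401 or 404 page) suggests a gate that zap-api-scan.py does not have but the UI effectively does: before scanning, request each operation in the spec once with the real credentials and refuse to proceed if nothing but 401/403/404 (or no HTTP reply at all, as with a nonexistent host) comes back. The following pre-flight script is an added example; it is not part of this thread or of ZAP. The spec fragment, the host `api.example.invalid`, the `preflight`/`spec_operations` names and the placeholder bearer token are all constructed for the example.

```python
"""Pre-flight reachability check for an OpenAPI/Swagger scan target.

Added example, not ZAP code. Every operation in the spec is requested once
with the credentials the scan will use; the run is refused unless at least
one operation answers with something other than 401/403/404. An all-401 or
all-404 run would otherwise let every scan rule "pass" against an error page.
"""
import json
import urllib.request
from urllib.error import HTTPError, URLError

# Constructed Swagger 2.0 fragment standing in for the reader's swagger.json.
# The host is a placeholder; the thread does not show the real service.
SAMPLE_SPEC = json.dumps({
    "swagger": "2.0",
    "host": "api.example.invalid",
    "basePath": "/v1",
    "schemes": ["https"],
    "paths": {
        "/users": {"get": {}, "post": {}},
        "/users/{id}": {"get": {}},
    },
})

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch")
UNREACHABLE = {401, 403, 404}


def spec_operations(spec_text):
    """Return (METHOD, url) pairs for every operation in a Swagger 2.0 spec."""
    spec = json.loads(spec_text)
    scheme = (spec.get("schemes") or ["https"])[0]
    base = f"{scheme}://{spec['host']}{spec.get('basePath', '')}"
    ops = []
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            if method in item:
                ops.append((method.upper(), base + path))
    return ops


def urllib_transport(method, url, headers):
    """Real transport: the HTTP status code, or None when no HTTP reply arrived."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except HTTPError as err:
        return err.code          # 401, 404, 500 ... still an HTTP reply
    except URLError:
        return None              # DNS failure, refused connection, TLS error


def preflight(spec_text, headers, transport=urllib_transport):
    """Decide whether a scan of this spec would exercise the API at all.

    Returns {'statuses': {op: status}, 'proceed': bool}. 'proceed' is True
    only if some operation answered with a status outside UNREACHABLE.
    Path parameters such as {id} are left unresolved, so a 404 on a templated
    path is expected and simply does not count as evidence of reachability.
    The transport is injectable so the check can be unit-tested offline.
    """
    results = {}
    for method, url in spec_operations(spec_text):
        results[f"{method} {url}"] = transport(method, url, headers)
    reachable = [s for s in results.values()
                 if s is not None and s not in UNREACHABLE]
    return {"statuses": results, "proceed": bool(reachable)}


if __name__ == "__main__":
    # Placeholder token; a real one would come from the environment, not source.
    verdict = preflight(SAMPLE_SPEC, {"Authorization": "Bearer <placeholder>"})
    print(json.dumps(verdict, indent=2))
    raise SystemExit(0 if verdict["proceed"] else 1)
```

Run it in the CI job immediately before the `docker run ... zap-api-scan.py` step and make the scan step conditional on its exit code; with the placeholder host above it exits 1 because no HTTP reply ever arrives, which is exactly the "blahblah.com" case from the first post.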

Sudhindra G

Jun 1, 2019, 9:05:38 AM
to OWASP ZAP User Group
Hi - I think you need to use the swagger.json format to run the ZAP API scan. Please check whether you are getting an exception like the one below when you run with swagger.yaml:

Number of Imported URLs: 0
Failed to import any URLs
Traceback (most recent call last):
  File "/zap/zap-api-scan.py", line 397, in main
    raise NoUrlsException()
NoUrlsException

Cheers,
S
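The two console excerpts in this thread are the signals a CI job can actually check: the import failure quoted just above ("Number of Imported URLs: 0" followed by NoUrlsException) and the summary line from Valeriia's post ("FAIL-NEW: 0 ... PASS: 71"). The script below is an added example, not part of the thread or of ZAP; it parses a saved console transcript into a verdict and only calls a clean pass "trusted" when the transcript also shows that some URLs were imported. The two transcripts are constructed from the posts, and the assumption that a successful run prints its "Number of Imported URLs" count at the log level you run with is labelled in the code.

```python
"""Turn zap-api-scan.py console output into a CI verdict.

Added example, not ZAP code. Parses the summary line and the URL-import
count that appear in this thread's posts. A 100% pass with no evidence that
any URL was imported is reported as untrusted, since that is the symptom the
thread describes (every rule passing against the same 401 page).
"""
import re

SUMMARY_RE = re.compile(
    r"FAIL-NEW:\s*(?P<fail_new>\d+)\s+FAIL-INPROG:\s*(?P<fail_inprog>\d+)\s+"
    r"WARN-NEW:\s*(?P<warn_new>\d+)\s+WARN-INPROG:\s*(?P<warn_inprog>\d+)\s+"
    r"INFO:\s*(?P<info>\d+)\s+IGNORE:\s*(?P<ignore>\d+)\s+PASS:\s*(?P<npass>\d+)"
)
# Assumption: the script prints this line on successful runs too (at the log
# level used); if it does not, 'imported' stays None and the pass is untrusted.
IMPORTED_RE = re.compile(r"Number of Imported URLs:\s*(\d+)")

# Constructed transcripts modelled on the two posts in the thread.
ALL_PASS_OUTPUT = """\
PASS: Directory Browsing [0]
PASS: SQL Injection [40018]
FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 0 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 71
"""

IMPORT_FAILED_OUTPUT = """\
Number of Imported URLs: 0
Failed to import any URLs
Traceback (most recent call last):
  File "/zap/zap-api-scan.py", line 397, in main
    raise NoUrlsException()
NoUrlsException
"""


def parse_summary(text):
    """Return the seven summary counters as ints, or None if no summary line."""
    m = SUMMARY_RE.search(text)
    if m is None:
        return None
    return {name: int(value) for name, value in m.groupdict().items()}


def imported_urls(text):
    """Return the imported-URL count, or None if the line is absent."""
    m = IMPORTED_RE.search(text)
    return int(m.group(1)) if m else None


def assess(text):
    """Classify one transcript.

    status: 'import-failed' nothing came out of the spec, nothing was scanned
            'failed'        at least one FAIL-NEW / FAIL-INPROG rule hit
            'warned'        no failures but WARN-NEW / WARN-INPROG rules hit
            'passed'        summary present, no fails or warns
            'unknown'       no summary line (crash, truncated log)
    trusted: True only for 'passed' with a positive imported-URL count.
    """
    imported = imported_urls(text)
    summary = parse_summary(text)
    if imported == 0 or "NoUrlsException" in text:
        status = "import-failed"
    elif summary is None:
        status = "unknown"
    elif summary["fail_new"] or summary["fail_inprog"]:
        status = "failed"
    elif summary["warn_new"] or summary["warn_inprog"]:
        status = "warned"
    else:
        status = "passed"
    trusted = status == "passed" and bool(imported)
    return {"status": status, "imported": imported,
            "summary": summary, "trusted": trusted}


if __name__ == "__main__":
    for label, transcript in (("all-pass", ALL_PASS_OUTPUT),
                              ("import-failed", IMPORT_FAILED_OUTPUT)):
        print(label, assess(transcript))
```

Pipe the scanner's output through `tee scan.log` and feed the file to `assess`; fail the job on anything other than a trusted pass, so an all-401 run or a spec that imported zero URLs cannot show up as green.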