What is the difference between scanning a web app vs an API?


Denis Putnam

Apr 28, 2023, 3:02:46 PM
to OWASP ZAP User Group
I am looking at ZAP API PYTHON and I am confused as to how this differs from running a spider and ascan for a Web App.  Can someone give me a high level explanation of the difference and why I need the openAPI and soap plugins?

What is in the .json files for the examples given in Exploring APIs with ZAP and why are they needed?  Are there any tutorials on these .json files and what needs to be defined in them?

# Python 3 form of the snippet from "Exploring APIs with ZAP", using the
# python-owasp-zap-v2.4 client; the apikey must match the key configured in ZAP.
from zapv2 import ZAPv2

zap = ZAPv2(apikey='<your ZAP API key>')

# Import an OpenAPI definition from a local file or from a URL
print(zap._request(
  zap.base + 'openapi/action/importFile/',
  {'file': '/home/user/openapi.json'}))

print(zap._request(
  zap.base + 'openapi/action/importUrl/',
  {'url': 'https://localhost/openapi.json'}))

# Import a SOAP (WSDL) definition from a local file or from a URL
print(zap._request(
  zap.base + 'soap/action/importFile/',
  {'file': '/home/user/soap.xml'}))

print(zap._request(
  zap.base + 'soap/action/importUrl/',
  {'url': 'https://localhost/soap.xml'}))

Simon Bennetts

May 2, 2023, 6:24:00 AM
to OWASP ZAP User Group
One of the big problems with scanning web apps (including APIs) is how to explore them.
If you can't explore an app effectively then you cannot attack it effectively.

If you have a web app designed for humans to use then the best option is to use a human to explore it, manually.
Obviously that's not good for automation, so we provide the 2 spiders:
  • The traditional spider is fast but does not understand JavaScript so is not so good for 'modern' web apps
  • The AJAX spider launches browsers which handle JavaScript but is slower than the traditional spider.
However if you have a web app which is designed for other services (i.e. APIs) rather than humans then the spiders are typically not so useful.
APIs do not typically provide a UI that humans or the spiders can use to explore them.
Instead APIs are typically defined using definitions like:
  • OpenAPI
  • SOAP
  • GraphQL
If you have these definitions then you can import them into ZAP as a much more effective way of exploring your API.

Does that make sense?

Cheers,

Simon

Denis Putnam

May 4, 2023, 3:36:02 PM
to OWASP ZAP User Group
Thank you Simon,

So how do I construct the API definitions?  We use POSTMAN.  If I export a collection, can that be used as an OpenAPI target api definition?  If not, can you guide me on what needs to be in the .json file?

Sincerely,
Denis

Simon Bennetts

May 5, 2023, 4:57:01 AM
to OWASP ZAP User Group
Hi Denis,

I believe Postman can export API definitions, but I haven't actually used it.
I suggest checking their docs :)

Cheers,

Simon

Denis Putnam

May 12, 2023, 2:17:27 PM
to OWASP ZAP User Group
I figured out how to create an openapi target file from POSTMAN.
1. Export your collection in POSTMAN, by clicking on the "..." on the collection.  This produces a json file, but it is not in the correct format.
2. Got to https://www.workversatile.com/postman-to-swagger and copy/paste the code from exported collection .json file and convert it to yaml. Convert postman collection to yaml.

I am not sure but I believe you can use the .yaml as the -t switch, otherwise use the json file from step 3.
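As an added example (not code from this thread, from Simon, or from the ZAP project), here is what a minimal OpenAPI 3 definition of the kind Simon describes actually has to contain for an importer to generate requests from it, covering both Denis's question about what goes in the .json file and the export/convert procedure above. The orders API, its endpoints and the check_importable rules are constructed for illustration; only the ZAPv2, openapi.import_file and ascan.scan calls in import_and_scan are the python-owasp-zap-v2.4 client's own, and that function needs a running ZAP so the offline checks do not call it.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample: a small OpenAPI 3 document for a hypothetical two-endpoint
# orders API. Nothing about it comes from the thread or from ZAP.
SAMPLE_OPENAPI = {
    "openapi": "3.0.3",
    "info": {"title": "Example orders API", "version": "1.0.0"},
    "servers": [{"url": "https://localhost:8443/api/v1"}],
    "paths": {
        "/orders": {
            "get": {
                "parameters": [{"name": "status", "in": "query",
                                "schema": {"type": "string"}}],
                "responses": {"200": {"description": "ok"}},
            },
            "post": {
                "requestBody": {"required": True, "content": {"application/json": {
                    "schema": {"type": "object",
                               "properties": {"sku": {"type": "string"},
                                              "qty": {"type": "integer"}}}}}},
                "responses": {"201": {"description": "created"}},
            },
        },
        "/orders/{orderId}": {
            "get": {
                "parameters": [{"name": "orderId", "in": "path", "required": True,
                                "schema": {"type": "integer"}}],
                "responses": {"200": {"description": "ok"}},
            },
        },
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def list_operations(spec):
    """Return (METHOD, absolute URL template, parameter names) per operation.

    These are the requests an importer derives from the definition; with a
    definition in hand there is nothing left to discover by spidering."""
    servers = spec.get("servers") or [{}]
    base = servers[0].get("url", "")
    ops = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])  # parameters declared for every method
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            names = [p["name"] for p in shared + op.get("parameters", [])]
            ops.append((method.upper(), base + path, names))
    return ops


def check_importable(spec):
    """Return problems that would leave the scanner with nothing usable.

    These checks are this example's own; ZAP's importer does its own validation."""
    problems = []
    if not str(spec.get("openapi", "")).startswith("3."):
        problems.append("missing 'openapi: 3.x' version field")
    servers = spec.get("servers") or [{}]
    if not urlsplit(servers[0].get("url", "")).netloc:
        problems.append("no absolute server URL, so the target host is unknown")
    ops = list_operations(spec)
    if not ops:
        problems.append("no paths/operations, so no requests can be generated")
    for method, url, names in ops:
        # a {placeholder} in the path with no declared parameter cannot be filled in
        for placeholder in re.findall(r"\{(\w+)\}", url):
            if placeholder not in names:
                problems.append(f"{method} {url}: path parameter '{placeholder}' is not declared")
    return problems


def write_definition(spec, filename):
    """Serialise the definition to the JSON file that will be imported."""
    with open(filename, "w", encoding="utf-8") as fh:
        json.dump(spec, fh, indent=2)
    return filename


def import_and_scan(filename, target, apikey):
    """Import the file into a running ZAP and active-scan the generated requests.

    Requires ZAP listening on the client's default address (127.0.0.1:8080)."""
    from zapv2 import ZAPv2  # pip install python-owasp-zap-v2.4
    zap = ZAPv2(apikey=apikey)
    print("import:", zap.openapi.import_file(filename))
    scan_id = zap.ascan.scan(target, recurse=True)
    print("active scan id:", scan_id)
    return scan_id


if __name__ == "__main__":
    print(*list_operations(SAMPLE_OPENAPI), sep="\n")
    print("problems:", check_importable(SAMPLE_OPENAPI) or "none")
```

Run the file as-is to see the three requests the definition yields and confirm it passes the checks; to try the import, call write_definition(SAMPLE_OPENAPI, "openapi.json") and then import_and_scan("openapi.json", SAMPLE_OPENAPI["servers"][0]["url"], "<your ZAP API key>") with ZAP running. The same write_definition/import path applies to the YAML or JSON produced from a Postman export in step 2 above, since the importer only needs the servers and paths sections to be present and absolute.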

Denis Putnam

May 12, 2023, 2:20:14 PM
to OWASP ZAP User Group
I see I misspelled things.  Got should be Go.