API testing/scanning, which does not have any endpoint definitions


Orsolya Kerner

Jan 25, 2021, 2:54:40 AM1/25/21
to OWASP ZAP User Group
Happy Monday Everyone,

I have a REST API which does not have any endpoint definitions like Swagger, and I cannot create the list of endpoints because there are some complicated endpoints (for example with authentication etc...), so I could not describe them in a simple text file.

I would like to scan/test this API in the gitlab CI/CD.

Which is the best practice for it?

Thank you,
Orsolya

eri...@augment1security.com

Jan 25, 2021, 3:15:05 AM1/25/21
to OWASP ZAP User Group
Hi Orsolya,

May I suggest manual exploration using Postman for those undocumented API endpoints? - https://augment1security.com/api-scanning/how-to-proxy-postman-via-zap-manual-api-exploring/

and after the endpoints have been listed in the site tree, you can then export them as described here - https://www.zaproxy.org/docs/desktop/ui/tlmenu/report/ under the "Export URLs for Context" section, for later import into ZAP during the CI/CD process.

Best Regards,
Eric W.
Blog: https://augment1security.com/blog/
Twitter: @aug1sec
Facebook: https://www.facebook.com/aug1sec


Orsolya Kerner

Jan 25, 2021, 3:41:04 AM1/25/21
to OWASP ZAP User Group
Hi Eric,

Thank you for your answer. 

I tried it, and the manual exploration by Postman worked for me and I could export the URLs for Context from the ZAP desktop UI, but the text file includes only the URLs and not the other parameters (for example the authentication header etc., and the authentication header is not necessary for all requests, only for some), so if I import it into ZAP during CI/CD it will probably not work properly.

Best Regards,
Orsolya

Simon Bennetts

Jan 25, 2021, 4:26:08 AM1/25/21
to OWASP ZAP User Group
You can inject the authentication header into the requests in various ways, assuming that you have a way to generate a valid one.
Does it matter if it's used with all requests, or does it have to be absent from some?
Do you have any regression tests that drive the API? If so, can you proxy those via ZAP?

Cheers,

Simon

Orsolya Kerner

Jan 25, 2021, 5:08:18 AM1/25/21
to OWASP ZAP User Group
Hi Simon,

Thank you. Yes, I know some ways to inject the authentication header into requests, but I could use it for only some requests.
Unfortunately there are no regression tests for the API, but this is a good idea to collect the URLs via the ZAP proxy.

Thanks,
Orsolya
