automate scan for a REST API with HTTPS integration tests, without Swagger/OpenAPI/GraphQL


tapp...@yahoo.it

Mar 11, 2021, 4:26:28 AM3/11/21
to OWASP ZAP User Group
Hi there,

I am trying to automate a ZAP scan for a REST API that does not provide a Swagger, OpenAPI or GraphQL specification.
Ideally active scan, but passive scan fine as a starting point.

I have some Node.js JavaScript integration tests that are executed as a command and involve HTTPS requests to this REST API.

The closest I got to some automated process is via the command "proxychains" (sudo apt install proxychains4) to divert the HTTP traffic from these Node.js integration tests to the ZAP GUI.
I made sure I added "http 127.0.0.1 8080" (the host/port where the ZAP GUI is listening) to "/etc/proxychains.conf".
This is the command: "NODE_TLS_REJECT_UNAUTHORIZED='0' proxychains4 npm run my-integration-test"
However, the output I see in the Alert tab for the ZAP GUI should come from a command like the docker container instead.
I need to take the exit code of this hypothetical command like "echo $?" and make sure there are no errors - this way I can drive a CI (Continuous Integration) job to show red/green with logs.

I know the Continuous Integration automation can be done with the ZAP docker container, but that needs to see some Swagger, OpenAPI or GraphQL specification that I cannot provide.
When I invoke "docker run -t owasp/zap2docker-stable zap-baseline.py -t http://my_rest_api_without_open_api_config.org", then nothing shows up in the output.
The ZAP Full Scan here needs Swagger or OpenAPI: https://github.com/zaproxy/zaproxy/blob/main/docker/zap-full-scan.py

Is there a way to automate the process with the Node.js integration tests combining them to some sort of ZAP command line thing?
Either Docker or anything else that does not involve human interaction like the ZAP GUI.

I installed ZAP 2.9.0 via snap on Linux like this:

$ snap find zaproxy
Name     Version  Publisher  Notes    Summary
zaproxy  2.9.0    psiinon    classic  OWASP ZAP, a tool for finding vulnerabilities in web applications
$ snap install zaproxy --classic
zaproxy 2.9.0 from Simon Bennetts (psiinon) installed

Thank you

Simon Bennetts

Mar 11, 2021, 5:50:14 AM3/11/21
to OWASP ZAP User Group
Hiya,

First of all we only support the latest version of ZAP which is 2.10.0. Unfortunately we haven't been able to release a snap of this due to some technical problems we've encountered :(
However that doesn't really matter if you use the docker image, which is the option I suggest you take.

The packaged API scan is only if you have an OpenAPI, SOAP or GraphQL definition, which you don't have.
Instead you should use the full scan.
You will need to start ZAP on a specific port and make sure it can proxy traffic from outside of the docker container.
You should test this out before trying to use the full scan.
Once you have that working then you can run the full scan and specify the -D flag - set a value that is longer than your tests take.
ZAP will then try to spider your app (and probably not get very far) and then wait - this is when you run your unit tests proxying them through ZAP.
If you don't like the idea of just waiting then you could write a scan hook which can interact with your unit test harness in some way, eg via a URL interface or a shared file.

Does that all make sense?

Cheers,

Simon

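The "scan hook talking to the test harness via a shared file" idea from Simon's reply, worked through as an added example (this is not code from the thread, from ZAP, or from the ZAP docker scripts). It assumes: the ZAP docker image is run with the host working directory mounted at /zap/wrk (the documented -v "$(pwd):/zap/wrk:rw" convention) and with --hook pointing at this file; the hook entry point name zap_started(zap, target) is the one listed in the ZAP docker scan-hooks documentation, and that an exception raised from it propagates out of the scan script (assumed, not verified here); the zap argument is the python-owasp-zap-v2.4 client whose core.urls(baseurl=...) call is used at the end; and the host-side harness, after proxychains4 npm run my-integration-test finishes, writes its exit status into a file named tests-done in that directory (file name, environment variable names, timeout and flag contents are all hypothetical choices of this example). Waiting in zap_started, i.e. after ZAP is up but before the spider runs, means the proxied test requests are already in ZAP's site tree when the spider and active scan start, which is the point of proxying the tests at all.

```python
"""Hypothetical ZAP docker scan hook: block the scan until the Node.js
integration tests have finished proxying through ZAP.

Assumed setup (not from the original thread):
  - host working dir is mounted at /zap/wrk inside the ZAP container;
  - zap-full-scan.py is started with --hook=/zap/wrk/wait_for_tests_hook.py;
  - the host harness writes its exit status (e.g. "0") into
    /zap/wrk/tests-done once `proxychains4 npm run my-integration-test` ends.
"""
import os
import time

# Hypothetical names; override via environment if the harness uses others.
FLAG_FILE = os.environ.get("ZAP_TESTS_FLAG", "/zap/wrk/tests-done")
TIMEOUT_SECS = int(os.environ.get("ZAP_TESTS_TIMEOUT", "900"))
POLL_SECS = 2.0


def wait_for_flag(path, timeout, poll=POLL_SECS,
                  clock=time.monotonic, sleep=time.sleep):
    """Block until `path` exists or `timeout` seconds have elapsed.

    Returns the stripped file contents (the harness exit status as text),
    or None on timeout. `clock` and `sleep` are injectable so the wait can
    be exercised without real time passing.
    """
    deadline = clock() + timeout
    while not os.path.exists(path):
        if clock() >= deadline:
            return None
        sleep(poll)
    with open(path) as f:
        return f.read().strip()


def harness_succeeded(status_text):
    """True only when the harness reported exit status 0.

    A missing flag (None) or any non-zero status counts as failure, so a
    broken test run never silently turns into a 'clean' scan.
    """
    return status_text is not None and status_text == "0"


def zap_started(zap, target):
    """Hook entry point assumed to be called by zap-full-scan.py once ZAP is
    listening and before the spider runs (name taken from the ZAP docker
    scan-hooks documentation)."""
    status = wait_for_flag(FLAG_FILE, TIMEOUT_SECS)
    if status is None:
        # No flag at all: the tests most likely never reached ZAP. Failing
        # here is what turns the CI job red instead of scanning an empty tree.
        raise RuntimeError(
            f"no {FLAG_FILE} after {TIMEOUT_SECS}s; "
            "were the tests proxied through ZAP?")
    if not harness_succeeded(status):
        raise RuntimeError(
            f"test harness exited with status {status}; "
            "not scanning a target whose tests already fail")
    # Report what the proxied tests actually exercised: these URLs are what
    # the spider starts from and the active scan attacks.
    urls = zap.core.urls(baseurl=target)
    print(f"[hook] harness ok; {len(urls)} URL(s) under {target} "
          "recorded from proxied requests")
```

On the host side the harness only has to finish with something like `proxychains4 npm run my-integration-test; echo $? > tests-done` in the mounted directory; the hook turns a missing or non-zero status into an exception, and the scan script's own exit code then drives the red/green CI result the question asks for. The polling loop has no sleep-free spin and a hard deadline, so a harness that hangs cannot hang the scan container indefinitely.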
tapp...@yahoo.it

Mar 11, 2021, 11:14:03 AM3/11/21
to OWASP ZAP User Group
Hi Simon, thanks for that - quite close to what I am trying to achieve.

It makes sense however I am a bit lost in the details.

1. Am I correct assuming I should run the docker container for ZAP in detached mode as a standalone process that is listening to HTTP traffic that proxychains is intercepting from my Node.js process? Is this the -D flag? Is that flag a docker flag or a ZAP flag?
2. Let's say the Node.js process runs in the same machine as the Docker daemon - should I add those properties as localhost "-config api.addrs.addr.name=localhost" and modify the docker image to append those to the ZAP command? Is there a way to do this at runtime without touching the docker image?

On a different strategy, let's say I:
- can forge an authentication token that I could inject as an HTTP header
- can also provide a list of URLs with query parameters to be checked e.g. host: https://my_api_site.org/my_path with query parameters "id=1..10" and "value=foo|bar|baz"
I can see from the ZAP GUI that I could provide some Alert filters that seem to be a good candidate for some sort of template I could pass as a command line parameter to the ZAP command in docker - is this or anything near possible at all?

Cheers