Issue with zap api scan when using swagger

67 views
Skip to first unread message

Nenad Borovcanin

unread,
Apr 12, 2024, 7:20:24 AMApr 12
to ZAP User Group
Hey guys,
I am working on a PoC of the Zap cli api scanner that I want to integrate into the pipeline.

My idea is to have a swagger file that will be the source of the endpoints that should be tested, and zap.yaml config used to set some kind of rules for testing. The scan should perform authenticated API endpoint tests.

Right now I am facing some issues, and I was not able to find proper docs/tutorials on how to setup this.

This is my folder structure:

├── README.md
├── swagger.yaml
└── zap.yaml

swagger.yaml is copied from my web app
zap.yaml should be configured to load the swagger file and specify some hardcoded access tokens and cookies that are used for authentication. It should also be configured to test only the contacts endpoints as they are the most basic ones for this PoC.

The command that I am using to run the scan is: 
docker run -v $(pwd):/zap/wrk/:rw -t softwaresecurityproject/zap-stable zap-api-scan.py -t swagger.yaml -f openapi -c zap.yaml -z -r report.html

After running this command from the root of the folder mentioned above - I am getting the following error message:

Failed to load config file /zap/wrk/zap.yaml Unexpected number of tokens on line - there should be at least 3, tab separated: openapi:

It indicates that YAML is not well structured.
I have tried multiple ways of formatting the YAML of both files, but the error is still the same.
I have also tried to create more simple YAMLs which again resulted in the same error

Do you have any suggestions on how to fix this? Or some docs on how to implement more complicated scans like I would like to perform (I was not able to find any detailed docs on this topic)

Thanks in advance!
The content of zap.yaml is in the attachment

zap.yaml

Simon Bennetts

unread,
Apr 16, 2024, 9:08:57 AMApr 16
to ZAP User Group
The -c option does not accept a YAML file.

Cheers,

Simon

Nenad Borovcanin

unread,
Apr 17, 2024, 10:37:30 AMApr 17
to ZAP User Group
Thank you for letting me know.
After some digging, I have one more question

Do you suggest this approach (creating a script that will use ZAP API) https://www.zaproxy.org/docs/api/#using-active-scan for my needs:

- I want to integrate Zap active scan against my APIs within the pipeline
- I will spin up in docker an instance of my app (API) 
- I need to import endpoints from the Swagger file
- I need a configuration where I can set what APIs should be tested and what APIs need to be skipped
- I need to add a header and query param to each request made to an API (that is the way of authentication in my API)

Will above-mentioned approach support all of this?


Thanks once more!

Simon Bennetts

unread,
Apr 22, 2024, 7:35:27 AMApr 22
to ZAP User Group
I would recommend using the Automation Framework (AF) for this: https://www.zaproxy.org/docs/getting-further/automation/automation-options/#automation-framework
Note that the AF just handles the ZAP configuration, you will need something else to record and control which APIs need to be tested.

Cheers,

Simon
Reply all
Reply to author
Forward
0 new messages