Wanting to attack different APIs with a single docker command


Yash Pamnani

Jan 27, 2022, 4:27:50 AM
to OWASP ZAP User Group
So I'm new to OWASP ZAP and I was trying to test the API using the OWASP ZAP docker.

I tried using
where I made my own hook, defined my own target and additional API URL, changed a few configurations and deleted the configuration not needed for the project.

I used this command: docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-baseline.py \
    -t <api-url> -z -config api.key=<somekey i put inside zap.py> -r testreport.html --hook=zap.py 

but I'm getting this error:
requests.exceptions.ProxyError: HTTPConnectionPool(host='0.0.0.0', port=8098): Max retries exceeded with url: http://zap/JSON/core/action/loadSession/?name=Apisession&apikey=<key> (Caused by ProxyError('Cannot connect to proxy.', NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fe172aae790>: Failed to establish a new connection: [Errno 111] Connection refused')))

The firewall is off so I don't think that is an issue.

Simon Bennetts

Jan 27, 2022, 4:37:18 AM
to OWASP ZAP User Group
The first thing to do is to work out if it's a network issue or a ZAP problem.
The easiest way to do that is by using another command, like curl.
Run the following command, replacing https://www.example.com with your target:

docker run -t owasp/zap2docker-stable curl https://www.example.com

Does that work?

Cheers,

Simon

Yash Pamnani

Jan 27, 2022, 4:53:57 AM
to OWASP ZAP User Group
Yup, that works. I just used it and curl gives a proper response from the API.

Simon Bennetts

Jan 27, 2022, 4:56:29 AM
to OWASP ZAP User Group
Ah, I've just noticed the error was when connecting to the API rather than the target system ;)
What happens if you _don't_ set an API key?
Does it work then?

Yash Pamnani

Jan 27, 2022, 5:03:22 AM
to OWASP ZAP User Group
docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-baseline.py -t <api-url>  -r testreport.html --hook=zap.py
So I tried this command without defining the API key; still the same error.

Simon Bennetts

Jan 27, 2022, 5:06:18 AM
to OWASP ZAP User Group
Have a look in the zap.log file.
The easiest way to do this is to start an interactive bash shell and run the baseline scan from that. Then you can access the zap.log file in ~/.ZAP/zap.log.

Yash Pamnani

Jan 27, 2022, 5:21:49 AM
to OWASP ZAP User Group
Just opened the docker bash and, to my surprise, there is no log file inside the docker.

Simon Bennetts

Jan 27, 2022, 5:26:23 AM
to OWASP ZAP User Group
If you've only just opened the docker instance then there won't be a zap.log file - that's created when you run ZAP.
You will get a new docker instance every time you perform a 'docker run'.

Yash Pamnani

Jan 27, 2022, 5:31:01 AM
to OWASP ZAP User Group
How do I use the same docker instance?

Simon Bennetts

Jan 27, 2022, 5:40:17 AM
to OWASP ZAP User Group
Hang on, I've just noticed something...

You said you are using:
  • docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-baseline.py \
        -t <api-url> -z -config api.key=<somekey i put inside zap.py> -r testreport.html --hook=zap.py 
Is that right?
Is the <api-url> you are specifying your target application or the ZAP API?
It should be your target app :)

Yash Pamnani

Jan 27, 2022, 5:45:40 AM
to OWASP ZAP User Group
Yeah, it is my target application that I enter in that URL space. Also, I tried to go inside the docker and run the python script manually; it didn't generate a log file.

Simon Bennetts

Jan 27, 2022, 5:55:48 AM
to OWASP ZAP User Group
OK, so start a bash shell in docker:
  • docker run -v $(pwd):/zap/wrk/:rw -i -t owasp/zap2docker-stable bash
Then run the baseline scan without the hook:
  • ./zap-baseline.py -t <api-url> -r testreport.html
Does that work?
If not, have a look at the zap.log file:
  • cat ~/.ZAP/zap.log
If it does work, then run it with the hook:
  • ./zap-baseline.py -t <api-url> -r testreport.html --hook=zap.py
Does that work?
If not, have a look at the zap.log file:
  • cat ~/.ZAP/zap.log

Yash Pamnani

Jan 27, 2022, 6:16:11 AM
to OWASP ZAP User Group
Tried the first one without the hook; it didn't return the result, so I tried with full-scan instead of baseline and then it tested just fine, it created the log. But the 2nd one with the hook didn't return anything and gave the same error.
I have multiple APIs like /api/id and /api/places, but I have to run it one at a time for each API, with a different HTML result for every API. I want something that can run all my multiple APIs and return one result, so I can pass those results to the developers.

Simon Bennetts

Jan 27, 2022, 6:20:18 AM
to OWASP ZAP User Group
It's strange / interesting that the first one without the hook didn't return - did it just hang? How long did you leave it?
Try running it again with the "--autooff" option to see if the Automation Framework is causing a problem.

Yash Pamnani

Jan 27, 2022, 6:32:56 AM
to OWASP ZAP User Group
Yeah, with --autooff the baseline returns the result.

Yash Pamnani

Jan 27, 2022, 6:34:24 AM
to OWASP ZAP User Group
But without autooff it shows this:
Using the Automation Framework
Automation plan failures:
        Job spider failed to access URL <url> status code returned : 404 expected 200
2022-01-27 11:33:25,932 Failed to access summary file /home/zap/zap_out.json

Simon Bennetts

Jan 27, 2022, 6:42:25 AM
to OWASP ZAP User Group
OK, so it would have saved some time if you'd mentioned that important error!
The problem is that the target URL is returning a 404, so the spider isn't running.
I'm a bit surprised the baseline scan runs against it with "--autooff", but it's probably not doing anything really useful ;)

Yash Pamnani

Jan 27, 2022, 6:44:20 AM
to OWASP ZAP User Group
So, any solution on how I can automate my multiple APIs?

Simon Bennetts

Jan 27, 2022, 6:55:24 AM
to OWASP ZAP User Group
The packaged scans are not designed to handle multiple targets.
The full set of recommended automation options are given on https://www.zaproxy.org/docs/automate/
The "mass baseline" is a set of scripts for running the baseline against a set of targets: https://github.com/zaproxy/community-scripts/tree/main/api/mass-baseline
This is no longer maintained but could still be useful for you.

If you don't fancy rolling your own solution then there are a set of open source and commercial products that might help you: https://www.zaproxy.org/third-party-services/
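One way to do the per-endpoint loop this thread ends on, as an added example that is neither code from the thread nor the ZAP project's own mass-baseline scripts: it runs the packaged baseline once per target with the --autooff workaround mentioned above and keeps one report per endpoint. The target list, the reports directory and the DRY_RUN switch are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the thread or the ZAP project): run the packaged
# baseline scan once per API endpoint and keep one report per endpoint.
# The target list, report directory and DRY_RUN switch are assumptions.

IMAGE="owasp/zap2docker-stable"   # image used in the thread
REPORT_DIR="reports"
: "${DRY_RUN:=1}"                 # 1 = only print commands; 0 = run docker

# Turn an endpoint URL into a safe report file name:
# https://host/api/places -> host_api_places
report_name() {
    printf '%s' "$1" | sed -e 's#^[a-z]*://##' -e 's#[^A-Za-z0-9._-]#_#g'
}

# Build the docker command for one target. --autooff is the workaround that
# made the baseline return a result in the thread; -r writes the report into
# the mounted /zap/wrk directory, i.e. into ./reports on the host.
zap_baseline_cmd() {
    printf 'docker run -v "$(pwd)/%s:/zap/wrk/:rw" -t %s zap-baseline.py -t %s --autooff -r %s.html' \
        "$REPORT_DIR" "$IMAGE" "$1" "$(report_name "$1")"
}

# Run the baseline for every endpoint listed (one per line) in file $1,
# skipping blank lines and '#' comments. Returns the number of failed scans
# (zap-baseline.py exits non-zero on WARN/FAIL alerts as well as on errors).
scan_all() {
    mkdir -p "$REPORT_DIR"
    failures=0
    while IFS= read -r target; do
        case "$target" in ''|\#*) continue ;; esac
        cmd=$(zap_baseline_cmd "$target")
        echo "==> $cmd"
        [ "$DRY_RUN" = "1" ] && continue
        sh -c "$cmd" || failures=$((failures + 1))
    done < "$1"
    return "$failures"
}

# Constructed sample target list; every entry must answer 200, otherwise the
# spider job fails as it did in the thread.
TARGETS_FILE=$(mktemp)
trap 'rm -f "$TARGETS_FILE"' EXIT
cat > "$TARGETS_FILE" <<'EOF'
https://api.example.com/api/id
https://api.example.com/api/places
EOF
scan_all "$TARGETS_FILE"
```

Run with DRY_RUN=0 to actually start the scans; the script's exit status is the number of endpoints whose scan failed or raised alerts.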

Yash Pamnani

Jan 27, 2022, 7:15:09 AM
to OWASP ZAP User Group
Oh, I'll sure check it out.
Thank you for all the help. Appreciate it :)