List of vulnerabilities that ZAP API scanner can scan

Ruchira Sahan

Sep 23, 2021, 1:34:35 AM9/23/21
to OWASP ZAP User Group
Hi,
Does anyone have a list of vulnerabilities that the ZAP API scanner can scan for? I have tried searching for it, but there isn't much information available on the internet about API scanning.
Thanks

Simon Bennetts

Sep 23, 2021, 4:07:17 AM9/23/21
to OWASP ZAP User Group
Well, in this case it helps if you know how to read a bit of code, even if you can't program :)
The script is called "zap-api-scan", so search for that here: https://github.com/zaproxy/zaproxy/ (you may need to be logged in). For some reason "zap-api-scan.py" doesn't find anything :/

If you read the script you'll find it uses a scan policy called "API-Minimal" by default.
It also adds a couple of scripts.


To find what the IDs in the policy refer to, take off the initial "p" and look for them here: https://www.zaproxy.org/docs/alerts/

Sorry, we don't have a simple list for you :)

Cheers,

Simon
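The lookup Simon describes (read the scan policy, strip the leading "p" from each plugin entry, look the number up under the alerts docs) can be automated. The script below is an added example written for this thread; it is not code from Simon, from zap-api-scan, or from the ZAP project. It assumes the usual shape of a ZAP .policy file (plugin entries as <pNNNNN> elements under <plugins>, each carrying <enabled>, <level> and <strength>), that a plugin counts as active only when enabled is true and its level is not OFF, and that each alert's documentation page lives at https://www.zaproxy.org/docs/alerts/<id>/. The embedded policy is a constructed sample, not the real API-Minimal policy shipped with ZAP; pass a real policy file path on the command line to use it instead.

```python
"""List the scan rules in a ZAP scan-policy file and map them to alert docs.

Added example for this thread, not ZAP project code. Assumptions (see lead-in):
  * policy files list rules as <pNNNNN> children of <plugins>
  * a rule is active iff <enabled> is "true" and <level> is not "OFF"
  * per-alert docs are at https://www.zaproxy.org/docs/alerts/<id>/
"""
import sys
import xml.etree.ElementTree as ET

ALERT_DOCS_BASE = "https://www.zaproxy.org/docs/alerts/"

# Constructed sample in the shape of a ZAP .policy file. The plugin IDs are
# real ZAP rule IDs, but the selection and thresholds are made up for the demo.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <policy>API-Minimal</policy>
  <scanner>
    <level>OFF</level>
    <strength>DEFAULT</strength>
  </scanner>
  <plugins>
    <p40012><enabled>true</enabled><level>MEDIUM</level><strength>DEFAULT</strength></p40012>
    <p40018><enabled>true</enabled><level>MEDIUM</level><strength>DEFAULT</strength></p40018>
    <p90019><enabled>true</enabled><level>MEDIUM</level><strength>DEFAULT</strength></p90019>
    <p10021><enabled>false</enabled><level>OFF</level><strength>DEFAULT</strength></p10021>
  </plugins>
</configuration>
"""


def policy_name(policy_xml):
    """Return the <policy> name declared in the file, or None if absent."""
    return ET.fromstring(policy_xml).findtext("policy")


def policy_plugins(policy_xml):
    """Return one dict per <pNNNNN> entry, sorted by numeric rule ID.

    Each dict has the numeric id (the "p" prefix stripped, as Simon suggests),
    the declared alert threshold (level), the attack strength, and whether the
    rule is active under the assumption stated in the module docstring.
    """
    root = ET.fromstring(policy_xml)
    plugins = root.find("plugins")
    if plugins is None:
        raise ValueError("policy file has no <plugins> element")
    rows = []
    for node in plugins:
        tag = node.tag
        # Skip anything that is not a pNNNNN rule entry.
        if not (tag.startswith("p") and tag[1:].isdigit()):
            continue
        rule_id = tag[1:]
        enabled_text = (node.findtext("enabled") or "false").strip().lower()
        level = (node.findtext("level") or "").strip().upper()
        strength = (node.findtext("strength") or "").strip().upper()
        rows.append({
            "id": rule_id,
            "enabled": enabled_text == "true" and level != "OFF",
            "level": level,
            "strength": strength,
        })
    return sorted(rows, key=lambda r: int(r["id"]))


def alert_doc_url(rule_id):
    """Documentation URL for a numeric rule/alert ID (URL layout is an assumption)."""
    return f"{ALERT_DOCS_BASE}{rule_id}/"


def enabled_alert_urls(policy_xml):
    """Doc URLs for only the rules that would actually run under this policy."""
    return [alert_doc_url(r["id"]) for r in policy_plugins(policy_xml) if r["enabled"]]


def main(argv):
    # Use a real policy file if one is given, otherwise the constructed sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            policy_xml = fh.read()
    else:
        policy_xml = SAMPLE_POLICY
    print(f"policy: {policy_name(policy_xml)}")
    for row in policy_plugins(policy_xml):
        state = "on " if row["enabled"] else "off"
        print(f"  [{state}] {row['id']:>6}  level={row['level']:<7} {alert_doc_url(row['id'])}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python list_policy_rules.py "API-Minimal.policy"` against the policy file extracted from the zap-api-scan script or your ZAP home directory to get the per-rule doc links; the off-by-default entries are listed too, so you can see what the policy deliberately leaves out as well as what it runs.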