Security Testing of Rest APIs using OWASP ZAP


Rahul

Sep 5, 2018, 8:24:51 AM
to OWASP ZAP User Group
I want to test the APIs for vulnerabilities. How can I use OWASP ZAP for security testing of REST APIs?

Simon Bennetts

Sep 5, 2018, 8:30:32 AM
to OWASP ZAP User Group

John Underatker

Sep 6, 2018, 12:45:51 AM
to zaprox...@googlegroups.com
Can I test the REST APIs too in the mentioned way? Is there any guide for the same?

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/8148e630-2695-4214-8660-bcf1d38d7d52%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Simon Bennetts

Sep 6, 2018, 3:14:11 AM
to OWASP ZAP User Group
Yes, that covers testing REST APIs, and that _is_ the guide :)
Are you having problems testing them?
If so let us know more details.

On Thursday, 6 September 2018 06:45:51 UTC+2, Rahul wrote:
Can I test the REST APIs too in the mentioned way? Is there any guide for the same?

On Wed, Sep 5, 2018 at 6:00 PM Simon Bennetts <psi...@gmail.com> wrote:
This is a good place to start: https://zaproxy.blogspot.com/2017/06/scanning-apis-with-zap.html

On Wednesday, 5 September 2018 14:24:51 UTC+2, Rahul wrote:
I want to test the APIs for vulnerabilities. How can I use OWASP ZAP for security testing of REST APIs?


hauschu...@gmail.com

Sep 6, 2018, 7:23:16 AM
to OWASP ZAP User Group
For anything that seems to be missing on that page, this one has some good information on importing definitions for scanning into a regular instance of ZAP. (It's also referenced on the page Simon sent!)

John Underatker

Sep 7, 2018, 1:43:44 AM
to zaprox...@googlegroups.com
I am testing the APIs on localhost. When I change the proxy settings in ZAP, I can see through SOAPUI that ZAP is working as a proxy, but the settings are not working in Chrome.
I tried changing the proxy settings too.
Though I see ZAP is pointing to the localhost that I am testing on in the tree view.
How can I validate that the browser settings are correct to go ahead, and what should be the further steps?
It must be a tough job explaining this to me,
but I am just putting a step forward to learn this interesting stuff.

On Thu, Sep 6, 2018 at 4:53 PM <hauschu...@gmail.com> wrote:
For anything that seems to be missing on that page, this one has some good information on importing definitions for scanning into a regular instance of ZAP. (It's also referenced on the page Simon sent!)


hauschu...@gmail.com

Sep 7, 2018, 2:37:29 AM
to OWASP ZAP User Group
As I understand it, your setup is:

Chrome -> ZAP -> SOAPUI

Is that correct?

And what are you seeing on Chrome? Is it a certificate error? 

(I would test the setup by just doing normal web-browsing first to make sure everything is ok)

Also, in the Chrome settings there is usually a checked box for 'bypass proxy for local address', and when you point Chrome at ZAP it's important to make sure it is UNCHECKED.

kingthorin+owaspzap

Sep 7, 2018, 2:40:47 AM
to OWASP ZAP User Group
Chrome probably has a "No proxy for" setting that includes 127.0.0.1 and localhost by default.

John Underatker

Sep 7, 2018, 4:01:25 AM
to zaprox...@googlegroups.com
When I apply the proxy settings:
POSTMAN and all other API testing tools give me a Bad Request response code,
so ZAP is working as a proxy.
But when I hit the end-points I cannot see them reflected in the tree view of ZAP. What am I missing that the end-points are not reflected?
And regarding the flow: I am trying to get the end-points reflected through (any API testing tool) ----> ZAP tree view.

On Fri, Sep 7, 2018 at 12:10 PM kingthorin+owaspzap <kingt...@gmail.com> wrote:
Chrome probably has a "No proxy for" setting that includes 127.0.0.1 and localhost by default.


hauschu...@gmail.com

Sep 7, 2018, 5:29:26 AM
to OWASP ZAP User Group
Ah ok!

Can you include a screen capture of your POSTMAN proxy settings, and the content of the Bad Request response?

John Underatker

Sep 7, 2018, 5:47:37 AM
to zaprox...@googlegroups.com
Content of response body: Bad Format
[screenshot attached]
Also, a point to note: after doing the proxy setting in Firefox, I can see that ZAP detects http://detectportal.firefox.com, but in my case I need the REST API endpoints to show up in ZAP to go ahead with the scanning.

I really appreciate the quick responses. Kudos and more power to you (y)

On Fri, Sep 7, 2018 at 2:59 PM <hauschu...@gmail.com> wrote:
Ah ok!

Can you include a screen capture of your POSTMAN proxy settings, and the content of the Bad Request response?


John Underatker

Sep 7, 2018, 5:54:20 AM
to zaprox...@googlegroups.com
Following error is received:
Could not get any response
There was an error connecting to ...........
Why this might have happened:
  • The server couldn't send a response:
    Ensure that the backend is working properly
  • Self-signed SSL certificates are being blocked:
    Fix this by turning off 'SSL certificate verification' in Settings > General
  • Proxy configured incorrectly
    Ensure that proxy is configured correctly in Settings > Proxy
  • Request timeout:
    Change request timeout in Settings > General

thc...@gmail.com

Sep 7, 2018, 6:02:23 AM
to zaprox...@googlegroups.com
> Self-signed SSL certificates are being blocked

Did you change the referenced option? ZAP uses self-signed certificates.

Best regards.

On 07/09/18 10:50, John Underatker wrote:
> Following error is received:
> Could not get any response
> There was an error connecting to ...........
> Why this might have happened:
>
> - The server couldn't send a response:
> Ensure that the backend is working properly
> - Self-signed SSL certificates are being blocked:
> Fix this by turning off 'SSL certificate verification' in *Settings >
> General*
> - Proxy configured incorrectly
> Ensure that proxy is configured correctly in *Settings > Proxy*
> - Request timeout:
> Change request timeout in *Settings > General*
>
>

John Underatker

Sep 7, 2018, 6:23:50 AM
to zaprox...@googlegroups.com
I just changed the proxy settings in ZAP and POSTMAN to point at the port that I am testing on.

I have not generated the certificate through ZAP. I am testing the APIs on the localhost network.

I also tried to uncheck the SSL certificate verification in POSTMAN, but it didn't work.
Thanks

thc...@gmail.com

Sep 7, 2018, 6:30:40 AM
to zaprox...@googlegroups.com
The proxy settings in ZAP should not be changed, unless you need to
connect to an outgoing proxy (which does not seem to be the case).

Could you provide more details about the configuration in ZAP? Which
port is ZAP listening on?

Best regards.

hauschu...@gmail.com

Sep 7, 2018, 6:39:28 AM
to OWASP ZAP User Group
Ok, I hope I understand this correctly!

Your setup:

POSTMAN (sends traffic to 127.0.0.1 port 4000) -> ZAP (listens to traffic on 127.0.0.1 port XXXX, sends traffic to 127.0.0.1 port YYYY) -> local API (listens to traffic on 127.0.0.1 on port YYYY)

For it to work as I understand, ZAP needs to be configured to listen to port 4000 (tools/options/local proxies) BUT that port must be different from YYYY (which is already used by the local API)

Like THC said, I would leave ZAP on the default setting 127.0.0.1:8080, point POSTMAN to that exclusively, leave your local API on whatever other port you like and let ZAP handle the rest!

John Underatker

Sep 7, 2018, 9:46:20 AM
to zaprox...@googlegroups.com
while(1){
//Thanks
}
Thank you, everyone. I was able to see the request in the tree, but is that enough to scan for vulnerabilities, or do I have to work with different parameters for the request as well?
To put it correctly:
If I have 5 GET and 5 POST requests:
Is just getting these end-points available for scanning in ZAP enough, or does the next request need to be managed with values extracted from the response of the previous request, etc.?


hauschu...@gmail.com

Sep 7, 2018, 10:07:08 AM
to OWASP ZAP User Group
I would point ZAP active scan at the top portion of the tree you want to test, and let it go to work! 

Then look at the results when it is done and browse through the requests it was making to see if there are any parameters that it didn't recognize as potential inputs, or any tokens that need to be handled, special areas you want to focus on, etc. (also go through all the alerts and try to manually confirm or deny)

In general, once the requests are in the tree, ZAP has a pretty good idea what it is looking for! :)
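
The workflow described in this thread (client -> ZAP on 127.0.0.1:8080 -> local API, check the Sites tree, then point the active scan at the subtree and triage the alerts), as an added example that is not code from the thread or from the ZAP project. It drives ZAP's REST API with the standard library only. Everything below that is not in the thread is an assumption: the API under test on http://127.0.0.1:5000 and its /api/items endpoints are hypothetical, and the ZAP API key is expected in the ZAP_API_KEY environment variable. The assumed target is on 127.0.0.1, not a port ZAP itself listens on, which is the port mix-up discussed above.

```python
"""Replay API calls through ZAP, confirm they landed in the Sites tree,
active-scan the subtree and triage the alerts via ZAP's JSON API.

Added example, not code from the thread or the ZAP project. Assumptions:
ZAP on its default 127.0.0.1:8080, a hypothetical plain-http API on
http://127.0.0.1:5000 with hypothetical /api/items endpoints, and the ZAP
API key exported as ZAP_API_KEY (recent ZAP versions require one).
"""
import json
import os
import ssl
import time
import urllib.parse
import urllib.request

ZAP = "http://127.0.0.1:8080"      # Tools > Options > Local Proxies; leave at the default
TARGET = "http://127.0.0.1:5000"   # hypothetical API under test; must NOT be ZAP's own port
API_KEY = os.environ.get("ZAP_API_KEY", "")
RISK_ORDER = ("High", "Medium", "Low", "Informational")


def api_url(component, kind, name, params=None, zap=ZAP, apikey=API_KEY):
    """Build a ZAP API URL, e.g. .../JSON/core/view/urls/?baseurl=...&apikey=..."""
    query = dict(params or {})
    if apikey:
        query["apikey"] = apikey
    return "%s/JSON/%s/%s/%s/?%s" % (zap, component, kind, name, urllib.parse.urlencode(query))


def zap_api(component, kind, name, params=None):
    """Call the ZAP API on its listen address (not through the proxy) and parse the JSON."""
    with urllib.request.urlopen(api_url(component, kind, name, params), timeout=30) as resp:
        return json.load(resp)


def proxied_opener(zap_root_ca=None):
    """Opener that sends http AND https through ZAP, as Postman does with its proxy set to
    127.0.0.1:8080. ZAP re-signs https server certificates with its own root CA, so for
    https targets trust that CA (Tools > Options > Dynamic SSL Certificates > Save) rather
    than switching verification off; a plain-http localhost API needs no CA at all."""
    ctx = ssl.create_default_context(cafile=zap_root_ca)
    return urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": ZAP, "https": ZAP}),
        urllib.request.HTTPSHandler(context=ctx),
    )


def in_tree(urls, target=TARGET):
    """True if a URL ZAP recorded belongs to the target, i.e. the requests really went
    through the proxy instead of around it. The port is part of the match on purpose."""
    prefix = target.rstrip("/") + "/"
    return any(u == target or u.startswith(prefix) for u in urls)


def summarize_alerts(alerts):
    """Count ZAP alerts by risk so a script or CI job can fail on High/Medium."""
    counts = {}
    for a in alerts:
        counts[a["risk"]] = counts.get(a["risk"], 0) + 1
    return {r: counts.get(r, 0) for r in RISK_ORDER}


def main():
    # urllib honours no_proxy / the OS bypass list, the same trap as Chrome's
    # "bypass proxy for local addresses": clear it or the calls never reach ZAP.
    os.environ.pop("no_proxy", None)
    os.environ.pop("NO_PROXY", None)
    opener = proxied_opener()
    # 1. Replay the API calls (one GET, one JSON POST) through ZAP. JSON body fields are
    #    injection points when the JSON input vector is enabled (Options > Active Scan Input Vectors).
    opener.open(TARGET + "/api/items", timeout=10).close()
    post = urllib.request.Request(TARGET + "/api/items", data=json.dumps({"name": "widget"}).encode(),
                                  headers={"Content-Type": "application/json"})
    opener.open(post, timeout=10).close()
    # 2. Check the Sites tree before scanning; nothing there means the proxy was bypassed.
    urls = zap_api("core", "view", "urls", {"baseurl": TARGET})["urls"]
    if not in_tree(urls):
        raise SystemExit("target is not in ZAP's tree: the client went around the proxy")
    # 3. Active-scan the subtree and poll until done (status is a percentage string).
    scan_id = zap_api("ascan", "action", "scan", {"url": TARGET, "recurse": "true"})["scan"]
    while int(zap_api("ascan", "view", "status", {"scanId": scan_id})["status"]) < 100:
        time.sleep(5)
    # 4. Triage: counts first, then each alert with the parameter ZAP injected into.
    alerts = zap_api("core", "view", "alerts", {"baseurl": TARGET})["alerts"]
    print(summarize_alerts(alerts))
    for a in sorted(alerts, key=lambda a: RISK_ORDER.index(a["risk"])):
        print(a["risk"], a["alert"], a.get("method", ""), a["url"], "param=" + a.get("param", ""))


if __name__ == "__main__":
    main()
```

Run it with ZAP open and the API up; if step 2 exits, the client bypassed the proxy (check no_proxy and the target port) rather than ZAP failing. The alerts still need the manual confirm-or-deny pass described above; the script only tells you where to look first.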

Omer Z.

Sep 7, 2018, 10:41:36 AM
to OWASP ZAP User Group
You could use Zaproxy to do this via the CLI. The packaged API scan can be a good start for this.

Please reply if you need some clarification.

On Wednesday, 5 September 2018 14:24:51 UTC+2, Rahul wrote:
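
The packaged API scan mentioned above, as an added example that is not code from the thread or from the ZAP project: it runs zap-api-scan.py from ZAP's official Docker image against an OpenAPI definition. Assumptions not in the thread: Docker is installed, the definition is served by the host at the hypothetical http://localhost:5000/openapi.json, and reports are written to the current directory. The one pitfall the helper handles is that "localhost" inside the container is the container itself, so a host-served target has to be rewritten to host.docker.internal (the container-side twin of the "No proxy for localhost" problem discussed in this thread).

```shell
#!/bin/sh
# Added example (not from the thread or the ZAP project): run ZAP's packaged
# API scan from the CLI via Docker. Assumptions: Docker is available, the API's
# OpenAPI definition is at the hypothetical http://localhost:5000/openapi.json,
# and reports land in the current directory (mounted as /zap/wrk).
set -eu

IMAGE="ghcr.io/zaproxy/zaproxy:stable"   # older name of the same image: owasp/zap2docker-stable

# Inside a container "localhost"/127.0.0.1 is the container, not the host, so a
# definition served by the host must be addressed as host.docker.internal.
# Only the host part is rewritten; "localhost.example" or other hosts are untouched.
docker_target() {
    printf '%s\n' "$1" | sed -E 's#^(https?://)(localhost|127\.0\.0\.1)([:/]|$)#\1host.docker.internal\3#'
}

# Arguments: <openapi-definition-url> <html-report-name>
# -f openapi selects the definition format, -r/-J write HTML and JSON reports.
# If the spec's own servers entry also says localhost, add: -O host.docker.internal
run_api_scan() {
    target=$(docker_target "$1")
    docker run --rm \
        --add-host=host.docker.internal:host-gateway \
        -v "$(pwd):/zap/wrk/:rw" \
        -t "$IMAGE" zap-api-scan.py \
        -t "$target" -f openapi \
        -r "$2" -J "${2%.html}.json"
}

# Only scan when explicitly asked, so sourcing the file just defines the helpers.
if [ "${RUN_API_SCAN:-0}" = 1 ]; then
    run_api_scan "${1:-http://localhost:5000/openapi.json}" "${2:-zap-api-report.html}"
fi
```

Invoke as `RUN_API_SCAN=1 sh api-scan.sh http://localhost:5000/openapi.json report.html`. The script exits non-zero when the scan raises warnings or failures, which is what you want in a pipeline; pass `-I` to zap-api-scan.py if warnings should not fail the job.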