Rules for DAST API scans?

Sang Nguyen

Mar 29, 2022, 3:48:39 PM
to OWASP ZAP User Group
Can someone help me understand the rules for DAST API scans?

I'm getting these warnings from my run:

zap-api  | WARN-NEW: Unexpected Content-Type was returned [100001] x 42
zap-api  |      http://myapp:3000/1433505641256985611 (404 Not Found)
zap-api  |      http://myapp:3000/api-docs/5885434942162376492 (404 Not Found)
zap-api  |      http://myapp:3000/api-docs/v3/3547039842195983285 (404 Not Found)
zap-api  |      http://myapp:3000 (200 OK)
zap-api  |      http://myapp:3000/api-docs/v3 (404 Not Found)
zap-api  | WARN-NEW: X-Content-Type-Options Header Missing [10021] x 1
zap-api  |      http://myapp:3000/openapi.yaml (200 OK)
zap-api  | WARN-NEW: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037] x 1
zap-api  |      http://myapp:3000/api/v1/myservice (200 OK)
zap-api  | FAIL-NEW: 0  FAIL-INPROG: 0  WARN-NEW: 3     WARN-INPROG: 0  INFO: 0 IGNORE: 0       PASS: 112


For the first one, Unexpected Content-Type was returned, what content-type is expected here? Is there a way to change the expected content-type?

For X-Content-Type-Options Header Missing, I changed my response headers to purposefully return X-Powered-By to test. I would expect a Fail here instead of a Warn.

Sang Nguyen

Mar 29, 2022, 3:50:00 PM
to OWASP ZAP User Group
I'm running zap-api-scan.py from owasp/zap2docker-weekly.

Simon Bennetts

Mar 30, 2022, 4:12:53 AM
to OWASP ZAP User Group
Hiya,

The output from the packaged scans is deliberately very terse and often does not contain enough information to diagnose and fix an alert.
Use one of the reporting options to get more details, or perform a scan using the ZAP desktop locally.

Cheers,

Simon

thc...@gmail.com

Mar 30, 2022, 4:48:48 AM
to zaprox...@googlegroups.com
Also, whether the result is a fail or warn depends on the config you are
using:
https://www.zaproxy.org/docs/docker/baseline-scan/#configuration-file

Best regards.

thc...@gmail.com

Mar 30, 2022, 4:53:53 AM
to zaprox...@googlegroups.com
For the expected content types see:
https://github.com/zaproxy/zaproxy/blob/5f3f92e0c0c468276a2e840760d867d12f07662f/docker/scripts/scripts/httpsender/Alert_on_Unexpected_Content_Types.js#L13-L26

You can map your own script to override them, or disable the script
(e.g. using scan hook) if you don't want those checks.

Best regards.

Sang Nguyen

Mar 30, 2022, 3:57:12 PM
to OWASP ZAP User Group
So according to the GitHub link, application/json is an expected content type, but when I run my test, I'm seeing that one of the links the test is complaining about is indeed returning application/json.

zap-api | WARN-NEW: Unexpected Content-Type was returned [100001] x 12
zap-api |    http://myapp:3000/4399453482045733027 (404 Not Found)
zap-api |    http://myapp:3000/api-docs/6548592302736285942 (404 Not Found)
zap-api |    http://myapp:3000 (200 OK)
zap-api |    http://myapp:3000/api-docs/v3 (404 Not Found)

I added a curl inside my docker-compose file to my service. Command: bash -c "curl -i http://myapp:3000/api-docs/v3"

HTTP/1.1 404 Not Found
zap-api | Content-Type: application/json; charset=UTF-8
zap-api | X-Request-Id: 0981863d-ab00-428a-b0fb-050af0f14378
zap-api | X-Runtime: 0.082726
zap-api | Content-Length: 6207

> You can map your own script to override them, or disable the script
> (e.g. using scan hook) if you don't want those checks.

@thc202: do you have an example of how I can disable the content type check using scan hooks?
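One shape such a hook module can take, added here as an illustration rather than anything posted in the thread or shipped with ZAP. It assumes the packaged scan's hook mechanism (a Python file passed with `--hook` whose `zap_started(zap, target)` function is called once ZAP is up, before scanning) and the `zap.script.list_scripts` / `zap.script.disable(name)` calls of the python-owasp-zap-v2.4 client; the script name comes from the link above. `FakeZap` is a constructed stand-in so the module runs offline.

```python
# Constructed example of a zap-api-scan.py hook module (pass it with --hook).
# Assumed: the scan scripts call zap_started(zap, target) before the scan, and
# the python-owasp-zap-v2.4 client exposes zap.script.list_scripts (a list of
# dicts with a "name" key) and zap.script.disable(scriptname).

CONTENT_TYPE_SCRIPT = "Alert_on_Unexpected_Content_Types.js"


def disable_script(zap, script_name):
    """Disable one loaded script by name; returns True if ZAP had it loaded."""
    for script in zap.script.list_scripts:
        if script.get("name") == script_name:
            zap.script.disable(script_name)
            return True
    return False


def zap_started(zap, target):
    """Hook entry point: ZAP is running, the scan of `target` has not started."""
    found = disable_script(zap, CONTENT_TYPE_SCRIPT)
    state = "disabled" if found else "not loaded, nothing to disable"
    print(f"{CONTENT_TYPE_SCRIPT}: {state} (target {target})")
    return found


class FakeZap:
    """Constructed stand-in for the ZAP client so the module runs offline."""

    class _Script:
        def __init__(self, names):
            # Mirrors the dict shape returned by the real list_scripts view.
            self.list_scripts = [{"name": n, "enabled": "true"} for n in names]
            self.disabled = []

        def disable(self, scriptname):
            self.disabled.append(scriptname)

    def __init__(self, loaded_script_names):
        self.script = self._Script(loaded_script_names)


if __name__ == "__main__":
    demo = FakeZap([CONTENT_TYPE_SCRIPT, "Some_Other_Script.js"])
    zap_started(demo, "http://myapp:3000/openapi.yaml")
```

Disabling the script removes rule 100001 from the run entirely; if the aim is only to keep the random 404 probe URLs out of the result, the config file's per-rule OUTOFSCOPE entries are the narrower tool.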

Simon Bennetts

Mar 31, 2022, 4:40:45 AM
to OWASP ZAP User Group
Just because curl gets the right Content-Type it doesn't mean that ZAP also did.
As I said before, the summaries are deliberately terse.
I still recommend you generate a report and then you will be able to see the response that ZAP gets.
If that response has the right Content-Type then let us know, as that implies there's a bug in that ZAP rule.

Cheers,

Simon

Sang Nguyen

Mar 31, 2022, 10:33:43 AM
to OWASP ZAP User Group
Simon,

Getting the report really helps. The scanner tells me it's picking up text/html. Can you show me how I can disable this Unexpected Content-Type scan? thc202 above mentions that I can use scan hooks, but I'm not entirely sure which hook to use or what should even be in my Python script. Since the rule id is 100001, could I just add `100001	OUTOFSCOPE	(Unexpected Content Type)` to my config file?

Simon Bennetts

Apr 5, 2022, 9:22:33 AM
to OWASP ZAP User Group
Have you tried turning it off via the config file?
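To make the config-file question concrete, here is a small Python model of how the tab-separated config (`<rule id>`, `<action>`, then a name or, for OUTOFSCOPE, a URL regex) turns alerts into the WARN/FAIL/IGNORE counts the summary prints. It is an added illustration, not the scan script's own code: the config and alert list are constructed from the URLs quoted in this thread, and the assumption that a rule absent from the config defaults to WARN is the example's own. It shows why the thread's X-Powered-By finding came out as WARN rather than FAIL, and how OUTOFSCOPE can drop 100001 for the random-path 404 probes while still reporting it for real endpoints.

```python
import re
from collections import Counter, defaultdict

# Constructed config in the scan config-file format (tab separated):
#   <rule id> <action> <name, or for OUTOFSCOPE a URL regex>
SAMPLE_CONFIG = "\n".join([
    "# Constructed example; not the project's default config",
    "10021\tFAIL\t(X-Content-Type-Options Header Missing)",
    "10037\tWARN\t(Server Leaks Information via \"X-Powered-By\" HTTP Response Header Field(s))",
    # Drop rule 100001 only for the random numeric probe paths, not for real URLs.
    "100001\tOUTOFSCOPE\thttp://myapp:3000(/api-docs(/v3)?)?/[0-9]+$",
])

# Constructed alerts, modelled on the summary lines quoted earlier in the thread.
SAMPLE_ALERTS = [
    {"id": "100001", "url": "http://myapp:3000/1433505641256985611"},
    {"id": "100001", "url": "http://myapp:3000/api-docs/5885434942162376492"},
    {"id": "100001", "url": "http://myapp:3000"},
    {"id": "100001", "url": "http://myapp:3000/api-docs/v3"},
    {"id": "10021", "url": "http://myapp:3000/openapi.yaml"},
    {"id": "10037", "url": "http://myapp:3000/api/v1/myservice"},
]

ACTIONS = {"IGNORE", "WARN", "FAIL", "OUTOFSCOPE"}


def parse_config(text):
    """Return ({rule_id: action}, {rule_id: [compiled URL regex, ...]})."""
    actions, out_of_scope = {}, defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 2 or parts[1] not in ACTIONS:
            raise ValueError(f"line {lineno}: expected '<id>\\t<action>\\t...', got {raw!r}")
        rule_id, action = parts[0], parts[1]
        if action == "OUTOFSCOPE":
            if len(parts) < 3:
                raise ValueError(f"line {lineno}: OUTOFSCOPE needs a URL regex")
            out_of_scope[rule_id].append(re.compile(parts[2]))
        else:
            actions[rule_id] = action
    return actions, out_of_scope


def classify(alerts, config_text, default_action="WARN"):
    """Apply the config to alerts; returns (counts, remaining alerts, exit code).

    default_action is an assumption of this example: rules with no config
    line are treated as WARN, so a finding only fails the run once the
    config says FAIL for that rule id.
    """
    actions, out_of_scope = parse_config(config_text)
    counts, remaining = Counter(), []
    for alert in alerts:
        if any(rx.match(alert["url"]) for rx in out_of_scope.get(alert["id"], [])):
            counts["OUTOFSCOPE"] += 1
            continue
        action = actions.get(alert["id"], default_action)
        counts[action] += 1
        if action != "IGNORE":
            remaining.append({**alert, "action": action})
    exit_code = 1 if counts["FAIL"] else 0
    return counts, remaining, exit_code


if __name__ == "__main__":
    counts, remaining, code = classify(SAMPLE_ALERTS, SAMPLE_CONFIG)
    for alert in remaining:
        print(f"{alert['action']}: [{alert['id']}] {alert['url']}")
    print(f"FAIL: {counts['FAIL']}  WARN: {counts['WARN']}  "
          f"IGNORE: {counts['IGNORE']}  OUTOFSCOPE: {counts['OUTOFSCOPE']}  exit {code}")
```

With this config the two random-path 404s are out of scope, the root URL and /api-docs/v3 still surface rule 100001 as WARN, the missing X-Content-Type-Options header is the one FAIL, and the run exits non-zero. Switching the 100001 line to `IGNORE` would silence the rule for every URL, which is the coarser choice.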

Vasyl D

Oct 25, 2023, 6:35:08 AM
to ZAP User Group
Is there an understanding of where these endpoints with strange numbers are taken from? I.e. above, http://myapp:3000/4399453482045733027: where is 4399453482045733027 taken from?

Thanks in advance!

Simon Bennetts

Oct 25, 2023, 10:56:01 AM
to ZAP User Group
That is generated by `Analyser.getRandomPathSuffix(..)`.

Cheers,

Simon