Adding Client certificate while scanning APIs through ZAP


nsingh

Aug 18, 2022, 7:12:08 AM
to OWASP ZAP User Group
Hi ,

I am trying to perform API scanning through ZAP (using the docker image). Currently I am using this command and providing the OpenAPI file. I need to send the certificate for authentication.

docker run --rm -v $(pwd):/zap/wrk/:rw --user root -t owasp/zap2docker-stable:2.11.1 zap-api-scan.py -t http://<BaseUrl>/openapi.json -g gen.conf -f openapi -x OWASP-ZAP-Report.xml -r Outgoing-scan-report.html --hook=/zap/wrk/my-hooks.py

Please let me know how I can pass the certificate.

Simon Bennetts

Aug 18, 2022, 9:28:25 AM
to OWASP ZAP User Group
I would definitely recommend getting this working in the ZAP desktop locally first before trying to use it in a packaged scan.

Cheers,

Simon

nsingh

Aug 18, 2022, 10:37:21 AM
to OWASP ZAP User Group
Thanks Simon. 

The challenge is that these APIs are only exposed from OpenShift and are not accessible from all machines, so I don't have the option to test using ZAP desktop.

Thanks,
Neha

Simon Bennetts

Aug 18, 2022, 12:03:10 PM
to OWASP ZAP User Group
Hiya Neha,

OK, that's challenging then ;)
But you can test the cmdline options for adding the certificate to ZAP locally, then use them in the environment that you need to use.

Cheers,

Simon

nsingh

Aug 23, 2022, 5:52:43 AM
to OWASP ZAP User Group
Hello Simon,

I am trying to create a docker image of ZAP and add the SSL certificate inside the Dockerfile. Can you please let me know the location where I can add the certificate?

Thanks.

Simon Bennetts

Aug 23, 2022, 6:29:21 AM
to OWASP ZAP User Group
Hiya Neha,

As per https://www.zaproxy.org/docs/docker/baseline-scan/ we recommend starting the packaged scans using a command starting with "docker run -v $(pwd):/zap/wrk/:rw".
This will map the current working directory to /zap/wrk.
I think that Docker supports mapping as many directories as you want, so you should have a lot of flexibility here.

Cheers,

Simon

Yi SONG

Aug 23, 2022, 11:18:29 AM
to OWASP ZAP User Group
Hi,

The command example that works on my side with a certificate (P12) is as follows. I put the P12 certificate in /DAST/, and you need to replace {password} with the right password.

By the way, it doesn't support only the cert; you must provide the P12. You can create your P12 from the key and certificate using openssl.

openssl pkcs12 -export -out keyStore.p12 -inkey myKey.pem -in certs.pem

Hope it is helpful.

Best regards,
Yi S.


docker run --network="host" \
  -v ~/DAST/:/zap/wrk/:rw \
  -t owasp/zap2docker-stable zap-api-scan.py \
  -t api.json \
  -f openapi \
  -z "-config certificate.use=true -config certificate.pkcs12.password={password} -config certificate.pkcs12.index=0 -config certificate.pkcs12.path=/zap/wrk/keyStore.p12" \
  -r zapReport.html \
  -d
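The procedure from the posts above, as an added, self-contained example (not code from the thread or from the ZAP project): it packages a key and certificate into the PKCS#12 keystore ZAP expects, checks that the keystore actually opens with the chosen password before the scan is launched, and assembles the zap-api-scan.py command line using the certificate.* options quoted in the post above. It generates a throw-away self-signed key and certificate as constructed test material; for a real scan you would use the client certificate issued by the API's CA. Assumptions: openssl is on PATH, the chosen directory will be mounted as /zap/wrk, and the OpenAPI spec is api.json inside it. Docker itself is not invoked; the command is printed for review.

```shell
#!/bin/sh
# Added example, not code from the thread or from ZAP.
# Builds keyStore.p12 for ZAP's client-certificate options, verifies it, and
# prints the zap-api-scan.py command that would use it.
set -e

# make_p12 DIR PASSWORD
# Creates a throw-away key and self-signed certificate (constructed test
# material) and exports DIR/keyStore.p12 protected by PASSWORD.
make_p12() {
  d=$1
  pw=$2
  mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=zap-client" \
    -keyout "$d/myKey.pem" -out "$d/certs.pem" >/dev/null 2>&1
  openssl pkcs12 -export -out "$d/keyStore.p12" \
    -inkey "$d/myKey.pem" -in "$d/certs.pem" -passout "pass:$pw"
  # The unencrypted PEM key is no longer needed once it is in the keystore;
  # do not leave it lying in a directory that gets mounted into the container.
  rm -f "$d/myKey.pem"
}

# p12_ok DIR PASSWORD
# Exit status 0 only when the keystore's MAC verifies with PASSWORD and a
# private key can be extracted, which is what ZAP needs at pkcs12.index=0.
p12_ok() {
  openssl pkcs12 -in "$1/keyStore.p12" -passin "pass:$2" -nocerts -nodes \
    >/dev/null 2>&1
}

# zap_cert_opts PASSWORD
# Value for the -z flag of zap-api-scan.py; the path is the in-container path.
zap_cert_opts() {
  printf '%s' "-config certificate.use=true -config certificate.pkcs12.password=$1 -config certificate.pkcs12.index=0 -config certificate.pkcs12.path=/zap/wrk/keyStore.p12"
}

# zap_scan_cmd DIR PASSWORD
# The full docker command, printed rather than executed so it can be reviewed.
zap_scan_cmd() {
  printf 'docker run --rm --network=host -v %s:/zap/wrk/:rw -t owasp/zap2docker-stable zap-api-scan.py -t api.json -f openapi -z "%s" -r zapReport.html -d\n' \
    "$1" "$(zap_cert_opts "$2")"
}

main() {
  dir=${1:-$(mktemp -d)}
  password=${2:-changeit}
  make_p12 "$dir" "$password"
  p12_ok "$dir" "$password" && echo "keystore $dir/keyStore.p12 opens with the given password"
  zap_scan_cmd "$dir" "$password"
}

main "$@"
```

Two caveats worth keeping in mind. The password ends up in the argv of both openssl and docker, so it is visible in `ps` output and in CI job logs; openssl accepts `-passout file:...` or `env:VAR` instead of `pass:`, but the `-z` string in the thread has no such indirection, so mask the variable in your CI system. Also, OpenSSL 3 exports PKCS#12 files with PBES2/AES by default; if the Java runtime inside the ZAP image cannot open the keystore, re-export it with `openssl pkcs12 -export -legacy ...`.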
