API - Scanning

Dhimant Shah

Aug 9, 2022, 6:11:01 AM
to OWASP ZAP User Group
Hi,

   I am performing API scanning using ZAP in docker with the command below:
docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-weekly zap-api-scan.py -a -c zap_config_file -t openapi.yaml -f openapi -r security_report_2.html ...

The above scan reports high-level issues in the API.

Now I need to understand whether I need to perform fuzzing and more detailed penetration testing on the API based on each
- POST request using payload and header
- GET request based on query parameters and header

Can someone help on how I should proceed further?



Simon Bennetts

Aug 9, 2022, 6:38:05 AM
to OWASP ZAP User Group
We cannot tell you what you "need" to do, as that all depends on your requirements.
An automated scan using a tool like ZAP is a great way to find a range of vulnerabilities; however, it will not be as effective as a manual test performed by a skilled and experienced pentester. The latter will of course cost a non-trivial amount of money.

Cheers,

Simon

Jonathan Patton

Aug 9, 2022, 7:49:28 AM
to OWASP ZAP User Group
Good morning, I am building the same thing. New to OWASP ZAP here, but I am running it in the same configuration as you. One thing I'm working on is trying to get the developer who wrote the APIs to put the API definitions out there where I can pull them dynamically as a URL. If your API changes, which developers do from time to time, then you will need to re-download your API definition. The security bugs depend upon how strongly typed their language is. The API may handle incorrect data okay, recognizing it's not numeric, etc. So I say that to say that you could put lots of data into your payload, but it may easily handle that like a champ. It really depends on who the developer was. I would almost try manually with Postman first and see what type of response you get. Manual testing is going to be more complex, but you can then perform tests such as Broken Object Authorization tests, etc., because you can interpret the data being returned.

As a side question, did you put authentication values into your zap_config_file? I am wondering where to store those.

Thanks,

Dhimant Shah

Aug 9, 2022, 8:15:46 AM
to OWASP ZAP User Group
Thanks Simon for the response.

The current scan I have done is without specifying the authentication as well as the request payload. I am a bit confused as to how ZAP is able to perform an active scan without authentication.
In my API each endpoint requires an API key or token, and I have not provided one, yet ZAP is still able to scan it.

Furthermore, these APIs are backend APIs. So my question is: if I need to find more vulnerabilities in my API, what are the next steps?

Dhimant Shah

Aug 9, 2022, 8:17:54 AM
to OWASP ZAP User Group
I have not specified it, but you can use options.prop and use the replacer functionality. Also, if you have only one header and value, then create a ZAP configuration file and call it with -z.

Simon Bennetts

Aug 9, 2022, 8:42:03 AM
to OWASP ZAP User Group
Well, this is why it's helpful to include more info rather than less in your first post :P
Your first post said nothing about authentication.
If you have not configured ZAP to handle it then ZAP should just be doing an authenticated scan, which is probably of little use unless your app's authentication is completely broken.
Configuring ZAP to handle auth would be a very good next step: https://www.zaproxy.org/docs/authentication/

Cheers,

Simon

Dhimant Shah

Aug 10, 2022, 4:01:48 AM
to OWASP ZAP User Group
Thanks Simon. I added options.prop with the header, which is the API key. What I have observed is that the results of the scan are the same with or without options.prop.
Also, one more thing: I am using replacer to add the header values, and in the API spec we have the same header with different values.
I am not able to configure that using replacer.

docker run -v$(pwd):/zap/wrk/:rw -t owasp/zap2docker-weekly zap-api-scan.py -t <<swagger file>> -f openapi -z "-config/zap/wrk/options.prop" -r webchat_security_transcript_report.html

The above command picks up details from options.prop; however there is no change in output with authentication or without authentication.

Thanks
Dhimant Shah  

Simon Bennetts

Aug 10, 2022, 4:08:21 AM
to OWASP ZAP User Group
Hi Dhimant,

I don't know exactly what you've specified in your options.prop file, but I don't think that's going to work.
Are you trying to use the authentication env vars?
If so then you need to set them as standard OS env vars - in docker you do this via the docker "-e" or "--env" options.

Cheers,

Simon

Dhimant Shah

Aug 10, 2022, 4:33:32 AM
to OWASP ZAP User Group
Hi Simon,

  I am using the replacer functions as mentioned in
docker run -v$(pwd):/zap/wrk/:rw -t owasp/zap2docker-weekly zap-api-scan.py -t <<swagger file>> -f openapi -z "-configfile /zap/wrk/options.prop" -r webchat_security_transcript_report.html

Sample options.prop file
**********************************************
-config replacer.full_list\\(0\\).description=auth1 \
-config replacer.full_list\\(0\\).enabled=true \
-config replacer.full_list\\(0\\).matchtype=REQ_HEADER \
-config replacer.full_list\\(0\\).matchstr=Authorization \
-config replacer.full_list\\(0\\).regex=false \
-config replacer.full_list\\(0\\).replacement=123456789 \
-config replacer.full_list\\(1\\).description=auth2 \
-config replacer.full_list\\(1\\).enabled=true \
-config replacer.full_list\\(1\\).matchtype=REQ_HEADER \
-config replacer.full_list\\(1\\).matchstr=AnotherHeader \
-config replacer.full_list\\(1\\).regex=false \
-config replacer.full_list\\(1\\).replacement=abcdefghi
**********************************************

Will the above command use options.prop to perform an authenticated scan, correct?

Thanks
Dhimant Shah

Simon Bennetts

Aug 10, 2022, 4:35:31 AM
to OWASP ZAP User Group
Hi Dhimant,

That's not the right format for the file.

Cheers,

Simon

Dhimant Shah

Aug 10, 2022, 7:28:43 AM
to OWASP ZAP User Group
Thanks Simon
I have used a conf file with replacer within it, and the command used is
docker container run -v $(pwd):/zap/wrk/:rw owasp/zap2docker-stable zap-api-scan.py -t <<filename>>.yml -f openapi -d -z "-configfile /zap/wrk/conf" -r webchat_transcript_prop.html

The active scan is performed, but there is no difference with the above file or without it.

Example conf file
replacer.full_list(0).description=auth1
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER
replacer.full_list(0).matchstr=Authorization
replacer.full_list(0).regex=false
replacer.full_list(0).replacement=SBSBSB
replacer.full_list(1).description=auth2
replacer.full_list(1).enabled=true
replacer.full_list(1).matchtype=REQ_HEADER
replacer.full_list(1).matchstr=AnotherHeader
replacer.full_list(1).regex=false
replacer.full_list(1).replacement=BLAHBLAH

Not sure whether it is taking the values.

Thanks
Dhimant Shah
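
Putting this conf file and the earlier options.prop side by side, here is an added shell example (not from the thread or from the ZAP project) that writes the replacer properties one per line, rejects both the "-config ... \" style and the packed one-line style, and prints the zap-api-scan.py command; the header names, values and file names are placeholders I made up, and ZAP_AUTH_HEADER / ZAP_AUTH_HEADER_VALUE are the env vars the ZAP docker scan scripts read, passed through with "-e" as Simon suggests.

```shell
#!/bin/sh
# Added example, not from the thread: build a ZAP -configfile for the
# Replacer add-on (one key=value per line, no "-config" prefixes) and
# assemble the zap-api-scan.py docker command that loads it. Header
# names/values and file names are constructed placeholders.

# write_replacer_conf FILE NAME=VALUE [NAME=VALUE ...]
# One replacer.full_list(N).* block per header, as used in the thread.
write_replacer_conf() {
  conf="$1"; shift
  : > "$conf"
  i=0
  for pair in "$@"; do
    name=${pair%%=*}
    value=${pair#*=}
    {
      printf '%s\n' "replacer.full_list($i).description=auth-$name"
      printf '%s\n' "replacer.full_list($i).enabled=true"
      printf '%s\n' "replacer.full_list($i).matchtype=REQ_HEADER"
      printf '%s\n' "replacer.full_list($i).matchstr=$name"
      printf '%s\n' "replacer.full_list($i).regex=false"
      printf '%s\n' "replacer.full_list($i).replacement=$value"
    } >> "$conf"
    i=$((i + 1))
  done
}

# check_conf_format FILE: returns 1 for the two mistakes seen in the
# thread, a "-config key=value \" line (that is -z syntax, not file
# syntax) or several properties packed onto one line.
check_conf_format() {
  grep -qvE '^[A-Za-z0-9_.()]+=' "$1" && return 1
  grep -qE '=.*[[:space:]][A-Za-z0-9_.()]+=' "$1" && return 1
  return 0
}

# zap_api_scan_cmd SPEC REPORT CONF: print the docker command. If
# ZAP_AUTH_HEADER_VALUE is set in the calling shell, the scan scripts'
# own auth env vars are passed through with "-e" (Simon's route).
zap_api_scan_cmd() {
  envopts=""
  if [ -n "${ZAP_AUTH_HEADER_VALUE:-}" ]; then
    envopts="-e ZAP_AUTH_HEADER -e ZAP_AUTH_HEADER_VALUE"
  fi
  printf 'docker run %s -v "%s":/zap/wrk/:rw -t owasp/zap2docker-stable zap-api-scan.py -t %s -f openapi -r %s -d -z "-configfile /zap/wrk/%s"\n' \
    "$envopts" "$(pwd)" "$1" "$2" "$3"
}
```

Run check_conf_format on the file before the scan: a failure there explains a scan whose findings do not change with or without the file, which was the symptom in this thread.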

Simon Bennetts

Aug 10, 2022, 10:06:23 AM
to OWASP ZAP User Group
Hi Dhimant

The easiest way to test if something is working in ZAP is to use the ZAP desktop - you can start that with the config file you've created.
If that's not an option for you then see this FAQ: https://www.zaproxy.org/docs/docker/diagnosing-problems/

Cheers,

Simon

Dhimant Shah

Aug 17, 2022, 4:54:16 AM
to OWASP ZAP User Group
Thanks Simon 

I have gone through the diagnosis steps and I have found the following issue in the ZAP log.
Command used:
docker container run -v $(pwd):/zap/wrk/:rw owasp/zap2docker-weekly zap-api-scan.py -t transcriptWebchat.yml -f openapi -r webchat_transcript_prop.html -z "-configfile /zap/wrk/config.xml -dir /zap/wrk"

Errors:
[ZAP-cfu] WARN  ExtensionCallHome - Certificate chain may be invalid. Are you using a corporate or intermediate proxy? Is its CA certificate in your Java truststore?
ERROR ExtensionCallHome - PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

If I just perform a basic curl on the example.com website from the container, I get the issue mentioned below:
- docker run -t owasp/zap2docker-stable curl https://www.example.com
- curl: (60) SSL certificate problem: unable to get local issuer certificate

Thanks
Dhimant Shah

Simon Bennetts

Aug 17, 2022, 5:10:37 AM
to OWASP ZAP User Group
Did you read the error messages? :)

"Certificate chain may be invalid. Are you using a corporate or intermediate proxy? Is its CA certificate in your Java truststore?"

Dhimant Shah

Sep 5, 2022, 7:37:49 AM
to OWASP ZAP User Group
Hi Simon,
   We cannot execute ZAP via our local machine; however, we can execute it via a build tool like Jenkins or Git-CI...

   I have done
   however I am getting the following 4 issues.
   First issue:
   - Import warnings: [‘Failed to access URL] : Request Time out 
   - zap_common.ScanNotStartedException
   - [ZAP-ProxyThread-10] WARN  org.zaproxy.zap.extension.api.API - Bad request to API endpoint [/JSON/ascan/action/scan/]

The command used for this is
docker run -v $PWD:/zap/wrk/:rw -t owasp/zap2docker-stable zap-api-scan.py -t transcriptWebchat.yml -f openapi -r webchat_security_transcript_report.html -d -z "-config script.scripts.name=httpAuthentication -config script.scripts.engine='Oracle Nashorn' -config script.scripts.type=httpsender -config script.scripts.enabled=true -config script.scripts.file=/zap/wrk/httpAuthentication.js -dir /zap/wrk/"

Thanks
Dhimant Shah  

Simon Bennetts

Sep 6, 2022, 3:27:37 AM
to OWASP ZAP User Group

Cheers,

Simon