scan Rest api with xml payload

[Kineye]

I currently need to scan a rest api with an xml payload, I have mad a list of urls for the api scan to interact with but I don't know how to best scan it. It is not currently possible to change the api from xml to json. Do i just set Soap as the api type due to the xml or is there a better workaround?

[psiinon]

So you have to use an XML payload in order to attack (part of) your app?

Are any XML requests made when you explore your app in ZAP?

Is so then you should be good - ZAP should recognise the XML and attack your app via the XML tags and attributes.

You can test this in the ZAP GUI by selecting one of the requests with XML data and performing an active scan on just that request.

Have a look through the requests ZAP makes and you will hopefully see those attacks.

If not then your best option is to make some suitable test XML requests as part of your exploring.

Exploring your app effectively is key.

Theres not really much point in ZAP blindly sending XML/JSON payloads to every endpoint if finds.

However if it sees structured data being sent then it will be able to attack your app via payloads in structured data.

Does that make sense?

Cheers,

Simon

On Mon, Aug 28, 2023 at 3:26 PM Kineye <janikjd...@gmail.com> wrote:

I currently need to scan a rest api with an xml payload, I have mad a list of urls for the api scan to interact with but I don't know how to best scan it. It is not currently possible to change the api from xml to json. Do i just set Soap as the api type due to the xml or is there a better workaround?

--
You received this message because you are subscribed to the Google Groups "ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/ae672aed-dfeb-41f1-8f85-0e81b99c9e17n%40googlegroups.com.

--

ZAP Project leader

[Kineye]

Thanks for the response Simon

Sorry for not mentioning this before but this (part) is an API only application. Therefore exploration is not possible unless you mean copy and pasting into the requester. Or is there another possibility to explore apis which I am not aware of?
 I have checked the requests Zap made but there is no xml payload present in any of the requests. I specified the openapi.json in the scan which should normally be enough for zap to know what request to send and what urls exist. So with this openapi description it wouldn't be blindly sending requests, since this is the whole construction plan for the whole api. Or is the Openapi specification limited to json payload requests?

Thanks in advance   

[psiinon]

See https://github.com/zaproxy/zaproxy/issues/6767 :/

To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/a6370335-8302-435f-8ffd-9db6ee2461bfn%40googlegroups.com.

--

ZAP Project leader

[Kineye]

Thanks for the help :)