OWASP ZAP OpenAPI Vulnerability Scanning


Bob

Nov 20, 2017, 12:15:59 AM
to OWASP ZAP User Group
Hi Guys,

I have encountered a weird problem.
First, I installed the add-ons in the OWASP ZAP GUI via the Manage Add-ons icon > Marketplace tab > install OpenAPI Support and SOAP Scanner.

Secondly, I opened my browser and visited localhost:8080/UI/, then clicked on openapi. Finally, I selected importURL (url* hostOverride) and filled out the form fields marked with an asterisk as below:


I replaced the API KEY with the API key which I copied from OWASP ZAP GUI > Tools > Options > API tab > API Key.

Furthermore, I replaced the TARGET URL with my web application's URL.

Then I clicked the importURL button. The result is as below; it's pretty weird, the entry is null:


Any advice for this situation? Thanks in advance for any help and suggestions.


Best regards,

Bob

Bob

Nov 20, 2017, 1:37:52 AM
to OWASP ZAP User Group
Remark:

I would like to test my web application with the ZAP API, and I have tried OpenAPI and SOAP, POST and GET. The browser always returned {"Result":"OK"} or the above result. Any advice? :(

Best regards,
Bob

Simon Bennetts

Nov 20, 2017, 3:57:45 AM
to OWASP ZAP User Group
Hi Bob,

Have you looked at the help that comes with the add-on? It is available via the help file and also online here: https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsOpenapiOpenapi

The URL needs to be an OpenAPI definition. Is that what you are supplying to the API?

Cheers,

Simon
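As an added example that is not part of the thread and not ZAP's own code: the importUrl form in the ZAP web UI simply issues a call to the add-on's API, so the following Python shows that call being built, and adds the check Simon is asking for, namely that whatever the url parameter points at is actually an OpenAPI/Swagger definition rather than an ordinary application page. The endpoint path and parameter names (apikey, url, hostOverride) are the ones the OpenAPI add-on exposes; the API key, host names and both sample documents are constructed placeholders, and the check is deliberately limited to JSON definitions.

```python
import json
from urllib.parse import urlencode

# Address of the local ZAP API/proxy, as used in the thread (127.0.0.1:8080).
ZAP_API_BASE = "http://127.0.0.1:8080"


def build_import_url_request(api_key, definition_url, host_override=None):
    """Build the ZAP API call behind the UI's openapi > importUrl form.

    The endpoint path and the parameter names (apikey, url, hostOverride)
    are those exposed by the OpenAPI add-on's API; the values passed in
    by the caller are placeholders, not real credentials.
    """
    params = {"apikey": api_key, "url": definition_url}
    if host_override:
        params["hostOverride"] = host_override
    return f"{ZAP_API_BASE}/JSON/openapi/action/importUrl/?{urlencode(params)}"


def looks_like_openapi_definition(document_text):
    """Sanity-check a fetched document before handing its URL to ZAP.

    Returns (ok, reason). Only JSON definitions are checked here: a document
    is accepted when its root object carries a top-level 'openapi' (OpenAPI 3)
    or 'swagger' (Swagger 2) field and a 'paths' object.
    """
    try:
        doc = json.loads(document_text)
    except json.JSONDecodeError as exc:
        return False, f"not a JSON document: {exc.msg}"
    if not isinstance(doc, dict):
        return False, "JSON root is not an object"
    version = doc.get("openapi") or doc.get("swagger")
    if version is None:
        return False, "no top-level 'openapi' or 'swagger' field"
    if not isinstance(doc.get("paths"), dict):
        return False, "definition has no 'paths' object"
    return True, f"OpenAPI/Swagger definition, version {version}"


# Constructed sample 1: a minimal Swagger 2.0 definition, i.e. the kind of
# document the importUrl 'url' parameter is expected to point at.
SAMPLE_DEFINITION = json.dumps({
    "swagger": "2.0",
    "info": {"title": "Demo API", "version": "1.0"},
    "host": "app.example.test",
    "basePath": "/api",
    "paths": {"/login": {"post": {"responses": {"200": {"description": "ok"}}}}},
})

# Constructed sample 2: an ordinary HTML page served at an application's root
# URL. Importing such a URL gives the add-on nothing it can parse.
SAMPLE_HTML_PAGE = "<!doctype html><html><body><h1>Welcome</h1></body></html>"


def check_samples():
    """Run the check over both constructed samples; returns {name: ok}."""
    return {
        "definition": looks_like_openapi_definition(SAMPLE_DEFINITION)[0],
        "html_page": looks_like_openapi_definition(SAMPLE_HTML_PAGE)[0],
    }


if __name__ == "__main__":
    for name, ok in check_samples().items():
        print(f"{name}: {'import' if ok else 'do not import'}")
    print(build_import_url_request("MyApiKey",
                                   "http://app.example.test/swagger.json",
                                   "app.example.test"))
```

Only the URL of a definition that passes a check like this is worth submitting; when the url parameter points at the application's landing page instead, there is nothing for the add-on to import, which is consistent with the empty result Bob reports.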

Bob

Nov 27, 2017, 1:58:26 AM
to OWASP ZAP User Group
Hi Simon,

Thanks for your reply. Can OWASP ZAP import the REST API definition?

Best regards,
Bob

Simon Bennetts

Nov 27, 2017, 4:01:29 AM
to OWASP ZAP User Group
ZAP can import REST APIs defined in SOAP or OpenAPI/Swagger.
Whether it can import your API I can't tell, as I don't have access to it :)
Try it and see?
You need to supply the URL of the API definition.

Cheers,

Simon

Bob

Nov 28, 2017, 10:28:56 PM
to OWASP ZAP User Group
Hi Simon,

I've replied to your advice privately; if you don't receive the private reply, please let me know, thank you :)

Best regards,
Bob

Bob

Dec 4, 2017, 11:20:43 PM
to OWASP ZAP User Group
Hi Simon,

I'm testing a web application with OWASP ZAP. I need to sign in as the system user so that I can access the whole system; otherwise I can only scan the login page, and the scan finishes within 5 mins.

So, here is the problem: the web application has a CAPTCHA on the login page to mitigate attacks. We could create a demo testing environment (without CAPTCHA) or remove the CAPTCHA for OWASP ZAP's scanning, but we can't do this now. So we plan to use the apikey to log in to the web application directly.

My environment and operation process are as below:

My OS is Windows 7 SP1, 64 bit, 8GB RAM. I have installed VirtualBox on my computer and added two virtual machines as below:
Environment 1: Ubuntu 16.04 LTS, 3GB RAM, 30GB Storage, 2 Core; ZAP 2.6.0
Environment 2: Kali GNOME 3.26.2, 4GB RAM, 20GB Storage, 2 Core; ZAP 2.7.0
I installed OWASP ZAP on Ubuntu myself, and Kali has ZAP preinstalled (it's amazing).

I have replaced some private parameters in the following procedure; hopefully you can get my point, and sorry for my bad English.


0. The default browser Firefox is proxied through ZAP, http://127.0.0.1:8080
1. Open OWASP ZAP and a terminal.
2. Create a new session.
3. Execute the following command line in the terminal: curl -x http://127.0.0.1:8080 -d "apikey=MyApiKey&userid=TheUserName&password=TheUserPassword" http://TheUrlOfMyApiLogin/
4. The terminal returned the following info: {"message":"Invalid%20Login","result":false} (sometimes the result can be true and is returned with a Token:XXXXXXX, but the scan result is no different :( so sad)
5. Back in ZAP, I can see the path (i.e. http://TheUrlOfMyApiLogin) in the Sites tab. The end path is POST:PartOfMyUrl(apikey,password,userid)
6. Then I right-clicked the top node of my URL and selected Include in New Context.
7. Right-clicked the node from point 5, and selected Flag as Context
8. Then I selected the userid and password as the login parameters.
9. I didn't flag anything as the Context Logged In/Out Indicator.
10. Opened the Session Properties and added a new user in the Users section, and enabled this user.
11. Went to the Forced User section and selected the user I had just added in the Users section. Saved the configuration.
12. Right-clicked the top node of my URL, and selected Attack > Active Scan.
13. Started the scan.

After reviewing the scan result and request history, I know this API login failed.
Could you help me figure out the problem? Thanks in advance.

Best regards,
Bob



Bob

Dec 4, 2017, 11:38:18 PM
to OWASP ZAP User Group
Regarding point 4, sometimes the result is as below:
{"message":"","result":true,"token":"TheTokenString...","url":"/"}
The scan result is the same as above (while the result is {"message":"Invalid%20Login","result":false}).

Besides, Forced User Mode is disabled; the lock icon is unlocked.

Best regards,
Bob

kingthorin+owaspzap

Dec 5, 2017, 4:43:19 AM
to OWASP ZAP User Group
If you haven't set a logged in or out identifier, ZAP has no way of knowing the authentication state of the session. You must configure at least one of them.

Bob

Dec 5, 2017, 9:52:20 PM
to OWASP ZAP User Group
Hi Kingthorin,

Thanks for your reply. I can set a Logged in Indicator when I'm using the normal way as below:
1. Proxy Firefox through ZAP (http://127.0.0.1:8080)
2. Open ZAP
3. Open my web application in Firefox
4. ZAP will record the requests and responses
5. Log in to the web application
6. Back in ZAP, find the response after I have logged in
7. Highlight the logged in indicator

But since my web application requires CAPTCHA verification, I can't authenticate by the above method. I'm using another way to carry out the authentication: POST to the API login URL with the apikey and login information, just like point 3 I described:

"3. Execute the following command line in the terminal: curl -x http://127.0.0.1:8080 -d "apikey=MyApiKey&userid=TheUserName&password=TheUserPassword" http://TheUrlOfMyApiLogin/"

The output of the above command line is as below (i.e. point 4):

"4. The terminal returned the following info: {"message":"Invalid%20Login","result":false} (sometimes the result can be true and is returned with a Token:XXXXXXX, but the scan result is no different :( so sad)"

Regarding point 4, sometimes the result is as below:
{"message":"","result":true,"token":"TheTokenString...","url":"/"}

The output (response) is highlighted in red. I don't know how or where to set the Logged in Indicator. (So sad again.) It's different from the normal way.
Maybe I have missed some steps when processing the authentication? Or am I using the wrong method? Sorry for my bad English, and if there is anything unclear about my process, please tell me; I'll try to describe it in detail.

Best regards,
Bob
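As an added example that is not part of the thread and not ZAP's own code: kingthorin's point is that ZAP decides whether a session is authenticated by matching a Logged In and/or Logged Out Indicator regex against responses, and Bob's two JSON login responses from point 4 are enough to write such regexes. The Python below takes those two responses (constructed here, with the placeholder values the thread uses), defines the kind of regex one would paste into the indicator fields, and implements a simplified model of the decision (an assumption about ZAP's internals, not its actual code) so the effect of configuring none, one, or both indicators can be seen on realistic input.

```python
import re

# Constructed responses, taken from the thread's point 4 (token is a placeholder).
RESPONSE_LOGGED_OUT = '{"message":"Invalid%20Login","result":false}'
RESPONSE_LOGGED_IN = '{"message":"","result":true,"token":"TheTokenString...","url":"/"}'

# Regexes of the kind pasted into the Logged In / Logged Out Indicator fields of
# a ZAP context. They are written against the raw JSON text of the response,
# tolerating optional whitespace around the colon, because ZAP matches the
# indicator against the response as text, not against parsed JSON.
LOGGED_IN_INDICATOR = re.compile(r'"result"\s*:\s*true')
LOGGED_OUT_INDICATOR = re.compile(r'"result"\s*:\s*false')


def auth_state(response_text, logged_in=LOGGED_IN_INDICATOR,
               logged_out=LOGGED_OUT_INDICATOR):
    """Simplified model (assumption, not ZAP's code) of the session-state check.

    - logged-in indicator configured and matching  -> "logged_in"
    - logged-out indicator configured and matching -> "logged_out"
    - neither indicator configured                 -> "unknown"
      (the situation kingthorin describes: ZAP cannot tell)
    - only one configured and it does not match    -> the opposite state
    - both configured and neither matches          -> "unknown"
    """
    if logged_in is None and logged_out is None:
        return "unknown"
    if logged_in is not None and logged_in.search(response_text):
        return "logged_in"
    if logged_out is not None and logged_out.search(response_text):
        return "logged_out"
    if logged_in is not None and logged_out is None:
        return "logged_out"
    if logged_out is not None and logged_in is None:
        return "logged_in"
    return "unknown"


def classify_samples(logged_in=LOGGED_IN_INDICATOR,
                     logged_out=LOGGED_OUT_INDICATOR):
    """Classify both sample responses under a given indicator configuration."""
    return {
        "success_response": auth_state(RESPONSE_LOGGED_IN, logged_in, logged_out),
        "failure_response": auth_state(RESPONSE_LOGGED_OUT, logged_in, logged_out),
    }


if __name__ == "__main__":
    print("no indicators:", classify_samples(None, None))
    print("logged-in only:", classify_samples(LOGGED_IN_INDICATOR, None))
    print("both indicators:", classify_samples())
```

With no indicator configured, both responses come back "unknown", which is why the scan in the thread behaves the same whether the login succeeded or not. The indicator is flagged on the login response that ZAP recorded in its History when the curl request went through the proxy, i.e. the one containing "result":true. One caveat worth knowing: the indicator only tells ZAP whether a response shows it as logged in; keeping the session across the scan still depends on the token being sent on later requests, which ZAP's default cookie-based session handling does only when the application sets it as a cookie.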