Scan rules executed by zap-api-scan.py


Salvatore Patti

Nov 28, 2022, 10:34:44 AM
to OWASP ZAP User Group
Hi,

I am performing an API-Scan using the zap-api-scan.py as suggested here: https://www.zaproxy.org/docs/docker/api-scan/

It is not clear to me how I can customize what scans are being executed.
For example, I would like to include the Log4Shell Active Rule.

I tried to generate a configuration using the "-g" parameter, and then I added a line "40043 - Log4Shell" but it didn't work.
I tried to modify the API-Minimal.policy file, adding a <p40043>..., and rebuilt the Docker image myself; this also didn't work, as it seems to me that the API-Minimal.policy is just ignored by the script.

Thank you for any help,
BR,
Salvatore

Simon Bennetts

Nov 28, 2022, 10:43:56 AM
to OWASP ZAP User Group
Hi Salvatore

The Log4Shell rule requires an OAST service to be configured: https://www.zaproxy.org/blog/2021-12-14-log4shell-detection-with-zap/
If that is not configured then the rule will be ignored.

Cheers,

Simon

Salvatore Patti

Nov 30, 2022, 4:45:50 AM
to OWASP ZAP User Group
Hi Simon,

Thank you for your answer.
The Log4Shell rule was actually a bad example; the main question is how I modify the set of rules used by zap-api-scan.py.
I added a rule (90034) in the API-Minimal.policy file, rebuilt the Docker image and it worked.

Is this the supposed way to do it? I didn't find any documentation about it.

BR,
Salvatore
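To make the policy-file approach from the thread repeatable (add a `<pNNNNN>` entry, then rebuild or mount the file into the image), here is an added Python example, not code from the thread or from the ZAP project, that enables a rule by ID in a ZAP-style policy XML and lists which rules a policy enables. The sample policy is constructed here, and its layout (a `<plugins>` element holding `<p<id>>` entries with `enabled`, `level` and `strength` children) is an assumption to check against the real API-Minimal.policy; note also that enabling a rule is not enough when it has external prerequisites, as the Log4Shell rule's OAST requirement shows.

```python
import xml.etree.ElementTree as ET

# Constructed minimal policy in the layout assumed for ZAP's API-Minimal.policy
# (plugins keyed by rule id as <p<id>>). The real file ships in the Docker image.
POLICY_XML = """<configuration>
  <policy>API-Minimal</policy>
  <scanner>
    <level>OFF</level>
    <strength>MEDIUM</strength>
  </scanner>
  <plugins>
    <p90034>
      <enabled>true</enabled>
      <level>MEDIUM</level>
      <strength>MEDIUM</strength>
    </p90034>
  </plugins>
</configuration>
"""


def enable_rule(policy_xml: str, rule_id: int, level: str = "MEDIUM",
                strength: str = "MEDIUM") -> str:
    """Return policy XML with rule `rule_id` enabled; idempotent if already present."""
    root = ET.fromstring(policy_xml)
    plugins = root.find("plugins")
    if plugins is None:
        plugins = ET.SubElement(root, "plugins")
    tag = f"p{rule_id}"
    plugin = plugins.find(tag)
    if plugin is None:
        plugin = ET.SubElement(plugins, tag)
    # Overwrite (or create) the three settings ZAP keys a plugin entry on.
    for name, value in (("enabled", "true"), ("level", level), ("strength", strength)):
        child = plugin.find(name)
        if child is None:
            child = ET.SubElement(plugin, name)
        child.text = value
    return ET.tostring(root, encoding="unicode")


def enabled_rules(policy_xml: str) -> list[int]:
    """Rule ids whose <enabled> flag is true, sorted, for a quick review of a policy."""
    root = ET.fromstring(policy_xml)
    ids = []
    for plugin in root.findall("./plugins/*"):
        if plugin.tag.startswith("p") and plugin.findtext("enabled", "false").lower() == "true":
            ids.append(int(plugin.tag[1:]))
    return sorted(ids)
```

Run `enabled_rules` on the policy before and after editing to confirm that only the intended rule IDs changed.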