ZAP REST API EndPoint Test


Nick Manfreda

Apr 20, 2017, 6:53:09 PM
to OWASP ZAP User Group
How can you test a REST API endpoint using ZAP?

Simon Bennetts

Apr 21, 2017, 3:57:58 AM
to OWASP ZAP User Group
The first thing to do is make sure you can explore them effectively.
If they are defined using SOAP or OpenAPI/Swagger then you're in luck - I've recently written a blog about how you can explore those with ZAP: https://zaproxy.blogspot.com/2017/04/exploring-apis-with-zap.html
If they don't have any definition then you'll need to proxy a client through ZAP and explore them via actual use (application, regression tests, manual).

Once you have explored them then you can use the active scanner, but many of the rules are really aimed at web apps rather than APIs.
I'm hoping to address that in the near future.
You can also use manual features like the fuzzer.

Cheers,

Simon

Hari S

Nov 27, 2017, 3:40:02 AM
to OWASP ZAP User Group
Hi Simon,

I followed this https://zaproxy.blogspot.com/2017/04/exploring-apis-with-zap.html and explored the REST API, and have scanned the URL by going through the sites and right clicking the Active Scan.

But I am a little confused, as it always returned the error message. Of course I need to pass the authentication process, but I want to know how this can be achieved, and the report too.

Thanks,
Hari

Simon Bennetts

Nov 27, 2017, 3:59:42 AM
to OWASP ZAP User Group
What error message?
You might like to also have a look at this blog post, as it covers active scanning and authentication for REST APIs: https://zaproxy.blogspot.com/2017/06/scanning-apis-with-zap.html

Cheers,

Simon
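The workflow Simon outlines across both replies (explore the API from its OpenAPI definition, authenticate the scanner's requests, active-scan the imported endpoints, pull a report) can be driven end to end against a ZAP daemon through ZAP's own local HTTP API. The script below is an added example written for this thread; it is not code from the thread or from the ZAP project. It uses only the Python standard library and the documented ZAP API actions and views named in each function (`openapi/action/importUrl`, `replacer/action/addRule`, `ascan/action/scan`, `ascan/view/status`, `alert/view/alertsSummary`, `core/other/htmlreport`). The daemon address, API key, spec URL, target host and bearer token are placeholders you replace with your own.

```python
"""Drive a locally running ZAP daemon through its HTTP API to explore a
REST API from its OpenAPI definition, authenticate the scanner's requests,
active-scan the imported endpoints and save a report.

Added example, not code from the thread or from the ZAP project. Only the
standard library is used; the daemon address, API key, spec URL, target
and token below are placeholders (assumptions), not values from the thread."""
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://127.0.0.1:8080"      # ZAP daemon address (assumption)
API_KEY = "REPLACE_WITH_ZAP_API_KEY"    # placeholder; matches ZAP's api.key setting


def api_url(component, kind, name, params=None, fmt="JSON"):
    """Build a ZAP API URL: <base>/<fmt>/<component>/<kind>/<name>/?apikey=..&k=v.
    None-valued params are dropped so optional ZAP parameters can stay unset."""
    query = {"apikey": API_KEY}
    query.update({k: v for k, v in (params or {}).items() if v is not None})
    return "%s/%s/%s/%s/%s/?%s" % (ZAP_BASE, fmt, component, kind, name,
                                    urllib.parse.urlencode(query))


def call(component, kind, name, params=None):
    """GET a JSON-format API action/view and return the decoded response."""
    with urllib.request.urlopen(api_url(component, kind, name, params), timeout=60) as resp:
        return json.loads(resp.read().decode("utf-8"))


def import_openapi(spec_url, host_override=None):
    """Step 1: explore the API by importing its OpenAPI/Swagger definition
    (openapi add-on). hostOverride points the generated requests at the
    host you actually want scanned when the spec names a different one."""
    return call("openapi", "action", "importUrl",
                {"url": spec_url, "hostOverride": host_override})


def build_auth_rule(token, description="api-bearer-token"):
    """Parameters for a Replacer rule that sets the Authorization header on
    every request ZAP sends, so the active scanner is not answered with 401s."""
    return {
        "description": description,
        "enabled": "true",
        "matchType": "REQ_HEADER",
        "matchRegex": "false",
        "matchString": "Authorization",
        "replacement": "Bearer " + token,
    }


def add_auth_header_rule(token):
    """Step 2: install the Replacer rule built above."""
    return call("replacer", "action", "addRule", build_auth_rule(token))


def run_active_scan(target, poll_seconds=5):
    """Step 3: active-scan everything under target and block until the
    status view reports 100%. Returns the scan id."""
    scan_id = call("ascan", "action", "scan", {"url": target, "recurse": "true"})["scan"]
    while int(call("ascan", "view", "status", {"scanId": scan_id})["status"]) < 100:
        time.sleep(poll_seconds)
    return scan_id


def save_html_report(path):
    """Step 4: write ZAP's HTML report. The OTHER format returns raw HTML,
    not JSON, so it is fetched without decoding. Returns bytes written."""
    with urllib.request.urlopen(api_url("core", "other", "htmlreport", fmt="OTHER"),
                                timeout=60) as resp:
        data = resp.read()
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    # Placeholder spec URL, target and token; substitute your own.
    target = "https://api.example.test"
    import_openapi(target + "/openapi.json", host_override=target)
    add_auth_header_rule("REPLACE_WITH_BEARER_TOKEN")
    sid = run_active_scan(target)
    summary = call("alert", "view", "alertsSummary", {"baseurl": target})
    print("scan", sid, "finished; alerts by risk:", summary)
    print("report bytes written:", save_html_report("zap-api-report.html"))
```

Run it against a daemon started with `zap.sh -daemon -port 8080 -config api.key=<your key>`. Using the Replacer rule rather than a full authentication context is the simplest way to hand a pre-obtained token to the scanner; it applies to every request ZAP sends, including the active scanner's, so a 401 or 403 on the imported endpoints after this step points at the token itself rather than at ZAP's configuration.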