Zap Proxy
ZAP (Zed Attack Proxy) is an open source scanner for web applications and APIs.
The pentesting process with ZAP has three phases:
- Explore: discover the endpoints of the target
- Attack: attack the API and find its vulnerabilities
- Report: a common report format in which to review the results
When you are attacking an API, the explore phase can be done in several ways:
- Brute force (forced browsing): starting from a single base URL, ZAP requests candidate paths from a wordlist and keeps the ones that respond, which is how it discovers endpoints that no definition documents.
- Import an API definition: this is the critical step for modern APIs. ZAP can ingest definitions in several formats, such as OpenAPI (Swagger), GraphQL or WSDL. Importing the definition gives ZAP a map of every endpoint, parameter and method, which greatly accelerates both the discovery and the attack phases. You can do this from the ZAP UI under "Import" or through the ZAP API exposed by the corresponding add-on.
- Configure ZAP as a proxy: set up your API client (e.g. Postman, a browser with an extension such as FoxyProxy, or a command-line tool such as curl) to route all of its traffic through ZAP, so every request it makes is recorded as an endpoint. The default ZAP proxy address is localhost:8080. For HTTPS targets the client must also trust ZAP's root CA certificate, since ZAP terminates TLS in order to see the traffic.
It is important to understand what policies are in OWASP ZAP. A policy is a configuration that defines exactly which rules run during an active scan, and with what settings. Rules are the individual checks that ZAP performs to find vulnerabilities.
Policies control three main aspects of a scan:
The rules: a policy dictates which scanner rules are enabled or disabled for a given scan, so the scan can be tailored to the target application.
Alert threshold: how certain a rule must be before it raises an alert (Low, Medium, High, or Off, which disables the rule). Raising the threshold reduces false positives at the cost of missing borderline findings.
Attack strength: how many requests each rule sends (Low, Medium, High or Insane). This balances the depth of the scan against the load it puts on the target.
Recommended API Policy
For scanning APIs, the API Policy is the recommended choice. This specialized policy is pre-configured to focus on vulnerabilities that are most relevant to APIs, such as insecure direct object references, and leaves out checks that only apply to traditional web UIs (e.g. cross-site scripting). A targeted policy like this makes the scan faster and its findings more relevant; check the policy's rule list before relying on it, because anything disabled there is never tested.
Configure ZAP in the APIOps life cycle (CI/CD)
ZAP can be driven in two ways:
- Directly through zap-cli. It is not an official ZAP project (https://github.com/Grunny/zap-cli).
- Through Docker, using the official images published by the ZAP project (https://github.com/zaproxy/zaproxy) and talking to ZAP's REST API.
Now we will look at the requests a pipeline sends to ZAP's JSON API when it runs in Docker (the host name zap is the container's network alias, and every call carries the API key):
- Import the OpenAPI definition. The file is read by the ZAP process, so inside Docker the path must point to a directory mounted into the container:
  curl "http://zap:8080/JSON/openapi/action/importFile/?file=$(pwd)/$APIQ_API_FILENAME&target=${APIQ_ZAP_TARGET_URL}&apikey=$ZAP_API_KEY"
- Import the scan policy:
  curl "http://zap:8080/JSON/ascan/action/importScanPolicy/?path=${ZAP_POLICY_FILE}&apikey=$ZAP_API_KEY"
- Start the active scan. The parameter that selects the policy is scanPolicyName, spaces in the name are encoded as %20, and the "scan" field of the response is the scan id used to poll progress through /JSON/ascan/view/status/:
  curl "http://zap:8080/JSON/ascan/action/scan/?url=${APIQ_ZAP_TARGET_URL}&scanPolicyName=${APIQ_ZAP_POLICY_NAME// /%20}&apikey=$ZAP_API_KEY" | jq -r '.scan'
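The three calls above are the skeleton of a CI stage; what a pipeline still needs is to wait for the scan to finish and turn the alerts into a pass/fail decision. The following script is an added example, not code from this page, from the ZAP project or from API Quality. It drives the same ZAP JSON endpoints (openapi importFile, ascan importScanPolicy, ascan scan, ascan status, core alerts) with the standard library only, polls until the scan reports 100%, and fails the job when any High-risk alert exists. The host name zap, the environment variable names and the mount path /zap/wrk are assumptions carried over from the curl examples; the fetch parameter exists only so the flow can be exercised without a live ZAP.

```python
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request


class ZapClient:
    """Thin wrapper over ZAP's JSON API (example code, not ZAP's own client)."""

    def __init__(self, base_url, api_key, fetch=None):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        # fetch(url) -> response body; injectable so the flow can be run against a fake
        self._fetch = fetch or self._http_get

    @staticmethod
    def _http_get(url):
        try:
            with urllib.request.urlopen(url, timeout=30) as resp:
                return resp.read().decode()
        except urllib.error.HTTPError as err:
            # ZAP answers API errors with a 4xx and a JSON body; hand it back so call() reports it
            return err.read().decode()

    def url(self, component, kind, name, **params):
        """Build /JSON/<component>/<action|view>/<name>/?...&apikey=..., spaces as %20."""
        params["apikey"] = self.api_key
        query = urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
        return f"{self.base_url}/JSON/{component}/{kind}/{name}/?{query}"

    def call(self, component, kind, name, **params):
        data = json.loads(self._fetch(self.url(component, kind, name, **params)))
        if isinstance(data, dict) and "code" in data and "message" in data:
            raise RuntimeError(f"ZAP {component}/{name}: {data['code']} {data['message']}")
        return data

    def import_openapi(self, spec_path, target):
        # spec_path is read by the ZAP process: in Docker it must be inside a mounted directory
        return self.call("openapi", "action", "importFile", file=spec_path, target=target)

    def import_policy(self, policy_path):
        return self.call("ascan", "action", "importScanPolicy", path=policy_path)

    def start_scan(self, target, policy_name):
        # the policy is selected with scanPolicyName; the returned "scan" value is the scan id
        return self.call("ascan", "action", "scan", url=target, scanPolicyName=policy_name)["scan"]

    def scan_progress(self, scan_id):
        return int(self.call("ascan", "view", "status", scanId=scan_id)["status"])

    def wait_for_scan(self, scan_id, interval=5, timeout=1800, sleep=time.sleep):
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            if self.scan_progress(scan_id) >= 100:
                return True
            sleep(interval)
        return False

    def alerts(self, target):
        return self.call("core", "view", "alerts", baseurl=target)["alerts"]


def count_by_risk(alerts):
    counts = {"High": 0, "Medium": 0, "Low": 0, "Informational": 0}
    for alert in alerts:
        risk = alert.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
    return counts


def gate_passed(counts, fail_on=("High",)):
    """Pipeline gate: no alert at any of the listed risk levels."""
    return all(counts.get(risk, 0) == 0 for risk in fail_on)


def run_api_scan(client, spec_path, policy_path, policy_name, target, sleep=time.sleep):
    client.import_openapi(spec_path, target)
    client.import_policy(policy_path)
    scan_id = client.start_scan(target, policy_name)
    if not client.wait_for_scan(scan_id, sleep=sleep):
        raise TimeoutError(f"ZAP scan {scan_id} did not finish in time")
    return count_by_risk(client.alerts(target))


if __name__ == "__main__":
    # Same variable names as the curl calls; "zap" is the assumed Docker network alias of the
    # ZAP container and /zap/wrk the assumed directory mounted into it.
    env = os.environ
    client = ZapClient(env.get("ZAP_BASE_URL", "http://zap:8080"), env["ZAP_API_KEY"])
    counts = run_api_scan(client, f"/zap/wrk/{env['APIQ_API_FILENAME']}", env["ZAP_POLICY_FILE"],
                          env["APIQ_ZAP_POLICY_NAME"], env["APIQ_ZAP_TARGET_URL"])
    print(json.dumps(counts))
    raise SystemExit(0 if gate_passed(counts) else 1)
```

The script expects ZAP to be already running in daemon mode with the API enabled and the key configured (for the Docker image that is the zap.sh -daemon invocation with api.key set). Failing only on High is a starting point; tightening fail_on to ("High", "Medium") is a one-argument change once the Medium findings for the API have been triaged.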
ZAP in API Quality
API Quality lets you configure your APIOps (CI/CD) pipeline to run a comprehensive security and quality scan with a single click. Enabling the stage sets up the whole APIOps configuration automatically, streamlining your workflow.
You only need to select the desired policy and you receive your results immediately.
Do you want to do pen-testing easily?
