In this blog post, we’ll walk through the process of scanning APIs using ZAP (Zed Attack Proxy) Proxy. ZAP is a popular tool for finding vulnerabilities in web applications during development and testing phases. It’s ideal for developers new to web security and professional penetration testers alike.
Step 1: Login to Your API
The first step is to login to your API. This is typically done by sending a POST request to the login endpoint of your API with the appropriate credentials. The response will usually include an authorization token that you can use for subsequent requests.
Step 2: Write Headers to options.prop File
After logging in, you need to write all the headers in the options.prop file. This file is used by ZAP to replace certain parts of the HTTP requests it sends with the values you specify. Here’s an example of how to format the headers:
```properties
# One rule per header; a second header would use replacer.full_list(1), and so on.
replacer.full_list(0).description=authorization
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER
replacer.full_list(0).matchstr=authorization
replacer.full_list(0).regex=false
replacer.full_list(0).replacement=bearer <token>
```
In this example, we’re replacing the authorization request header with the bearer token we received when we logged in. Replace <token> with your actual token.
Step 3: Run ZAP from Docker Container
Now that we have our `options.prop` file set up, we can run ZAP. We’ll use a Docker container for this, specifically the `softwaresecurityproject/zap-stable` image. This image comes with ZAP pre-installed and ready to use.
Here’s the command to run ZAP from the Docker container:
```bash
# -v mounts the working directory so ZAP can read swagger.yaml and options.prop
# and write the reports back to it; -z hands the rules file to ZAP via -configfile.
docker run -v "$(pwd):/zap/wrk/:rw" softwaresecurityproject/zap-stable \
  python3 /zap/zap-api-scan.py -t swagger.yaml -J dast-report.json -d \
  -r dast-report.html -I -S -f openapi -z "-configfile /zap/wrk/options.prop"
```
This command tells ZAP to:
- Use the `swagger.yaml` file as the target for the scan (`-t`).
- Generate a JSON report (`-J dast-report.json`).
- Generate an HTML report (`-r dast-report.html`).
- Print debug messages while it runs (`-d`).
- Ignore any ‘unscannable’ issues (`-I`).
- Run in safe mode (`-S`), which skips the active scan and only performs the passive baseline scan; leave this flag out when you want ZAP to actively probe the API.
- Treat the target as an OpenAPI (Swagger) definition (`-f openapi`).
- Use the `options.prop` file for request replacements (`-z`).
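Steps 1 and 2 are the part you will want to script in a pipeline, since the token expires and the file has to be regenerated for every run. The following is an added example, not code from the original post or from the ZAP project: it posts credentials to an assumed `/login` endpoint (JSON body with `username`/`password`, JSON response with a `token` field), then renders one replacer rule per header in the `key=value` form that ZAP's `-configfile` option reads. It also refuses header values containing line breaks, which would otherwise let a value smuggle extra configuration keys into the file.

```python
import json
import urllib.request
from typing import Dict

# Assumed endpoint and field names; change them for the API under test.
LOGIN_PATH = "/login"


def login(base_url: str, username: str, password: str) -> str:
    """Step 1: POST credentials and return the token from the JSON response."""
    body = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(
        base_url + LOGIN_PATH, data=body, method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["token"]


def _prop_value(value: str) -> str:
    """Escape a value for a Java-style properties file; reject line breaks,
    which would otherwise let a crafted value inject extra ZAP config keys."""
    if "\n" in value or "\r" in value:
        raise ValueError("header names and values must be single-line")
    return value.replace("\\", "\\\\")


def build_replacer_config(headers: Dict[str, str]) -> str:
    """Step 2: one ZAP replacer rule per header, numbered full_list(0), (1), ...
    Each rule matches the request header name literally and replaces it."""
    lines = []
    for i, (name, value) in enumerate(headers.items()):
        key = f"replacer.full_list({i})"
        lines += [
            f"{key}.description={_prop_value(name)}",
            f"{key}.enabled=true",
            f"{key}.matchtype=REQ_HEADER",
            f"{key}.matchstr={_prop_value(name)}",
            f"{key}.regex=false",
            f"{key}.replacement={_prop_value(value)}",
        ]
    return "\n".join(lines) + "\n"


def write_options_file(path: str, headers: Dict[str, str]) -> int:
    """Write the rules to `path` and return the number of rules written."""
    with open(path, "w", encoding="utf-8") as f:
        f.write(build_replacer_config(headers))
    return len(headers)


if __name__ == "__main__":
    # Constructed token; a real pipeline would call login(base_url, user, pw).
    token = "constructed.example.token"
    write_options_file("options.prop", {"authorization": f"bearer {token}"})
```

Run it just before the Docker command so the freshly issued token is what ZAP injects into every request.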
Integrating with GitHub Actions
Here’s an example of how you can set up a GitHub Actions workflow to automatically run a ZAP scan whenever code is pushed to your repository:
```yaml
name: ZAP Scan
on: [push]
jobs:
  zap_scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Run ZAP Scan
        run: |
          # Mount the checkout so ZAP can read swagger.yaml/options.prop and write the reports.
          docker run -v "$(pwd):/zap/wrk/:rw" softwaresecurityproject/zap-stable \
            python3 /zap/zap-api-scan.py -t swagger.yaml -J dast-report.json -d \
            -r dast-report.html -I -S -f openapi -z "-configfile /zap/wrk/options.prop"
```
ZAP will now scan your API and generate reports detailing any security issues it finds. Remember, automated tools like ZAP can’t find every possible issue, so manual code review and testing is still important. But ZAP can give you a good starting point and help catch common issues.