OWASP Zed Attack Proxy (ZAP) is an open-source tool for security testing, penetration testing (pen tests) with many features like API scan, full web scan, baseline scan.
The example below will show steps to run API scan using the headless version (docker)
1. prepare your header configuration, e.g., authorization, access token by creating file "options.prop" with this content
replacer.full_list(0).description=access token
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER
replacer.full_list(0).matchstr=access-token
replacer.full_list(0).regex=false
replacer.full_list(0).replacement=xxx
replacer.full_list(1).description=another header
replacer.full_list(1).enabled=true
replacer.full_list(1).matchtype=REQ_HEADER
replacer.full_list(1).matchstr=another-header
replacer.full_list(1).regex=false
replacer.full_list(1).replacement=yyy
The sample above assume that your APIs have these 2 headers
- key: access-token value: xxx
- key: another-header value: yyy
2. run this command to start API scan
docker run -t --rm \
-v $(pwd):/zap/wrk/:rw owasp/zap2docker-weekly zap-api-scan.py \
-t api.yaml -f openapi -r report.html \
-z "-configfile /zap/wrk/options.prop"
Note that
- api.yaml is your swagger file
- owasp/zap2docker-weekly is the docker image weekly build, you can change to stable or daily build version
- report.html is the reporting file after scanning success
You can file more details here.
ไม่มีความคิดเห็น:
แสดงความคิดเห็น