03 December 2020

Security test, penetration test (pen test) your API using OWASP Zed Attack Proxy (ZAP)

OWASP Zed Attack Proxy (ZAP) is an open-source tool for security testing and penetration testing (pen testing). It ships with several ready-made scan modes, such as the API scan, the full web scan and the baseline scan.

The example below shows the steps to run an API scan with the headless (Docker) version.

1. Prepare your header configuration (e.g., an authorization or access-token header) by creating a file named "options.prop" with this content:

replacer.full_list(0).description=access token
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER
replacer.full_list(0).matchstr=access-token
replacer.full_list(0).regex=false
replacer.full_list(0).replacement=xxx
replacer.full_list(1).description=another header
replacer.full_list(1).enabled=true
replacer.full_list(1).matchtype=REQ_HEADER
replacer.full_list(1).matchstr=another-header
replacer.full_list(1).regex=false
replacer.full_list(1).replacement=yyy

The sample above assumes that your API expects these two request headers. Each entry is a rule for ZAP's Replacer add-on: with matchtype REQ_HEADER and regex=false, matchstr is the header name, and ZAP adds that header to every request it sends (or overwrites it if the request already carries one), so the scanner's traffic is authenticated.

- key: access-token  value: xxx

- key: another-header  value: yyy


2. Run this command to start the API scan:

docker run -t --rm \
  -v $(pwd):/zap/wrk/:rw owasp/zap2docker-weekly zap-api-scan.py \
  -t api.yaml -f openapi -r report.html \
  -z "-configfile /zap/wrk/options.prop"

Note that

- api.yaml is your OpenAPI (Swagger) definition. A local file must sit in the directory mounted at /zap/wrk (here, the current directory), and the host or servers entry inside the definition decides which API actually gets scanned; the -O option of zap-api-scan.py overrides that hostname if the definition points somewhere else.

- owasp/zap2docker-weekly is the weekly-build Docker image; you can switch to the stable or live build. Newer ZAP releases publish the images at ghcr.io/zaproxy/zaproxy instead of Docker Hub.

- report.html is the report written into the mounted directory once the scan finishes. The container runs as the unprivileged zap user, so that directory must be writable by it. zap-api-scan.py exits non-zero when the scan raises WARN or FAIL alerts, which is what lets you use it as a CI gate (add -I to ignore warnings).

- options.prop contains a live credential: keep it out of version control and delete it after the scan.
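The two steps above combined into one POSIX shell script, as an added example that is not code from the original post or from the ZAP project: it writes options.prop from a NAME=VALUE argument list so the real token is never typed into a file by hand, rejects malformed input, and then runs the same docker command. The ACCESS_TOKEN variable, the header names and the script file name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: generate the ZAP replacer
# configuration from variables instead of hand-editing a file that holds
# the real token, then run the same headless API scan.
# Assumptions (not in the post): the token arrives in ACCESS_TOKEN, the
# OpenAPI file is api.yaml in the current directory, docker is installed.

# write_replacer_props FILE NAME=VALUE [NAME=VALUE ...]
# Emits one replacer.full_list(N) rule per header. REQ_HEADER rules make ZAP
# add the header to every request it sends (or overwrite an existing one).
write_replacer_props() {
  out="$1"
  shift
  : > "$out"
  chmod 600 "$out"               # the file will hold a live credential
  i=0
  for pair in "$@"; do
    case "$pair" in
      *=*) ;;
      *) echo "expected NAME=VALUE, got: $pair" >&2; return 1 ;;
    esac
    name="${pair%%=*}"
    value="${pair#*=}"
    cat >> "$out" <<EOF
replacer.full_list($i).description=$name
replacer.full_list($i).enabled=true
replacer.full_list($i).matchtype=REQ_HEADER
replacer.full_list($i).matchstr=$name
replacer.full_list($i).regex=false
replacer.full_list($i).replacement=$value
EOF
    i=$((i + 1))
  done
}

# count_replacer_rules FILE -> number of rules in the file (sanity check
# before handing it to ZAP, which silently ignores malformed keys)
count_replacer_rules() {
  grep -c '^replacer\.full_list([0-9]*)\.description=' "$1"
}

# run_api_scan SPEC REPORT PROPS
# Same command as in the post; PROPS is read from the mounted /zap/wrk dir.
# The image is the one the post uses; newer ZAP releases publish images at
# ghcr.io/zaproxy/zaproxy instead.
run_api_scan() {
  docker run -t --rm -v "$(pwd):/zap/wrk/:rw" owasp/zap2docker-weekly \
    zap-api-scan.py -t "$1" -f openapi -r "$2" \
    -z "-configfile /zap/wrk/$3"
}

# Usage: ACCESS_TOKEN=... sh zap-api-scan.sh run
if [ "${1:-}" = run ]; then
  [ -n "${ACCESS_TOKEN:-}" ] || { echo "ACCESS_TOKEN is not set" >&2; exit 1; }
  write_replacer_props options.prop \
    "access-token=$ACCESS_TOKEN" "another-header=yyy"
  run_api_scan api.yaml report.html options.prop
  status=$?                      # non-zero on WARN/FAIL alerts: usable as a CI gate
  rm -f options.prop             # do not leave the token on disk after the scan
  exit "$status"
fi
```

Passing the rules on the command line instead, with -z "-config replacer.full_list(0).replacement=...", also works, but then the token is visible in the container's arguments (docker inspect, ps on the host), which is why the script keeps the file route and restricts its permissions.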

You can find more details here.
