Scanning APIs with OWASP ZAP

Importing API Specification in OWASP ZAP

  1. Open OWASP ZAP and select the "Import" option.

  2. Choose the relevant API specification file (e.g., specs.yml) for crAPI and provide the target URL (http://crapi.apisec.ai or http://127.0.0.1:8888).

  3. After adding the file path and target URL, select "Import." The Sites window will now display the target's endpoints and API requests.

  4. Right-click on the root (e.g., http://crapi.apisec.ai) and choose to perform an active scan. Results will be available under the Alerts tab.

Authenticated Scanning with Manual Explore

  1. Improve scan coverage by performing an authenticated scan through the Manual Explore option: the active scan launched from the imported specification runs without a session, so endpoints that sit behind a login are not exercised.

  2. Set the URL to the target, enable the HUD, and choose "Launch Browser."

  3. The HUD will launch in a browser. Select "Continue to your target" and use the web application as an end-user.

  4. Perform actions such as signing up, signing in, and using various features. Use the HUD to perform actions and add the target to the scope.

  5. On the right side of the HUD, set Attack Mode to On. This initiates scanning and authenticated testing of the target.

  6. The scan may take a while depending on the web application's scale. Review the results under the Alerts tab.

  7. Investigate the findings and differentiate between actual vulnerabilities and false positives. Note that crAPI exhibits vulnerabilities from the OWASP API Security Top 10, including Security Misconfiguration and Injection.
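Step 7 is where most of the work lives: an active scan of crAPI produces many alerts, and ZAP reports the same weakness once per endpoint and parameter. The following script is an added example, not code from this page, from ZAP, or from the crAPI project. It reads a report exported from ZAP with the "Traditional JSON" template (Report > Generate Report), flattens it to one record per alert, endpoint and parameter, ranks the records by risk and confidence, and tags each one with what to do next. The `SAMPLE_REPORT` is a constructed stand-in with the same structure as a real export; its endpoints and findings are illustrative, not actual scan output, and the triage rule in `triage()` is an assumption of this example rather than a ZAP default.

```python
"""Triage alerts from a ZAP "Traditional JSON" report (added example).

Assumes the report was exported from ZAP after the crAPI scan; SAMPLE_REPORT
below is a constructed stand-in with the same shape, not real scan output.
"""
import json
from collections import defaultdict

# ZAP encodes risk and confidence as numeric strings in the JSON report.
RISK = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}
CONFIDENCE = {"0": "False Positive", "1": "Low", "2": "Medium",
              "3": "High", "4": "User Confirmed"}

# Constructed sample: illustrative findings against a local crAPI instance.
SAMPLE_REPORT = json.dumps({
    "@version": "2.14.0",
    "site": [{
        "@name": "http://127.0.0.1:8888",
        "@host": "127.0.0.1",
        "alerts": [
            {"pluginid": "40018", "name": "SQL Injection", "riskcode": "3",
             "confidence": "2", "cweid": "89",
             "instances": [
                 {"uri": "http://127.0.0.1:8888/workshop/api/shop/products",
                  "method": "GET", "param": "limit", "evidence": "syntax error"},
                 {"uri": "http://127.0.0.1:8888/workshop/api/shop/products",
                  "method": "GET", "param": "offset", "evidence": "syntax error"}]},
            {"pluginid": "10021", "name": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2", "cweid": "693",
             "instances": [
                 {"uri": "http://127.0.0.1:8888/identity/api/auth/login",
                  "method": "POST", "param": "", "evidence": ""}]},
            {"pluginid": "90020", "name": "Remote OS Command Injection",
             "riskcode": "3", "confidence": "1", "cweid": "78",
             "instances": [
                 {"uri": "http://127.0.0.1:8888/community/api/v2/community/posts",
                  "method": "GET", "param": "q", "evidence": ""}]},
        ],
    }],
})


def load_alerts(report_json):
    """Flatten a ZAP JSON report into one record per (alert, endpoint, param)."""
    findings = []
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            for inst in alert.get("instances", []):
                findings.append({
                    "plugin": alert["pluginid"],
                    "name": alert["name"],
                    "risk": RISK.get(alert["riskcode"], "Unknown"),
                    "confidence": CONFIDENCE.get(alert["confidence"], "Unknown"),
                    "cwe": alert.get("cweid", ""),
                    "method": inst.get("method", ""),
                    "uri": inst.get("uri", ""),
                    "param": inst.get("param", ""),
                    "evidence": inst.get("evidence", ""),
                })
    return findings


def triage(findings, min_risk="Medium"):
    """Split findings into a review queue and a parked list.

    Rule of thumb (an assumption of this example, not a ZAP default):
    risk at or above min_risk goes to the queue; a queued finding with Low
    confidence or no evidence is tagged "verify manually" rather than
    dropped, because only reproducing it separates a real injection from a
    false positive. Everything below min_risk is parked for later.
    """
    order = ["Informational", "Low", "Medium", "High"]
    conf_order = list(CONFIDENCE.values())
    queue, parked = [], []
    for f in findings:
        if order.index(f["risk"]) < order.index(min_risk):
            parked.append(f)
            continue
        f = dict(f)
        weak = f["confidence"] == "Low" or not f["evidence"]
        f["action"] = "verify manually" if weak else "reproduce and fix"
        queue.append(f)
    # Highest risk first, then highest confidence; stable for equal keys.
    queue.sort(key=lambda f: (-order.index(f["risk"]),
                              -conf_order.index(f["confidence"])))
    return queue, parked


def summarize(findings):
    """Count findings per alert name so repeated endpoints do not inflate the picture."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["name"]] += 1
    return dict(counts)


if __name__ == "__main__":
    all_findings = load_alerts(SAMPLE_REPORT)
    queue, parked = triage(all_findings)
    for f in queue:
        print(f"[{f['risk']}/{f['confidence']}] {f['name']} {f['method']} "
              f"{f['uri']} param={f['param']!r} -> {f['action']}")
    print("parked:", summarize(parked))
```

To use it on a real export, replace `SAMPLE_REPORT` with the contents of the generated JSON file. Keeping low-confidence findings in the queue with a "verify manually" tag, instead of discarding them, is deliberate: the injection checks ZAP runs against crAPI are the ones most worth reproducing by hand before a finding is called a false positive.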
