Scanning APIs with OWASP ZAP
Importing API Specification in OWASP ZAP
Open OWASP ZAP and select the "Import" option.
[Figure: Import API Specification]
Choose the relevant API specification file (e.g., specs.yml) for crAPI and provide the target URL (http://crapi.apisec.ai or http://127.0.0.1:8888).
[Figure: Specify File and URL]
After adding the file path and target URL, select "Import." The Sites window will now display the target's endpoints and API requests.
[Figure: Sites Window]
Right-click on the root (e.g., http://crapi.apisec.ai) and choose to perform an active scan. Results will be available under the Alerts tab.
[Figure: Perform Active Scan]
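The same import-and-scan steps can be driven without the GUI through ZAP's Automation Framework. The plan below is an added example, not from the original page; it assumes the spec is saved as ./specs.yml, that crAPI is reachable at http://127.0.0.1:8888, and that reports go to ./zap-reports.

```yaml
# ZAP Automation Framework plan (added example, not from the original page).
# Assumed: spec at ./specs.yml, crAPI at http://127.0.0.1:8888, reports in ./zap-reports.
env:
  contexts:
    - name: crapi
      urls:
        - http://127.0.0.1:8888
  parameters:
    failOnError: true        # stop the plan if a job fails (e.g. spec does not parse)
    failOnWarning: false
    progressToStdout: true

jobs:
  # Same as "Import" in the GUI: load the OpenAPI spec and point it at the target.
  - type: openapi
    parameters:
      apiFile: ./specs.yml
      targetUrl: http://127.0.0.1:8888
      context: crapi

  # Let passive scanning finish on the imported requests before the active scan.
  - type: passiveScan-wait
    parameters:
      maxDuration: 5         # minutes

  # Same as right-click on the root -> Active Scan in the Sites window.
  - type: activeScan
    parameters:
      context: crapi
      maxScanDurationInMins: 30

  # Equivalent of reviewing the Alerts tab: write the findings to an HTML report.
  - type: report
    parameters:
      template: traditional-html
      reportDir: ./zap-reports
      reportFile: crapi-active-scan
      reportTitle: crAPI active scan
```

Run it headless with `zap.sh -cmd -autorun plan.yaml` (the openapi job requires the OpenAPI Support add-on), then triage the report the same way as the Alerts tab.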
Authenticated Scanning with Manual Explore
Improve scan results by performing authenticated scanning using the Manual Explore option.
[Figure: Manual Explore]
Set the URL to the target, enable the HUD, and choose "Launch Browser."
[Figure: Launch Browser]
The HUD will launch in a browser. Select "Continue to your target" and use the web application as an end-user.
[Figure: HUD Browser]
Perform actions such as signing up, signing in, and using various features. Use the HUD to perform actions and add the target to the scope.
[Figure: Add to Scope]
On the right side of the HUD, set Attack Mode to On. This initiates scanning and authenticated testing of the target.
[Figure: Attack Mode On]
The scan may take a while depending on the web application's scale. Review the results under the Alerts tab.
[Figure: Scan Results]
Investigate the findings and differentiate between actual vulnerabilities and false positives. Note that crAPI exhibits vulnerabilities from the OWASP API Security Top 10, including Security Misconfigurations and Injection.