Scanning APIs with OWASP ZAP

Importing API Specification in OWASP ZAP

  1. Open OWASP ZAP and select the "Import" option.

    Import API Specification
  2. Choose the relevant API specification file (e.g., specs.yml) for crAPI and provide the target URL (http://crapi.apisec.ai or http://127.0.0.1:8888).

    Specify File and URL
  3. After adding the file path and target URL, select "Import." The Sites window will now display the target's endpoints and API requests.

    Sites Window
  4. Right-click on the root (e.g., http://crapi.apisec.ai) and choose to perform an active scan. Results will be available under the Alerts tab.

    Perform Active Scan

Authenticated Scanning with Manual Explore

  1. Improve scan results by performing authenticated scanning using the Manual Explore option.

    Manual Explore
  2. Set the URL to the target, enable the HUD, and choose "Launch Browser."

    Launch Browser
  3. The HUD will launch in a browser. Select "Continue to your target" and use the web application as an end-user.

    HUD Browser
  4. Perform actions such as signing up, signing in, and using various features, so that ZAP records authenticated traffic. Use the HUD to add the target to the scope.

    Add to Scope
  5. On the right side of the HUD, set Attack Mode to On. This initiates scanning and authenticated testing of the target.

    Attack Mode On
  6. The scan may take a while depending on the web application's scale. Review the results under the Alerts tab.

    Scan Results
  7. Investigate the findings and differentiate between actual vulnerabilities and false positives. Note that crAPI exhibits vulnerabilities from the OWASP API Security Top 10, including Security Misconfigurations and Injection.
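To support step 7, here is an added Python helper (not part of the original page or of ZAP) that reads a ZAP JSON report and separates alerts worth acting on from low-confidence ones that need manual verification. It assumes the field names of ZAP's traditional JSON report (`site`, `alerts`, `riskcode`, `confidence`, `instances`); the sample report below is constructed for illustration.

```python
import json

# Constructed sample in the shape of a ZAP JSON report (values invented for illustration).
SAMPLE_REPORT = json.dumps({
    "site": [{
        "@name": "http://127.0.0.1:8888",
        "alerts": [
            {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "http://127.0.0.1:8888/a", "method": "GET", "param": "id"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "http://127.0.0.1:8888/", "method": "GET", "param": ""},
                           {"uri": "http://127.0.0.1:8888/b", "method": "GET", "param": ""}]},
            {"pluginid": "90022", "alert": "Application Error Disclosure",
             "riskcode": "1", "confidence": "1",
             "instances": [{"uri": "http://127.0.0.1:8888/c", "method": "POST", "param": ""}]},
            {"pluginid": "10049", "alert": "Storable but Non-Cacheable Content",
             "riskcode": "0", "confidence": "0", "instances": []},
        ],
    }],
})

# ZAP's numeric scales for risk and confidence (0 confidence = already marked false positive).
RISK = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
CONFIDENCE = {0: "False Positive", 1: "Low", 2: "Medium", 3: "High", 4: "User Confirmed"}


def triage(report_json, min_confidence=2):
    """Return (actionable, needs_review): alerts at or above min_confidence versus
    lower-confidence ones to verify by hand, each list sorted by descending risk.
    Alerts already marked False Positive in ZAP are dropped."""
    report = json.loads(report_json)
    actionable, needs_review = [], []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            risk, conf = int(alert["riskcode"]), int(alert["confidence"])
            if conf == 0:
                continue
            entry = {"alert": alert["alert"], "pluginid": alert["pluginid"],
                     "risk": risk, "risk_label": RISK.get(risk, "?"),
                     "confidence": conf, "confidence_label": CONFIDENCE.get(conf, "?"),
                     "instances": len(alert.get("instances", []))}
            (actionable if conf >= min_confidence else needs_review).append(entry)
    order = lambda e: (-e["risk"], -e["confidence"], e["alert"])
    return sorted(actionable, key=order), sorted(needs_review, key=order)


if __name__ == "__main__":
    for label, group in zip(("ACT ON", "REVIEW"), triage(SAMPLE_REPORT)):
        for e in group:
            print(f"{label}: {e['risk_label']:<13} {e['confidence_label']:<7} "
                  f"x{e['instances']} {e['alert']} (plugin {e['pluginid']})")
```

Point it at a real report with `triage(open("zap-report.json").read())`; raising `min_confidence` to 3 narrows the actionable list to ZAP's high-confidence findings only.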
