Scanning APIs with OWASP ZAP

As with Nikto, a generic automated OWASP ZAP scan will run into the same problem of false-negative findings. However, you can configure a ZAP scan to work better with web APIs. The first thing we will do is run an unauthenticated scan of the attack surface. We could simply plug in the target URL, but to improve the results and make sure we hit everything, we can import the target's API specification file.

You can do this by selecting Import and choosing the relevant specification file. For crAPI, select the specs.yml file that we made when reverse engineering crAPI and make sure to add the URL that you are expecting (http://crapi.apisec.ai or http://127.0.0.1:8888).

After adding the file path and target URL, select Import. The Sites window will now be filled with the target's endpoints and API requests.

You can right-click on the root, in this instance http://crapi.apisec.ai, and choose to do an active scan. Once this scan completes, you can find the results under the Alerts tab. Here you will typically find security misconfigurations affecting the target host.

The next step that you can take to improve the scan results is to perform authenticated scanning. The easiest way to perform authenticated scanning is to use the Manual Explore option.

Set the URL to your target, make sure the HUD is enabled, and choose "Launch Browser".

Once you choose to manually explore, you should see the HUD launch in a browser. Here you can select "Continue to your target". Similar to the work we did during the "Reverse Engineering APIs" module, we will go through and use the web application as an end-user.

Perform all of those actions again. Sign up for another account, sign in, and use the various features. Make sure to use the HUD to perform certain actions. At the top left of the HUD, you can add your target to the scope of testing. Once you have authenticated to the app and performed a baseline set of actions you can perform an active scan.

On the right-hand side of the HUD, you can set the Attack Mode to On. This will begin scanning and performing authenticated testing of the target. Depending on the scale of the web application that you are targeting, this scan could take a while.

As you can see above, there are many more interesting findings than in the initial generic scan. From here you should investigate the results. Work through them and determine which are actual findings and which are false positives. One important thing to note is that crAPI is vulnerable to all of the OWASP API Security Top 10. Based on the current findings from scanning, we can see that Security Misconfigurations and Injection vulnerabilities may be present. Even with authenticated scanning, we are missing many of the other vulnerabilities present in the app, which is why we will need to build out additional testing techniques in upcoming modules. Next, we will focus our testing efforts on the top two OWASP API Security Top 10 topics: authentication and authorization.
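A scan can only report on endpoints it actually requested, so it is worth checking the imported specification against the requests that were sent during manual exploration. The following is an added example, not part of the original material or of ZAP itself: it compares an OpenAPI `paths` object with a list of `METHOD URL` lines and reports operations that were never exercised. The sample spec, the request lines and all function names are constructed for illustration, and exporting the request history into that line format is assumed.

```python
import re
from urllib.parse import urlsplit

METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}
# Constructed sample: a minimal OpenAPI "paths" object (not crAPI's real spec).
SPEC = {"paths": {
    "/api/v1/login": {"post": {}},
    "/api/v1/items": {"get": {}, "post": {}},
    "/api/v1/items/recent": {"get": {}},
    "/api/v1/items/{itemId}": {"get": {}, "delete": {}, "parameters": []},
}}

# Constructed sample: one "METHOD URL" line per request the scanner sent.
REQUESTS = """\
POST http://127.0.0.1:8888/api/v1/login
GET http://127.0.0.1:8888/api/v1/items?page=2
GET http://127.0.0.1:8888/api/v1/items/recent
GET http://127.0.0.1:8888/robots.txt
"""

def template_to_regex(template):
    """Compile an OpenAPI path template; each {param} matches one path segment."""
    parts = re.split(r"(\{[^/{}]+\})", template)
    body = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile("^" + body + "/?$")

def spec_operations(spec):
    """List (METHOD, template) for each operation, skipping non-method keys."""
    return [(m.upper(), t) for t, item in spec.get("paths", {}).items()
            for m in item if m.lower() in METHODS]

def coverage_gaps(spec, request_lines):
    """Return (missed, unknown): spec operations never sent; requests not in spec."""
    ops = [(m, t, template_to_regex(t)) for m, t in spec_operations(spec)]
    covered, unknown = set(), set()
    for line in filter(str.strip, request_lines.splitlines()):
        method, url = line.split(None, 1)
        method, path = method.upper(), urlsplit(url.strip()).path or "/"
        hits = [(m, t) for m, t, rx in ops if m == method and rx.match(path)]
        if hits:
            # A literal path wins over a templated one, as OpenAPI specifies.
            covered.add(min(hits, key=lambda h: h[1].count("{")))
        else:
            unknown.add((method, path))
    return sorted({(m, t) for m, t, _ in ops} - covered), sorted(unknown)

if __name__ == "__main__":
    for label, rows in zip(("missed", "unknown"), coverage_gaps(SPEC, REQUESTS)):
        print(label, rows)
```

Operations in the `missed` list were never requested, so the absence of alerts for them says nothing about whether they are vulnerable.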
