
Scanning REST APIs through OWASP ZAP inside a Docker environment

I set up an Azure DevOps CI/CD build that starts a VM where OWASP ZAP is running as a proxy, and where the OWASP ZAP Azure DevOps task runs against a target URL and copies my report to Azure Storage.

I followed this guy's beautiful tutorial: https://kasunkodagoda.com/2017/09/03/introducing-owasp-zed-attack-proxy-task-for-visual-studio-team-services/ (he is also the guy who created the Azure DevOps task).

All well and good, but recently I wanted to use a REST API as the target URL. The OWASP ZAP task in Azure DevOps doesn't have that ability. I even asked the creator ( https://github.com/kasunkv/owasp-zap-vsts-task/issues/30#issuecomment-452258621 ) and he also didn't think this is available through the Azure DevOps task, only through Docker.

On my next quest I am now trying to get it running inside a Docker image. (First inside Azure DevOps, but that wasn't smooth: https://github.com/zaproxy/zaproxy/issues/5176 .) I finally ended up at this tutorial ( https://zaproxy.blogspot.com/2017/06/scanning-apis-with-zap.html ),

where I am trying to run a Docker image with the following steps:

1. Pull the image:

   docker pull owasp/zap2docker-weekly

2. Run the container:

   docker run -v ${pwd}:/zap/wrk/:rw -t owasp/zap2docker-weekly zap-api-scan.py -t https://apiurl/api.json -f openapi -z "-configfile /zap/wrk/options.prop "

3. The options.prop file:

   -config replacer.full_list\(0\).description=auth1 \
   -config replacer.full_list\(0\).enabled=true \
   -config replacer.full_list\(0\).matchtype=REQ_HEADER \
   -config replacer.full_list\(0\).matchstr=Authorization \
   -config replacer.full_list\(0\).regex=false \
   -config replacer.full_list\(0\).replacement=Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

But this scans only the root URL, not every URL. As I am typing this question I tried downloading the JSON file from the root and running the docker run command passing that JSON file with -t. I am getting "number of imported URLs:" with what seems to be everything, but then it seems to freeze inside PowerShell.

Which step am I missing to get a full recursive scan of my REST API? Does anyone have some ideas or some help please?

Firstly, your property file format is wrong. You only need the '-config' and the '\'s if you set the options directly on the command line. In the property file you should have:

replacer.full_list(0).description=auth1
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER
replacer.full_list(0).matchstr=Authorization
replacer.full_list(0).regex=false
replacer.full_list(0).replacement=Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Secondly, what does https://apiurl/api.json return, and have you checked that you can access it from within your Docker container? Try running

curl https://apiurl/api.json

and see what you get.
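The following is an added example, not code from the question, the answer, or the ZAP project. It wraps the questioner's docker run procedure (steps 1 to 3 above) and applies both points of the answer: the replacer rule is written as a plain Java-properties file with no '-config' prefix and no trailing backslashes, with the token taken from an environment variable instead of being hard-coded, and the API definition is fetched and checked before the scan starts, so that an HTML login page or error body at that URL is reported instead of silently yielding a scan of only the root URL. Assumptions not in the thread: the definition is saved into the mounted work directory and passed to -t as a bare file name, which zap-api-scan.py resolves under /zap/wrk; the HTML report is requested with -r; the token is in ZAP_BEARER_TOKEN. The sample OpenAPI document in the block is constructed for illustration.

```python
"""Wrapper for zap-api-scan.py in owasp/zap2docker-weekly (added example,
not from the original thread or the ZAP project)."""
import json
import os
import subprocess
import sys
import urllib.request
from pathlib import Path
from typing import List

IMAGE = "owasp/zap2docker-weekly"

# Constructed sample definition: two paths, so a correct import gives 2.
SAMPLE_DEFINITION = json.dumps({
    "openapi": "3.0.0",
    "info": {"title": "sample", "version": "1"},
    "paths": {"/users": {"get": {}}, "/users/{id}": {"get": {}, "delete": {}}},
})


def build_options_prop(token: str, description: str = "auth1") -> str:
    """Render the replacer rule in the form ZAP's -configfile expects:
    bare key=value lines, no '-config' prefix, no line continuations."""
    lines = [
        f"replacer.full_list(0).description={description}",
        "replacer.full_list(0).enabled=true",
        "replacer.full_list(0).matchtype=REQ_HEADER",
        "replacer.full_list(0).matchstr=Authorization",
        "replacer.full_list(0).regex=false",
        f"replacer.full_list(0).replacement=Bearer {token}",
    ]
    return "\n".join(lines) + "\n"


def openapi_path_count(definition: str) -> int:
    """Number of paths in an OpenAPI/Swagger JSON document.

    Raises ValueError when the body is not a usable definition, which is
    what a login page, a redirect target or an error page looks like.
    """
    try:
        doc = json.loads(definition)
    except json.JSONDecodeError as exc:
        raise ValueError(f"definition is not JSON: {exc}") from exc
    if not isinstance(doc, dict) or not ("openapi" in doc or "swagger" in doc):
        raise ValueError("no 'openapi' or 'swagger' version field")
    paths = doc.get("paths")
    if not isinstance(paths, dict) or not paths:
        raise ValueError("no paths defined; ZAP would only have the root URL")
    return len(paths)


def build_docker_command(workdir: str, definition_file: str,
                         prop_file: str = "options.prop") -> List[str]:
    """The docker run line from the question, reading the definition from
    the mounted directory and writing the report back into it."""
    return [
        "docker", "run", "--rm",
        "-v", f"{workdir}:/zap/wrk/:rw",
        IMAGE, "zap-api-scan.py",
        "-t", definition_file,  # bare name, resolved under /zap/wrk (assumption)
        "-f", "openapi",
        "-r", "report.html",
        "-z", f"-configfile /zap/wrk/{prop_file}",
    ]


def main(definition_url: str, workdir: str = ".") -> int:
    token = os.environ.get("ZAP_BEARER_TOKEN")
    if not token:
        print("set ZAP_BEARER_TOKEN first", file=sys.stderr)
        return 2
    work = Path(workdir).resolve()

    # Fetch with the same header ZAP will inject, so a definition that itself
    # sits behind auth is reachable, and fail early if it is not a definition.
    req = urllib.request.Request(definition_url,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    try:
        n = openapi_path_count(body)
    except ValueError as exc:
        print(f"{definition_url}: {exc}\n{body[:200]}", file=sys.stderr)
        return 1
    print(f"definition has {n} paths")

    (work / "api.json").write_text(body)
    prop_path = work / "options.prop"
    prop_path.write_text(build_options_prop(token))
    prop_path.chmod(0o600)  # the file holds a live bearer token

    cmd = build_docker_command(str(work), "api.json")
    print(" ".join(cmd))
    return subprocess.run(cmd).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "."))
```

Run it as `ZAP_BEARER_TOKEN=... python3 zap_api_scan.py https://apiurl/api.json .` from the directory you want mounted as /zap/wrk. The docker line omits `-t` (a TTY) since nothing interactive happens in a CI run, and the options file is written with mode 0600 because it contains the token; delete it after the scan or keep the work directory out of any published artifact.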
