It is possible to scan APIs with OWASP Zed Attack Proxy (ZAP).
More precisely, we will use the ZAP API scan script (zap-api-scan.py), which imports an API definition, runs ZAP's passive and active scan rules against every endpoint it describes, and writes a report.
First we need to pull the ZAP Docker image:
docker pull owasp/zap2docker-stable
(The owasp/zap2docker-* images on Docker Hub have since been retired in favour of ghcr.io/zaproxy/zaproxy:stable; the commands below work unchanged with that image name substituted.)
To scan the API we need:
- The API definition, i.e. the OpenAPI/Swagger file, either as a URL (for example: https://petstore.swagger.io/v2/swagger.json) or as a local file placed in the current directory
- The bearer token, if the API requires authentication; ZAP's replacer add-on will inject it as an Authorization header into every request the scanner sends
docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-api-scan.py -z "-config replacer.full_list(0).description=auth1 \
-config replacer.full_list(0).enabled=true \
-config replacer.full_list(0).matchtype=REQ_HEADER \
-config replacer.full_list(0).matchstr=Authorization \
-config replacer.full_list(0).regex=false \
-config replacer.full_list(0).replacement='Bearer 123456MYBEARER'" -t https://my-api.com/doc/swagger.json -f openapi -r report.html -a
The six -config entries define one replacer rule: match the request header named Authorization (matchtype=REQ_HEADER, regex=false) and set its value to "Bearer 123456MYBEARER". Note the single quotes around the value: the script splits the -z string into separate ZAP arguments before starting ZAP, so an unquoted Bearer 123456MYBEARER would be cut at the space and the token would never reach the API. If the scan output is full of 401 responses, this quoting is the first thing to check.
The volume mount $(pwd):/zap/wrk/:rw is required because every path given to the script (-r report.html, or a local definition passed with -t) is resolved inside the container under /zap/wrk, so the report ends up in the current directory on the host. The remaining options: -t is the API definition (URL or local file), -f openapi its format (soap and, in recent versions, graphql are also accepted), -r the HTML report, and -a additionally enables the alpha passive scan rules. The script exits 0 when nothing was found, 1 on FAIL, 2 on WARN and 3 on other errors (for example when the definition could not be imported), which is what a CI job should check rather than just the presence of the report.
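As an added example (not part of the original page, and not ZAP's own code), here is a small POSIX sh wrapper around the command above. It builds the replacer options with the token quoted so that the script's shell-style splitting of the -z string keeps "Bearer <token>" together, runs the scan only when the hypothetical ZAP_API_DEF variable is set (ZAP_IMAGE and ZAP_BEARER are likewise this script's own names, not ZAP options), and maps the script's exit code to a status word a CI job can act on.

```shell
#!/bin/sh
# Added example wrapper for zap-api-scan.py. ZAP_IMAGE, ZAP_API_DEF and
# ZAP_BEARER are this script's own (hypothetical) environment variables.
set -eu

ZAP_IMAGE="${ZAP_IMAGE:-owasp/zap2docker-stable}"

# Build the -z string: six -config entries that make ZAP's replacer add-on
# set "Authorization: Bearer <token>" on every outgoing request. The value is
# single-quoted inside the string because the script splits -z into separate
# ZAP arguments; an unquoted "Bearer <token>" would break at the space.
build_replacer_opts() {
    token="$1"
    printf '%s' \
        "-config replacer.full_list(0).description=auth1 " \
        "-config replacer.full_list(0).enabled=true " \
        "-config replacer.full_list(0).matchtype=REQ_HEADER " \
        "-config replacer.full_list(0).matchstr=Authorization " \
        "-config replacer.full_list(0).regex=false " \
        "-config replacer.full_list(0).replacement='Bearer ${token}'"
}

# Map zap-api-scan.py exit codes to a status word:
# 0 = no issues, 1 = FAIL, 2 = WARN, 3 = other error (e.g. import failed).
scan_status() {
    case "$1" in
        0) echo PASS ;;
        1) echo FAIL ;;
        2) echo WARN ;;
        *) echo ERROR ;;
    esac
}

# Run the scan against an API definition (URL, or a file in the current
# directory, which is mounted as /zap/wrk) and write the HTML report there.
# Returns the script's own exit code so a CI step can fail on it.
run_scan() {
    api_def="$1"
    token="$2"
    report="${3:-report.html}"
    rc=0
    docker run --rm -v "$(pwd):/zap/wrk/:rw" -t "$ZAP_IMAGE" zap-api-scan.py \
        -t "$api_def" -f openapi -r "$report" -a \
        -z "$(build_replacer_opts "$token")" || rc=$?
    echo "ZAP API scan: $(scan_status "$rc") (exit $rc), report in $(pwd)/$report" >&2
    return "$rc"
}

# Only start a scan when the caller provided an API definition; sourcing the
# file without it just defines the functions.
if [ -n "${ZAP_API_DEF:-}" ]; then
    run_scan "$ZAP_API_DEF" "${ZAP_BEARER:?set ZAP_BEARER to the bearer token}"
fi
```

Usage: ZAP_API_DEF=https://my-api.com/doc/swagger.json ZAP_BEARER=123456MYBEARER sh zap_api_scan.sh. Treat exit codes 1 and 3 as a failed pipeline step, and decide per project whether 2 (warnings only) should block.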