Running ZAP Proxy scans on APIs
Introduction
This blog post explains how to perform security scanning of APIs using ZAP Proxy from the command line.
This approach is especially useful for automated API testing as part of CI/CD pipelines.
APIs pose unique challenges for security testing since traditional spidering or crawling techniques often don’t apply. However, APIs are frequently documented in machine-readable formats such as:
- SOAP
- OpenAPI / Swagger
These formats can be directly used by ZAP to perform automated scans.
To get started, use the following Docker commands:
docker pull ghcr.io/zaproxy/zaproxy:latest
docker run -t ghcr.io/zaproxy/zaproxy:latest zap-api-scan.py -t https://www.example.com/openapi.json -f openapi
By default, the script:
- Imports the API definition supplied
- Actively scans the API using a custom scan profile tuned for APIs
- Reports any issues found to the command line
More information: ZAP API Scan Documentation
Running API Scan Against Local API Spec
If your file is named spec.yaml, you can mount the current directory into the Docker container and specify the correct path to the spec file. Make sure to run the command from the directory containing the file.
docker run -v $(pwd):/zap/wrk/:rw -t ghcr.io/zaproxy/zaproxy:latest zap-api-scan.py -t /zap/wrk/spec.yaml -f openapi
Adding Authorization Headers to Your APIs
To add authorization headers, use the following command:
docker run -v $(pwd):/zap/wrk/:rw -t ghcr.io/zaproxy/zaproxy:latest zap-api-scan.py -t /zap/wrk/spec.yaml -f openapi -d -z "-config replacer.full_list(0).description=auth1 -config replacer.full_list(0).enabled=true -config replacer.full_list(0).matchtype=REQ_HEADER -config replacer.full_list(0).matchstr=Authorization -config replacer.full_list(0).regex=false -config replacer.full_list(0).replacement='Bearer MY-JWT-TOKEN'"
Explanation of Configuration Options
- replacer.full_list(0).description=auth1: Adds a description for this replacement rule.
- replacer.full_list(0).enabled=true: Enables this specific replacement rule.
- replacer.full_list(0).matchtype=REQ_HEADER: Applies this replacement to HTTP request headers.
- replacer.full_list(0).matchstr=Authorization: Specifies the header to match.
- replacer.full_list(0).regex=false: Indicates that the match string is not a regex.
- replacer.full_list(0).replacement='Bearer MY-JWT-TOKEN': The token to be injected in the Authorization header.
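The following wrapper script ties the local-spec scan and the header-injection options above into something you can drop into a pipeline. It is an added example, not code from the original post or from the ZAP project. It assumes the spec sits in the current directory, that the bearer token is supplied through an environment variable named ZAP_AUTH_TOKEN rather than typed into the command line, and that HTML and JSON reports are written into the mounted work directory with the -r and -J options of zap-api-scan.py. The function names (replacer_opts, require_token, zap_scan_cmd, run_scan, scan_verdict) are this example's own.

```shell
#!/bin/sh
# Added CI wrapper around zap-api-scan.py (not from the original post or the
# ZAP project). Assumed: the spec lives in the current directory, the bearer
# token arrives in the ZAP_AUTH_TOKEN environment variable, and reports are
# written as report.html / report.json into the mounted work directory.

ZAP_IMAGE="${ZAP_IMAGE:-ghcr.io/zaproxy/zaproxy:latest}"

# Build the -z replacer options that add one header to every request ZAP
# sends. $1 = header name, $2 = header value (rule index 0, as in the post).
replacer_opts() {
  printf '%s' \
    "-config replacer.full_list(0).description=auth1" \
    " -config replacer.full_list(0).enabled=true" \
    " -config replacer.full_list(0).matchtype=REQ_HEADER" \
    " -config replacer.full_list(0).matchstr=$1" \
    " -config replacer.full_list(0).regex=false" \
    " -config replacer.full_list(0).replacement='$2'"
}

# Refuse to scan without a token: an unauthenticated scan of a protected API
# mostly sees 401/403 responses and can report a misleadingly clean result.
require_token() {
  if [ -z "$1" ]; then
    echo "ZAP_AUTH_TOKEN is not set; refusing to run an unauthenticated scan" >&2
    return 1
  fi
  return 0
}

# Print the full docker command (dry run) so it can be reviewed in CI logs
# with the token value masked. $1 = spec file, $2 = format, $3 = header name.
zap_scan_cmd() {
  printf 'docker run -v %s:/zap/wrk/:rw -t %s zap-api-scan.py -t /zap/wrk/%s -f %s -r report.html -J report.json -z "%s"\n' \
    "$(pwd)" "$ZAP_IMAGE" "$1" "$2" "$(replacer_opts "$3" 'Bearer ***')"
}

# Execute the scan for real, passing the token only through the argument
# vector (never echoed). Returns zap-api-scan.py's own exit status.
run_scan() {
  require_token "${ZAP_AUTH_TOKEN:-}" || return 3
  docker run -v "$(pwd):/zap/wrk/:rw" -t "$ZAP_IMAGE" zap-api-scan.py \
    -t "/zap/wrk/$1" -f "$2" -r report.html -J report.json \
    -z "$(replacer_opts "$3" "Bearer $ZAP_AUTH_TOKEN")"
}

# Map the exit status documented for ZAP's packaged scans to a verdict:
# 0 = no issues, 1 = at least one FAIL, 2 = WARNs only, anything else = error.
scan_verdict() {
  case "$1" in
    0) echo pass ;;
    1) echo fail ;;
    2) echo warn ;;
    *) echo error ;;
  esac
}

# Top-level entry point, only when explicitly requested, so the file can be
# sourced safely:  ZAP_RUN=1 ZAP_AUTH_TOKEN=... sh zap-ci.sh
if [ "${ZAP_RUN:-0}" = "1" ]; then
  zap_scan_cmd spec.yaml openapi Authorization
  run_scan spec.yaml openapi Authorization
  status=$?
  echo "verdict: $(scan_verdict "$status")"
  exit "$status"
fi
```

The dry-run line is printed with the token masked so the exact ZAP invocation can be audited from the pipeline log without leaking the credential, and the verdict mapping lets the job fail on FAIL-level findings while letting WARN-only runs be handled separately.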
Conclusion
ZAP Proxy provides a powerful and scriptable way to perform security testing on APIs. With Docker support and built-in handling of common API specifications like OpenAPI, it’s a great fit for automated pipelines and local development workflows.
For further reading:
Happy scanning!