Automated API Security Testing with OWASP Zap and Open API
I often see questions on Stack Overflow along the lines of “How can I be sure that my application is fully secured?” Well, you can’t! So far, there is no system that guarantees 100% protection against unauthorized access. But there are ways to make your application more secure than it is now. Two main methods are used to detect vulnerabilities in web applications: performing a manual penetration test or using automated scanning tools. In this post, I am going to show you automated API security testing using OWASP ZAP and OpenAPI.
REST APIs are widely used in today’s prevailing microservice architectures and, because of their simplicity, scalability and flexibility, they are now largely considered the standard protocol for web APIs. It can be assumed that the importance of desktop-based applications will steadily decrease and that more and more users will switch from desktop to web and mobile applications.
When developing REST-based web applications, a REST-based web service is required in order to test the functionality of the web application correctly. Since common penetration-testing tools cannot be used directly against REST APIs, the security of such APIs is still checked too rarely, and testing these types of applications is a major challenge. Basically, the testing effort for operators of web applications is endless, so various tools, frameworks and libraries are used to automate the testing activity.
Imagine performing a penetration test for your backend API with minimal effort, how do you pull it off? Let’s give it a try, shall we?
Setting up springdoc-openapi
With the help of springdoc-openapi we can easily generate the OpenAPI specification for our API. First, we add the springdoc-openapi-ui dependency to
After running mvn clean install, we can run the application. Bam! Now we are able to reach the OpenAPI descriptions from this URL.
Importing Open API definition and attacking the endpoints with OWASP Zap
After downloading and installing OWASP ZAP, we click “Import” from the menu and then select “Import OpenAPI Definition from URL” to open the dialogue below. To import the OpenAPI definition, we enter the address of the target in the input field “URL Pointing to OpenAPI defn:” and then click the “Import” button.
The OpenAPI definition is thereby parsed and imported, after which the Spider finds all the endpoints described for the application and adds them to the list of targets to attack.
The Active Scan can be started now; it examines the entire OpenAPI definition and then attempts to find potential vulnerabilities by running known attacks against the selected targets. You should NOT use it on web applications that you do not own! It is highly recommended to set up a dedicated shadow system for this penetration test.
During the active scan, the locally running Spring Boot application is checked for security gaps such as SQL injection, buffer overflow, XSS, etc. When the search for security vulnerabilities completes, all vulnerabilities found are displayed.
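To make this flow usable in a build pipeline rather than only in the ZAP desktop UI, here is an added example (not code from the original post or from the ZAP project) that lists the operations an OpenAPI 3 import hands to the scanner and turns ZAP's alert list into a pass/fail decision by risk level. The spec and the alerts are constructed stand-ins; the risk strings are the ones ZAP's JSON report uses ("High", "Medium", "Low", "Informational").

```python
"""Enumerate scan targets from an OpenAPI 3 document and gate a build on ZAP alerts."""
import json
from collections import Counter

# Constructed, minimal OpenAPI 3 document standing in for what springdoc-openapi serves.
SAMPLE_SPEC = json.loads("""{
  "openapi": "3.0.1",
  "servers": [{"url": "http://localhost:8080"}],
  "paths": {
    "/api/users": {"get": {"operationId": "listUsers"}, "post": {"operationId": "createUser"}},
    "/api/users/{id}": {"get": {"operationId": "getUser"}, "delete": {"operationId": "deleteUser"}}
  }
}""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def enumerate_operations(spec):
    """Return sorted (METHOD, absolute URL) pairs for every operation in the document.
    Path templates such as {id} are kept as-is; the scanner substitutes values later."""
    base = spec.get("servers", [{"url": ""}])[0]["url"].rstrip("/")
    ops = []
    for path, item in spec.get("paths", {}).items():
        for key in item:  # path items also carry non-method keys such as "parameters"
            if key.lower() in HTTP_METHODS:
                ops.append((key.upper(), base + path))
    return sorted(ops)

# Constructed alerts in the shape of ZAP's JSON report entries.
SAMPLE_ALERTS = [
    {"alert": "SQL Injection", "risk": "High", "url": "http://localhost:8080/api/users?name=x"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "url": "http://localhost:8080/api/users"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "url": "http://localhost:8080/api/users/1"},
]

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

def summarize_alerts(alerts):
    """Count distinct alert names per risk level, so one finding hit on many URLs counts once."""
    seen = {(a["alert"], a["risk"]) for a in alerts}
    return Counter(risk for _, risk in seen)

def gate(alerts, fail_at="Medium"):
    """Return True (build may pass) only if no alert reaches the fail_at risk level."""
    threshold = RISK_ORDER[fail_at]
    return all(RISK_ORDER.get(a["risk"], 0) < threshold for a in alerts)

if __name__ == "__main__":
    for method, url in enumerate_operations(SAMPLE_SPEC):
        print(method, url)
    print(dict(summarize_alerts(SAMPLE_ALERTS)), "pass:", gate(SAMPLE_ALERTS))
```

The `gate` threshold is the policy knob: failing at "Medium" blocks the build on anything but low-risk and informational findings, which still need a human look later.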
It is sometimes not possible to consider manually all the test cases needed to cover a penetration test of the target system. In such cases, an automated tool can carry out the API security testing, saving manual effort and time. Automated tools can also be used for information gathering, which is helpful before the investigation phase begins. An automated penetration test is useful even for extensive applications. However, the outcome of an automated tool is not necessarily the conclusion: automated tools can only find certain types of vulnerabilities. Logical vulnerabilities, such as broken access control, cannot be found by automated vulnerability scanning, and manual analysis is often required to confirm findings of any type. We can use automated security testing tools to finish the mechanical part of the job as quickly as possible, so that we have enough time to test our application for logical vulnerabilities. In such cases, therefore, the automated tool is used to find the right target, after which the vulnerability can be exploited manually.