
I had gone through OWASP ZAP and found that ZAP requires the endpoint of the web application. Still, I tried to provide the URL of the REST APIs of our microservices, but I was getting a 404 error. What I think is that OWASP ZAP scans with the HTTP GET method and doesn't allow POST or other methods.

Below is the screenshot of ZAP: Link to the screenshot of ZAP

I know there is a post related to testing REST APIs, but that post was not fully clear to me and was also not related to microservices. Please recommend any better open-source software and a way through which we can do our VAPT test easily.

Thanks

1 Answer


The ZAP Quick Start option only supports GET requests, but you can easily send POST requests using the Manual Request dialog. With APIs the main problem is how to discover them. Does that endpoint link to all of the other API endpoints?

Simon Bennetts
  • No, that endpoint doesn't link to all of the other API endpoints. Can you tell me how I can send a POST request using the Manual Request dialog? – saurabh kumar 100rab Jan 25 '19 at 16:49
  • As you already have a GET request, just right-click it in the History tree and 'Open/Resend with Request Editor...', then change whatever you want. To create a request from scratch, use the 'Tools/Manual Request Editor...' menu item. The bigger problem you will have is how to discover the endpoints. Do you have them defined via OpenAPI / SOAP or something similar? If not, do you have tests that use your API? – Simon Bennetts Jan 28 '19 at 09:13
  • You have mentioned Request Editor and I don't know what Request Editor is in the OWASP ZAP tool. My APIs are RESTful, i.e. JSON format, not SOAP or OpenAPI. About which tests are you talking? – saurabh kumar 100rab Feb 05 '19 at 12:20
  • In the ZAP desktop select the 'Tools' menu and then select 'Manual Request Editor...'; that will allow you to make any sort of request you like. If you don't have a definition of your API endpoints, then how is ZAP going to find them? If you have unit tests that access those endpoints, then you can proxy them through ZAP and ZAP will know about them; if you don't have any tests, then you'll have problems as ZAP will have no way to find the API endpoints. – Simon Bennetts Feb 06 '19 at 17:36
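The approach the answer recommends, replaying your own API test calls (GET and POST with JSON bodies) through ZAP's proxy so that ZAP records each endpoint in its History tree, written up as an added example that is not part of the original answer. The proxy address (ZAP's desktop default), the base URL and the API paths are assumed/constructed values, not from the post.

```python
import json
import urllib.error
import urllib.request

ZAP_PROXY = "127.0.0.1:8080"  # assumed: ZAP desktop default listen address

# Constructed sample cases standing in for the calls a real API test suite makes.
API_CASES = [
    {"method": "GET", "path": "/api/orders", "body": None},
    {"method": "POST", "path": "/api/orders", "body": {"item": "widget", "qty": 2}},
    {"method": "PUT", "path": "/api/orders/42", "body": {"qty": 3}},
]


def build_request(base_url, case):
    """Build one urllib Request; JSON bodies are UTF-8 encoded with a content type."""
    data, headers = None, {"Accept": "application/json"}
    if case["body"] is not None:
        data = json.dumps(case["body"]).encode("utf-8")
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(base_url + case["path"], data=data,
                                  headers=headers, method=case["method"])


def build_opener(proxy=ZAP_PROXY):
    """Opener that routes traffic through ZAP. For https:// targets the client
    must also trust ZAP's root CA certificate, or the TLS handshake fails."""
    handler = urllib.request.ProxyHandler({"http": "http://" + proxy,
                                           "https": "http://" + proxy})
    return urllib.request.build_opener(handler)


def replay(base_url, cases, opener):
    """Send every case via the opener and return (method, path, status) tuples.
    HTTP error responses keep their status (ZAP still records them); network
    failures are recorded as 0 so one refused call does not abort the run."""
    results = []
    for case in cases:
        req = build_request(base_url, case)
        try:
            with opener.open(req, timeout=10) as resp:
                status = resp.status
        except urllib.error.HTTPError as err:
            status = err.code
        except OSError:
            status = 0
        results.append((case["method"], case["path"], status))
    return results


if __name__ == "__main__":
    # Start ZAP first, then point this at your microservice's base URL.
    for row in replay("http://localhost:5000", API_CASES, build_opener()):
        print(row)
```

After the run, every replayed endpoint appears in ZAP's History tree and Sites tree, where it can be resent with the Request Editor or fed to the active scanner.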