
I have a command for zap-api-scan.py, but unlike zap-full-scan.py, there seems to be no way to limit these.

via OWASP's official docker image:

docker run -v $(pwd):/zap/wrk/:rw \
    -t owasp/zap2docker-stable zap-api-scan.py \
    -t http://my-tld/api/graphql \
    -f graphql --schema schema.graphql

via ICTU's docker image:

docker run --rm -v $(pwd):/zap/wrk/:rw \
-t ictu/zap2docker-weekly zap-api-scan.py \
-t https://myapp.tld.com/api/graphql -f graphql \
-r testreport.html --hook=/zap/auth_hook.py --schema schema.graphql \
-z "auth.bearer_token=myapikey" \
-d -I

Do I have any options, whether it be through owasp/zap2docker-stable or ictu/zap2docker-weekly or through

Are there any config variables I can pass to zap-api-scan.py to limit the depth or run duration?

Note: This is for the zap-api-scan.py CLI script only.

tony

2 Answers


In case you are talking about the recursion depth of the GraphQL query generation process, you can make use of ZAP config options, like:

-z "-config graphql.maxQueryDepth=2 -config graphql.maxArgsDepth=2"

The default depth is 5 for both these options, so any value less than that should speed up the scan (at the cost of fewer queries generated and sent).

For more information about the flags, see https://www.zaproxy.org/faq/how-do-you-find-out-what-key-to-use-to-set-a-config-value-on-the-command-line/ .

ricekot

-T max time in minutes to wait for ZAP to start and the passive scan to run

Per:

kingthorin
  • What he said :) Also, limiting depth and recursion only apply to the 2 spiders, which the API scan doesn't use. – Simon Bennetts Nov 09 '21 at 09:00
  • `-T` does not work for `zap-api-scan.py`, unfortunately. I just had a job with `-T 15` that ran for an hour and 30 minutes. Flags used: `-j -d -I -m 15 -T 15`. When I stopped the process it was only at 22%. – tony Nov 15 '21 at 16:37
  • @TonyNarlock In case you are talking about the recursion depth of the GraphQL query generation process, you can make use of ZAP config options, like: `-z "-config graphql.maxQueryDepth=2 -config graphql.maxArgsDepth=2"` The default depth is 5 for both these options, so any value less than that should speed up the scan (at the cost of fewer queries generated and sent). – ricekot Nov 15 '21 at 18:36
  • @ricekot Wow. That works. I am very grateful. I am new to StackOverflow, would you like to make that into an answer? (What would be the proper way to make it so the answer is apparent?) You can take my above commands and add the `-z "-config graphql.maxQueryDepth=2 -config graphql.maxArgsDepth=2"` if you want. – tony Nov 15 '21 at 20:01
  • @ricekot Also, are those flags found anywhere in the OWASP ZAP documentation? (in terms of the CLI script?) – tony Nov 15 '21 at 20:13
  • @TonyNarlock glad I could help you. I have added the comment as an answer along with a link to the information about the CLI flags. – ricekot Nov 16 '21 at 11:58