kasunkv / owasp-zap-vsts-task

Visual Studio Team Services build/release task for running OWASP ZAP automated security tests
MIT License

run on target rest api #30

Open Crazyabout opened 5 years ago

Crazyabout commented 5 years ago

Is it possible to run the OWASP ZAP Azure DevOps task on REST APIs? I found in the documentation of OWASP ZAP that this is possible through Docker, but I was hoping this could work through the OWASP ZAP Azure DevOps task without changing my entire build.

kasunkv commented 5 years ago

I'm not really clear about your question, but to give some context: what this task does is call the OWASP ZAP API that is hosted externally, be it on a VM or in a Docker container somewhere. So if you don't want to add the task to the release definition, you can call the API on your own as well, but that involves writing code to parse the responses etc. This task is created to make that process easier. And to be clear, if you are trying to use this as part of a pipeline, it should be in a release definition rather than the build, since OWASP ZAP runs on an endpoint (e.g. your website/API after it's deployed).

Here is an example where I am directly calling the OWASP ZAP API inside a unit test project to run the tests. This is ASP.NET and C#, but the idea should be the same.

https://kasunkodagoda.com/2017/07/21/automated-security-testing-with-owasp-zed-attack-proxy-2-creating-running-automated-security-tests-on-visual-studio-team-services/

https://kasunkodagoda.com/2017/07/22/automated-security-testing-with-owasp-zed-attack-proxy-3-working-the-result-of-zap-security-scan-to-pass-or-fail-the-security-tests/

Crazyabout commented 5 years ago

I am sorry for my bad explanation. I tried to use a REST API inside the Azure DevOps task as the target URL, but the report was not thorough enough, so I was thinking this is because it (the OWASP ZAP task in Azure DevOps that uses a VM and not a Docker environment) cannot handle REST APIs. I want to use this type of scan (https://github.com/zaproxy/zaproxy/wiki/ZAP-API-Scan) that is provided in this Stack Overflow question with the same question as I have: https://stackoverflow.com/questions/51706298/owasp-zap-testing-rest-api. I already followed your very good tutorial to set up OWASP ZAP inside a VM (https://kasunkodagoda.com/2017/09/03/introducing-owasp-zed-attack-proxy-task-for-visual-studio-team-services/), and I was wondering if I could use REST APIs as a target URL inside my current setup (VM) without changing everything to a Docker setup.

kasunkv commented 5 years ago

From the looks of it, it seems it's a capability only available in the Docker image. It's run on the Docker image itself and does not have an endpoint that we can access to run it in a CI/CD pipeline. But I am not absolutely sure about it since I have not used it. You may need to do some more research into this.

Crazyabout commented 5 years ago

That's what I was thinking, but I thought maybe you or anyone else had already set this up and knows how to do this. Seconds ago I found this solution, so I am going to check this out and close this issue if this is the way to answer my question.

kasunkv commented 5 years ago

Looking at the link you provided, if you install the extension to support OpenAPI or SOAP you should be able to access it using the OWASP ZAP API on your VM. And I should be able to add support to use OpenAPI JSON or WSDL into the Azure DevOps extension. It doesn't support this at the moment, so you may have to find a workaround for now. Thanks for bringing this to my attention.

Crazyabout commented 5 years ago

I tried this but got stuck at the authentication of the URL. Because the authentication of the REST API needs some kind of token or credentials, it may not be possible to use a VM, let alone to put this inside some kind of CI/CD pipeline. I'm trying for a couple of hours to get this working in Docker, but this is not as easy as you can see (https://groups.google.com/forum/#!topic/zaproxy-users/-iMh8aO9lN4).

PS: nice thinking to put this support in your Azure DevOps extension; that would help me and, I think, others a lot.

tsluyter commented 3 years ago

"Because the authentication of the rest api needs some kind of token or credentials, it may not be possible to use a vm let alone to put this inside some kind of CI/ CD pipeline."

It depends on how authentication is supposed to happen. In some cases, you can create a context for the API using the ZAP desktop app and export it to a context file. You can provide the context to a scan, so it'll know how to authenticate and using which credentials.

Alternatively, if the API depends on something like a JWS in a header, you can provide a Replacer rule that inserts the JWS header into each request.

pablosguajardo commented 1 year ago

Azure calls can be made via PowerShell. For example, I use it to close the instance when it finishes scanning; you have to do this in a PowerShell task:

```powershell
Invoke-WebRequest -Uri "http://localhost:$(Port)/JSON/core/action/shutdown/?apikey=$(keyOwaspZapProxy)"
```

Then with this method you can make any type of call.
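The two suggestions above (tsluyter's Replacer rule / imported context for an API that needs a token, and pablosguajardo's direct calls to the ZAP JSON API from a pipeline task) combine into one script. The following is an added example and not code from the owasp-zap-vsts-task project or from anyone in this thread. It assumes ZAP is reachable at `ZAP_BASE` with an API key injected from a pipeline secret, that the OpenAPI and Replacer add-ons are installed on that instance, and that the ZAP API component, action and parameter names used here match your ZAP version (check them against the API UI on your instance). The target URL, token and alert data are constructed placeholders.

```python
"""Drive an externally hosted OWASP ZAP instance over its JSON API.

Added example; not code from the owasp-zap-vsts-task project. Assumes ZAP is
reachable at ZAP_BASE with an API key, and that the OpenAPI and Replacer
add-ons are installed. Target, token and sample alerts are constructed.
"""
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://localhost:8080"       # assumption: ZAP's API listener address
API_KEY = "REPLACE_WITH_ZAP_API_KEY"     # placeholder: inject from a secret variable

RISK_ORDER = ["Informational", "Low", "Medium", "High"]


def build_url(component, kind, name, params=None, base=ZAP_BASE, apikey=API_KEY):
    """Assemble {base}/JSON/{component}/{kind}/{name}/?apikey=...&param=..."""
    query = {"apikey": apikey}
    query.update({k: v for k, v in (params or {}).items() if v is not None})
    return f"{base}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(query)


def call(url, opener=urllib.request.urlopen):
    """GET a ZAP API URL and decode the JSON body; opener is injectable for tests."""
    with opener(url, timeout=60) as resp:
        return json.loads(resp.read().decode("utf-8"))


def add_bearer_replacer(token, opener=urllib.request.urlopen):
    """Replacer rule: set an Authorization header on every request ZAP sends,
    so an API that expects a bearer token can be scanned without a login flow."""
    return call(build_url("replacer", "action", "addRule", {
        "description": "ci-bearer-token",
        "enabled": "true",
        "matchType": "REQ_HEADER",      # add or replace a request header
        "matchRegex": "false",
        "matchString": "Authorization",
        "replacement": f"Bearer {token}",
    }), opener)


def import_context(context_file, opener=urllib.request.urlopen):
    """Load a context exported from the ZAP desktop app (scope, auth method, users)."""
    return call(build_url("context", "action", "importContext",
                          {"contextFile": context_file}), opener)


def import_openapi(spec_url, host_override=None, opener=urllib.request.urlopen):
    """Import an OpenAPI definition so ZAP knows the API's endpoints and methods."""
    return call(build_url("openapi", "action", "importUrl",
                          {"url": spec_url, "hostOverride": host_override}), opener)


def run_active_scan(target, context_id=None, poll_seconds=5,
                    opener=urllib.request.urlopen, sleep=time.sleep):
    """Start an active scan of target and block until ZAP reports 100%."""
    scan_id = call(build_url("ascan", "action", "scan",
                             {"url": target, "recurse": "true",
                              "contextId": context_id}), opener)["scan"]
    while True:
        status = call(build_url("ascan", "view", "status",
                                {"scanId": scan_id}), opener)["status"]
        if int(status) >= 100:
            return scan_id
        sleep(poll_seconds)


def fetch_alerts(target, opener=urllib.request.urlopen):
    """Return the alert list ZAP holds for target (the data behind the HTML report)."""
    return call(build_url("core", "view", "alerts", {"baseurl": target}), opener)["alerts"]


def summarize_alerts(alerts, fail_at="Medium"):
    """Count alerts per risk and gate the pipeline: any alert at or above fail_at fails."""
    counts = {risk: 0 for risk in RISK_ORDER}
    for alert in alerts:
        risk = alert.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
    failing = sum(counts[r] for r in RISK_ORDER[RISK_ORDER.index(fail_at):])
    return counts, failing == 0


if __name__ == "__main__":
    # Pipeline-style flow: authenticate, teach ZAP the API, scan, gate, shut down.
    target = "https://api.example.test"                     # constructed target
    add_bearer_replacer("REPLACE_WITH_API_TOKEN")           # placeholder secret
    import_openapi(target + "/swagger/v1/swagger.json")     # assumed spec location
    run_active_scan(target)
    counts, passed = summarize_alerts(fetch_alerts(target))
    print(counts, "PASS" if passed else "FAIL")
    call(build_url("core", "action", "shutdown"))           # the call from the thread
    raise SystemExit(0 if passed else 1)
```

Read the API key and bearer token from secret pipeline variables rather than hard-coding them; the Replacer rule lives only in the running ZAP instance, and shutting ZAP down at the end (the last call) discards it along with the session. If the API uses a login flow instead of a static token, skip `add_bearer_replacer` and pass the `contextId` returned by `import_context` to `run_active_scan` so ZAP authenticates as the context's user.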