OWASP ZAP: testing a REST API

Сергей · Aug 6, 2018 · Viewed 10.7k times

Is it possible to test a REST API via OWASP ZAP? "URL to attack" worked only for GET requests.


For example, my API controllers work only with a token. I have a TokenController, and this controller requires POST data as JSON that includes the password and login. Can I somehow test this controller via OWASP?

Answer

Omer Levi Hevroni · Aug 6, 2018

The short answer is yes. The long answer - it's complicated :)

Testing a REST API is a bit harder than testing a web API - you'll have to give ZAP information about your API - which endpoints it has, parameters, etc. Can you share more about your API? Does it have an OpenAPI/Swagger document? Do you have existing tests? You can use either one of those for this task.

I gave a talk about how this can be achieved - you can find the recording here.
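To make the answer concrete, here is an added example (not the answerer's code) of the two pieces it mentions: a minimal OpenAPI document describing a token endpoint that takes login and password as a JSON POST body, and the ZAP API calls that import it and then active-scan it. It assumes ZAP is running locally at http://localhost:8080 with its API enabled and the OpenAPI add-on installed; the path /api/token, the target server URL and the API key are placeholders.

```python
"""Feed ZAP an OpenAPI description of a JSON POST endpoint and scan it through ZAP's API.
Added example, not from the answer. Assumptions: local ZAP at localhost:8080 with the
OpenAPI add-on; /api/token, the target URL and the API key are placeholders."""
import json
import urllib.parse
import urllib.request

ZAP_API = "http://localhost:8080"  # assumption: local ZAP with its API enabled
ZAP_API_KEY = "changeme"           # placeholder: use the key from ZAP's API options


def token_endpoint_spec(server_url: str) -> dict:
    """Minimal OpenAPI 3 document for POST /api/token taking login + password as JSON.
    ZAP's OpenAPI import reads the schema and generates requests with a JSON body,
    which the plain "URL to attack" (GET only) cannot do."""
    body_schema = {
        "type": "object",
        "required": ["login", "password"],
        "properties": {"login": {"type": "string"},
                       "password": {"type": "string", "format": "password"}},
    }
    return {
        "openapi": "3.0.0",
        "info": {"title": "Token API (constructed example)", "version": "1.0"},
        "servers": [{"url": server_url}],
        "paths": {"/api/token": {"post": {
            "requestBody": {"required": True,
                            "content": {"application/json": {"schema": body_schema}}},
            "responses": {"200": {"description": "token issued"}},
        }}},
    }


def zap_api_url(component: str, action: str, **params) -> str:
    """Build a ZAP JSON API URL such as /JSON/openapi/action/importFile/?file=...&apikey=..."""
    query = urllib.parse.urlencode({**params, "apikey": ZAP_API_KEY})
    return f"{ZAP_API}/JSON/{component}/action/{action}/?{query}"


def zap_call(url: str) -> dict:
    """Perform one ZAP API call and return its JSON response (needs a running ZAP)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    target = "http://localhost:5000"  # placeholder: the API under test
    spec_path = "/tmp/token-api.json"
    with open(spec_path, "w") as fh:
        json.dump(token_endpoint_spec(target), fh)
    # 1. Import the spec so ZAP learns the POST endpoint and its JSON body (Sites tree).
    print(zap_call(zap_api_url("openapi", "importFile", file=spec_path)))
    # 2. Active-scan the imported node; recurse covers the generated POST requests.
    print(zap_call(zap_api_url("ascan", "scan", url=f"{target}/api/token", recurse="true")))
```

Alerts raised by the scan can then be read back with the `core/view/alerts` view of the same API.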