API Security Testing With Postman and OWASP Zap

Most of the content around API testing is about functional testing or, more recently, API automation testing. So what about security testing?

We’re going to use Postman and consume our existing collections.

The idea here is to send the Postman requests to OWASP Zap to be able to start automated pen-testing.

Why?
Sometimes we don’t have a proper API definition file (for example an OpenAPI spec) that can be imported into OWASP Zap, so this is an easy workaround: the requests Postman already knows how to send become the seed for the scan.

Step 1 :

Open OWASP Zap, go to the application settings and look for “Local Proxy” as shown in the following screenshot.

On Windows : Go to “Tools” -> “Options”

On Mac OS : Go to “Zap” -> “Preferences”

In our case the local proxy is on port 8081. Remember this number because we will use it very soon.

*The port number may be different on your machine; use the number displayed in your settings in the next step.

Step 2 :

Open Postman, go to the application settings and open the “Proxy” tab as shown in the following screenshot.

On Windows : Go to “File” -> “Settings”

On Mac OS : Go to “Postman” -> “Preferences”

Select “Add custom proxy configuration” and fill in the following values:

  • Proxy Server : localhost
  • Port : 8081 (the port taken from the OWASP Zap settings in step 1)

Step 3 :

In Postman, start sending API requests from the desired API collection as shown in the following Postman example.

All API calls you just made from Postman should now appear in the OWASP Zap “Sites” tree, as in the following screenshot. If a request is missing there, it never went through the proxy, so check the Postman proxy settings before scanning.

*Don’t forget to return the Postman proxy settings to the previous / default settings after you finish.

Step 4 :

It is time to start the scan on OWASP ZAP.

Right-click on the main site node and select “Attack”, then select “Active Scan”.

The scan will start and you should notice findings under the “Alerts” section, as in the following screenshot.
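The same flow (steps 1 to 4) can be driven without touching the Postman proxy settings at all: read the exported Postman collection, replay every request through the ZAP local proxy so the “Sites” tree gets populated, and then start the active scan from the ZAP UI as in step 4. This is an added example written for this post, not code from Postman, ZAP or VAmPI; it assumes ZAP is listening on 127.0.0.1:8081 (the port from step 1), a Postman v2.1 collection export, and a constructed sample collection whose target URL is only a placeholder for a locally running VAmPI.

```python
import json
import urllib.request
from urllib.error import HTTPError, URLError

# Constructed sample of a Postman v2.1 collection export (placeholder URLs, not
# the post's collection). Folders nest further "item" lists, which we flatten.
SAMPLE_COLLECTION = json.dumps({
    "info": {"name": "vampi-demo"},
    "item": [
        {"name": "list users", "request": {"method": "GET", "header": [],
            "url": {"raw": "http://127.0.0.1:5000/users/v1"}}},
        {"name": "auth folder", "item": [
            {"name": "login", "request": {"method": "POST",
                "header": [{"key": "Content-Type", "value": "application/json"}],
                "body": {"mode": "raw", "raw": '{"username":"name1","password":"pass1"}'},
                "url": {"raw": "http://127.0.0.1:5000/users/v1/login"}}}]},
    ],
})

def flatten_items(items):
    """Walk nested folders and yield (method, url, headers, body) per request."""
    for item in items:
        if "item" in item:                      # a folder: recurse into it
            yield from flatten_items(item["item"])
            continue
        req = item["request"]
        url = req["url"]["raw"] if isinstance(req["url"], dict) else req["url"]
        headers = {h["key"]: h["value"] for h in req.get("header", []) if not h.get("disabled")}
        yield (req["method"], url, headers, req.get("body", {}).get("raw"))

def parse_collection(text):
    return list(flatten_items(json.loads(text)["item"]))

def make_proxied_opener(port=8081):
    """Route both http and https through the ZAP local proxy (step 2, done in code).
    For https targets ZAP's root CA must be trusted by this client, or the TLS
    handshake to ZAP fails; the sample above uses plain http only."""
    proxy = f"http://127.0.0.1:{port}"
    return urllib.request.build_opener(urllib.request.ProxyHandler({"http": proxy, "https": proxy}))

def replay_through_zap(text, port=8081, timeout=10):
    """Send every collection request via ZAP so it shows up in the Sites tree (step 3)."""
    opener, results = make_proxied_opener(port), []
    for method, url, headers, body in parse_collection(text):
        data = body.encode() if body is not None else None
        req = urllib.request.Request(url, data=data, headers=headers, method=method)
        try:
            with opener.open(req, timeout=timeout) as resp:
                results.append((method, url, resp.status))
        except HTTPError as e:                  # 4xx/5xx still reached the target
            results.append((method, url, e.code))
        except URLError as e:                   # proxy or target not reachable
            results.append((method, url, f"error: {e.reason}"))
    return results

if __name__ == "__main__":
    for row in replay_through_zap(SAMPLE_COLLECTION):
        print(row)
```

Once the script has run, the replayed hosts appear under “Sites” in ZAP and the active scan is started exactly as in step 4.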

Indeed you can do more than an active scan in OWASP Zap, and that may be another post I will do in the future to dig deeper into ZAP 🙂

The API used in this demo is called VAmPI. It is a deliberately vulnerable API and you can find it at the following GitHub link:

https://github.com/erev0s/VAmPI

I hope you find it useful and I really enjoyed the time I was trying it.

Please share your tips, experience, comments, and questions for further enriching this topic of discussion.