Saturday, July 22, 2023
Penetration Test a dotnet Core Web API with OWASP ZAP
#active-scan #docker #dotnet-core #entity-framework-core #mssql #owasp-zap #web-api
This article is published at GitHub. You can raise issues, create pull requests or even fork the content; it's open source.
In this article, you will learn how to penetration test a dotnet Core Web API project with OWASP ZAP.
The following prerequisites will be required to complete this tutorial:
Create a new folder named zap in the deploy folder, which is in the root of the MonitoringDockerStack solution.
Add a new JSON file named monitoredapidefinition.json with the following contents.
{
  "openapi": "3.0.1",
  "info": {
    "title": "Monitored.API",
    "version": "1.0"
  },
  "servers": [
    {
      "url": "https://localhost:5021"
    }
  ],
  "paths": {
    "/WeatherForecast": {
      "get": {
        "tags": [
          "WeatherForecast"
        ],
        "operationId": "GetWeatherForecast",
        "parameters": [
          {
            "name": "take",
            "in": "query",
            "schema": {
              "type": "integer",
              "format": "int32",
              "default": 10
            }
          },
          {
            "name": "skip",
            "in": "query",
            "schema": {
              "type": "integer",
              "format": "int32",
              "default": 0
            }
          }
        ],
        "responses": {
          "200": {
            "description": "Success"
          }
        }
      }
    }
  },
  "components": { }
}
In Visual Studio, right click on the MonitoringDockerStack solution, and select Open in Terminal.
Run the following command to navigate into the zap folder.
cd deploy/zap
Ensure the MonitoringDockerStack is running in Docker and then execute the following command.
docker run -i -t --network=host --rm -v "$(pwd):/zap/wrk/:rw" owasp/zap2docker-weekly
Once in the container, run the ZAP API scan with the following command.
./zap-api-scan.py -g api-scan.conf -t monitoredapidefinition.json -f openapi -r api-scan-report.html
In Visual Studio, right click on the MonitoringDockerStack solution, and select Open in Terminal.
Run the following command to find the name of the running ZAP container and note that name down.
docker ps
Run the following command to copy api-scan-report.html from the container onto your device. Replace {ZapContainerName} with the name of your ZAP container and {FolderOnYourDevice} with a folder on your device.
docker cp {ZapContainerName}:/zap/wrk/api-scan-report.html "C:\{FolderOnYourDevice}\zap\api-scan-report.html"
To view the report, navigate to the api-scan-report.html on your device and open it in a browser.
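The -g switch in the scan command above makes zap-api-scan.py write a rule configuration file (api-scan.conf) in which every rule starts at WARN. The following is an added example, not code from the original article or from the ZAP project, showing how to tune that file so selected rules FAIL the scan instead of only warning. It assumes the tab-separated line format the script generates (rule id, action, rule name) and uses constructed sample lines.

```python
"""Tune the rule file written by `zap-api-scan.py -g api-scan.conf`.

Rule lines are `<rule id>\t<WARN|IGNORE|FAIL>\t(<rule name>)`, optionally followed by a
fourth tab-separated message; FAIL makes the scan exit non-zero when the rule fires.
"""
from pathlib import Path

ACTIONS = {"WARN", "IGNORE", "FAIL"}

# Constructed sample in the generated format. Ids follow ZAP's rule numbering (40018 is
# ZAP's generic SQL Injection rule); check them against the api-scan.conf your scan wrote.
SAMPLE_CONF = (
    "# zap-api-scan rule configuration file\n"
    "# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches\n"
    "10010\tWARN\t(Cookie No HttpOnly Flag)\n"
    "40018\tWARN\t(SQL Injection)\n"
    "90022\tWARN\t(Application Error Disclosure)\n"
)


def parse_rule_config(text: str) -> dict[str, str]:
    """Map rule id -> action for every rule line; comments and blank lines are skipped."""
    rules = {}
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue
        parts = line.split("\t", 2)
        if len(parts) < 2:
            raise ValueError(f"malformed rule line: {line!r}")
        rules[parts[0]] = parts[1]
    return rules


def set_actions(text: str, overrides: dict[str, str]) -> str:
    """Return the config with the listed rules' actions replaced; all other lines stay verbatim."""
    bad = {v for v in overrides.values() if v not in ACTIONS}
    if bad:
        raise ValueError(f"unsupported actions: {sorted(bad)}")
    out = []
    for line in text.splitlines():
        parts = line.split("\t", 2)
        if not line.startswith("#") and len(parts) >= 2 and parts[0] in overrides:
            parts[1] = overrides[parts[0]]  # only the action column changes
        out.append("\t".join(parts))
    return "\n".join(out) + "\n"


def tune_config_file(path: Path, overrides: dict[str, str]) -> dict[str, str]:
    """Rewrite api-scan.conf in place and return the resulting rule id -> action map."""
    tuned = set_actions(path.read_text(), overrides)
    path.write_text(tuned)
    return parse_rule_config(tuned)
```

On the next run, pass the tuned file with -c api-scan.conf instead of -g; a rule set to FAIL then gives the scan a non-zero exit code that a pipeline can act on.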
All my articles are written and managed as Markdown files on GitHub.
Please add an issue or submit a pull request if something is not right on this article or you have a comment.