At the moment, DAST can only scan web apps. The underlying tool, however, also supports scanning of REST/SOAP APIs https://zaproxy.blogspot.com/2017/06/scanning-apis-with-zap.html. It would be easy to support this functionality also in our DAST image, since the API scanning is invoked very similar to the baseline scan that we are currently doing https://gitlab.com/gitlab-org/security-products/dast/blob/master/analyze#L35

Proposal

Add support for API scanning to https://gitlab.com/gitlab-org/security-products/dast/

Implementation plan

Use zap-api-scan.py similar to zap-baseline.py and zap-full-scan.py to achieve a ZAP API scan.
~~Support new cli option -f env DAST_API_FORMAT: format should be openapi or soap~~
Support baseline and a full scan, using the normal DAST parameters. Baseline should be the default.
Support new cli option -O env DAST_API_HOST_OVERRIDE: the hostname to override in the (remote) OpenAPI spec.
All options should be supported, except -J and --hook.
Add tests to ensure OpenAPIv2 format is supported.
Add tests to ensure OpenAPIv3 format is supported.
~~Add tests to ensure a SOAP WSDL services are supported~~ https://github.com/zaproxy/zaproxy/issues/4866
Investigate options for authentication.
Document how users can use this.
Record a demo to show people how it works.
JSON or YAML should be able to be used for OpenAPIv2
Verify that the specification defined locally or in a URL
Investigate domain rewriting
Add a test for the legacy API
Verify other DAST features (e.g. exclude URL) work when using an API scan
Add an environment variable to exclude rules (required for tests). Document this for users, and link to the rule IDs.
Print out URLs that were scanned by the API scan, add them to scanned_resources in the JSON output
Verify Domain validation, document if it does not work.
Document that excluded URLs do not work.
Add DAST_REQUEST_HEADERS to DAST
Add an issue for supporting excluded URLs #211892
Add an issue for supporting Domain validation on Full Scans #211893
Add an issue for supporting Hostname override on imported specifications from file #211894

Post-issue clean up

test/end-to-end/fixtures/open-api-v2 should be renamed to test/end-to-end/fixtures/rest-api
Rename SpideredMessages to ScannedResources

Estimate

This will likely take most of the iteration, largely because of the testing. Giving it a 5.

### Problem to solve

REST APIs cannot be scanned by DAST.

### Further details

At the moment, DAST can only scan web apps. The underlying tool, however, also supports scanning of REST/SOAP APIs https://zaproxy.blogspot.com/2017/06/scanning-apis-with-zap.html. It would be easy to support this functionality also in our DAST image, since the API scanning is invoked very similar to the baseline scan that we are currently doing https://gitlab.com/gitlab-org/security-products/dast/blob/master/analyze#L35

### Proposal

Add support for API scanning to https://gitlab.com/gitlab-org/security-products/dast/

### Implementation plan
- [x] Use `zap-api-scan.py` similar to `zap-baseline.py` and `zap-full-scan.py` to achieve a ZAP API scan.
- ~~Support new cli option `-f` env `DAST_API_FORMAT`: `format should be openapi or soap`~~
- [x] Support baseline and a full scan, using the normal DAST parameters. Baseline should be the default.
- [x] Support new cli option `-O` env `DAST_API_HOST_OVERRIDE`: `the hostname to override in the (remote) OpenAPI spec`.
- [x] All options should be supported, except `-J` and `--hook`.
- [x] Add tests to ensure OpenAPIv2 format is supported.
- [x] Add tests to ensure OpenAPIv3 format is supported.
- ~~Add tests to ensure a SOAP WSDL services are supported~~ https://github.com/zaproxy/zaproxy/issues/4866
- [x] Investigate options for authentication.
- [x] Document how users can use this.
- [ ] Record a demo to show people how it works.
- [x] JSON or YAML should be able to be used for OpenAPIv2
- [x] Verify that the specification defined locally or in a URL
- [x] Investigate domain rewriting
- [x] Add a test for the legacy API
- [x] Verify other DAST features (e.g. exclude URL) work when using an API scan
- [x] Add an environment variable to exclude rules (required for tests). Document this for users, and link to the rule IDs.
- [x] Print out URLs that were scanned by the API scan, add them to `scanned_resources` in the JSON output
- [x] Verify Domain validation, document if it does not work.
- [x] Document that excluded URLs do not work.
- [x] Add `DAST_REQUEST_HEADERS` to DAST
- [x] Add an issue for supporting excluded URLs https://gitlab.com/gitlab-org/gitlab/-/issues/211892
- [x] Add an issue for supporting Domain validation on Full Scans https://gitlab.com/gitlab-org/gitlab/-/issues/211893
- [x] Add an issue for supporting Hostname override on imported specifications from file https://gitlab.com/gitlab-org/gitlab/-/issues/211894

### Post-issue clean up
- [x] `test/end-to-end/fixtures/open-api-v2` should be renamed to `test/end-to-end/fixtures/rest-api`
- [x] Rename `SpideredMessages` to `ScannedResources`

### Estimate
This will likely take most of the iteration, largely because of the testing. Giving it a `5`.

Edited Mar 20, 2020 by Cameron Swords

Linked issues

Discussion
Designs

Assignee

Assign to

12.10

Milestone

12.10

Assign milestone

Time tracking

None

Due date

None

10

Labels

Category:DAST Deliverable Enterprise Edition GitLab Ultimate backend devopssecure direction feature groupdynamic analysis workflowIn review

Assign labels

View project labels

Reference: gitlab-org/gitlab#10928

Next

Add support for REST API scans to DAST

Problem to solve

Further details

Proposal

Implementation plan

Post-issue clean up

Estimate