Testing REST APIs

REST API testing with ZAP leverages HTTP methods beyond the GET and POST commonly seen in web applications. ZAP's active scanner attacks the requests already in its Sites tree, so first make sure every method you want covered is there: import the API's OpenAPI definition, or send PUT, DELETE, PATCH and OPTIONS requests to each endpoint yourself from the manual request editor, then run the active scan with a policy that enables the relevant rules. Each method can expose a different weakness. DELETE may lack the authorization check that GET enforces, PUT may let one user overwrite another user's record, and an OPTIONS response may advertise, in its Allow header, methods the API never meant to expose. A quick check for every endpoint: send each method once with valid credentials and once without, and compare the status codes; a write method that succeeds unauthenticated, or against a resource the caller does not own, is a finding.

Parameter pollution testing reveals how an API resolves duplicate or conflicting parameters. REST APIs often accept the same parameter from several locations: the URL query string, the request body (JSON or form-encoded) and request headers, and sometimes the same name repeated within one location. Send the parameter with a distinct value in each location so the response shows which one the API honoured (first or last occurrence, body over query, header over both). The security bypass appears when the component that authorizes the request reads one location while the component that performs the action reads another: the check passes on the value you are allowed to use, and the action runs on the one you are not. ZAP's manual request editor enables precise crafting of these requests, including duplicate headers and query parameters that a browser or client library would normalise away.

API versioning creates its own attack surface. Many APIs serve several versions at once, and an older version may lack the authentication, input validation or response redaction that the current one enforces. Test every reachable version, not just the latest, and test each way a version can be selected: a path prefix (/v1/ against /v2/), a query parameter, or a header such as Accept or a custom version header. A downgrade header is the more dangerous case, because it can route a request on the current path to the legacy handler while the URL still looks current. Request the same resource through each variant with the same credentials (and with none) and diff the status codes and response fields; ZAP's session comparison features help identify differences between API versions.
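The three checks above (per-method authorization, parameter-location precedence, and version downgrade), as one added example that is not part of the original page or of ZAP itself. It stands up a constructed, deliberately flawed API on a local port and probes it over real HTTP; the user ids, the tok-7 bearer token, the /v2/users/{id} and /v2/account/lookup endpoints, the X-User header and the Accept-Version downgrade header are all hypothetical. Point the base URL at a real host, with authorization, and the probes apply unchanged.

```python
"""Probe an API for the gaps discussed above: write methods with no authorization check,
parameter-location precedence mismatches and legacy version downgrades. Added example, not
ZAP's code; the target is a constructed, deliberately flawed in-process API (runs offline)."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlparse
from urllib.request import ProxyHandler, Request, build_opener

USERS = {"7": {"name": "alice", "email": "alice@example.test"},
         "8": {"name": "bob", "email": "bob@example.test"}}
TOKENS = {"Bearer tok-7": "7"}           # constructed: token tok-7 owns user 7
OPENER = build_opener(ProxyHandler({}))  # ignore proxy env vars for 127.0.0.1

class FlawedApi(BaseHTTPRequestHandler):
    def _reply(self, code, body=None, allow=None):
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        if allow:
            self.send_header("Allow", allow)
        self.end_headers()
        self.wfile.write(json.dumps(body or {}).encode())
    def _route(self):                      # -> version, path parts, query, caller
        url = urlparse(self.path)
        parts = url.path.strip("/").split("/")        # e.g. ["v2", "users", "7"]
        # Bug 3: a downgrade header routes any path to the legacy v1 handler.
        version = "v1" if self.headers.get("Accept-Version") == "1" else parts[0]
        return version, parts[1:], parse_qs(url.query), TOKENS.get(self.headers.get("Authorization"))
    def do_GET(self):
        version, rest, _, owner = self._route()
        if len(rest) != 2 or rest[0] != "users" or rest[1] not in USERS:
            return self._reply(404)
        if version == "v1":                # legacy: no auth, unredacted record
            return self._reply(200, USERS[rest[1]])
        if owner != rest[1]:
            return self._reply(403)
        self._reply(200, {**USERS[rest[1]], "email": "redacted"})
    def do_DELETE(self):                   # Bug 1: caller identity never checked
        _, rest, _, _ = self._route()
        self._reply(200 if len(rest) == 2 and rest[0] == "users" and rest[1] in USERS else 404)
    def do_OPTIONS(self):
        self._reply(200, allow="GET, DELETE, OPTIONS")
    def do_POST(self):
        _, rest, query, owner = self._route()
        body = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
        if rest != ["account", "lookup"]:
            return self._reply(404)
        if query.get("user", [None])[0] != owner:  # Bug 2: authorizes the query value ...
            return self._reply(403)
        # ... but serves the header value, else the body value, else the query value.
        served = self.headers.get("X-User") or body.get("user") or query["user"][0]
        self._reply(200, {"served": served, **USERS.get(served, {})})
    def log_message(self, *_):             # silence per-request logging
        pass

def send(base, method, path, headers=None, body=None):
    """One request -> (status, lower-cased response headers, parsed JSON or None)."""
    req = Request(base + path, method=method, data=None if body is None else json.dumps(body).encode(),
                  headers={"Content-Type": "application/json", **(headers or {})})
    try:
        with OPENER.open(req) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, json.loads(resp.read() or b"{}")
    except HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, None

def probe_methods(base, path, auth):
    """Each method with and without credentials; a write method that succeeds anonymously lacks authz."""
    out = {}
    for method in ("GET", "PUT", "PATCH", "DELETE", "OPTIONS"):
        anon, _, _ = send(base, method, path)
        authed, hdrs, _ = send(base, method, path, {"Authorization": auth})
        out[method] = {"anon": anon, "auth": authed, "allow": hdrs.get("allow")}
    out["unauthenticated_writes"] = [m for m in ("PUT", "PATCH", "DELETE") if out[m]["anon"] < 300]
    return out

def probe_param_precedence(base, auth, own="7"):
    """Distinct values for one parameter in query, body and header: the echoed value shows
    which location wins, and a 200 for a record other than the caller's own is a bypass."""
    status, _, data = send(base, "POST", f"/v2/account/lookup?user={own}",
                           {"Authorization": auth, "X-User": "9"}, {"user": "8"})
    winner = {own: "query", "8": "body", "9": "header"}.get((data or {}).get("served"))
    return {"winner": winner, "bypass": status == 200 and winner != "query"}

def probe_versions(base, tail):
    """Same resource via each version path and via a downgrade header, unauthenticated; diff them."""
    variants = {"v1 path": ("/v1" + tail, {}), "v2 path": ("/v2" + tail, {}),
                "v2 path + Accept-Version: 1": ("/v2" + tail, {"Accept-Version": "1"})}
    return {name: (s, sorted(d or {})) for name, (p, h) in variants.items()
            for s, _, d in [send(base, "GET", p, h)]}

def start_server():
    srv = HTTPServer(("127.0.0.1", 0), FlawedApi)   # port 0: pick any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}"

if __name__ == "__main__":
    base = start_server()
    print(probe_methods(base, "/v2/users/7", "Bearer tok-7"), probe_param_precedence(base, "Bearer tok-7"),
          probe_versions(base, "/users/7"), sep="\n")
```

Run directly, it prints three findings: DELETE answering 200 with no credentials while GET on the same resource answers 403, the X-User header value winning over the query-string value the API actually authorized, and the v1 path (and the v2 path with the downgrade header) returning the unredacted record unauthenticated. None of these show up from a scan policy alone; they come from sending the extra methods, the conflicting parameter locations and the version variants and diffing the responses.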