Rest API security testing: Is there any learning material out there for ZAP?

So I started diving into API security as part of my larger effort to get around API testing but I see there’s a lack of resources. The tutorials for ZAP on youtube either just scratch the surface or are not related to what I’m looking for.

Up until now, I understand that it’s a highly technical and configurable tool and you need to know what you’re doing to use it.

E.g. I thought running an active scan would give me results but that takes a bit too long. Later I found out you can run fuzzer on individual request payload components to better test your API in depth.

Although this seemed like an activity for someone expert in all things security but I’m curious if there’s anything out there for the not-so-expert of us!

I could also ponder switching to another less technical tool but not sure which one.

I had similar issues but I found the book ‘Hacking APIs: Breaking Web Application Programming Interfaces’ by Corey J. Ball as a great place to get started! Covers quite a few areas and gives great hands on examples to work through.

This is from my guide on penetration/security testing of web apps for QA I’m working on (in collaboration with EuroSTAR, which will be published soon I hope), this are some general steps you can do to get enough knowledge to be able to use different tools, including ZAP, on a more advanced level:

1. It’s crucial to have a solid foundation in basic security principles - resources like the book “Penetration Testing” by Georgia Weidman and the “Certified Ethical Hacker (CEH)” materials provide an excellent base.
2. Hands-on learning:

• TryHackMe – ideal for beginners
• Hack The Box and Hack The Box Academy – once you are comfortable with the basics

3. Structured courses:

• TCM’s Ethical Hacking Course – these courses by TCM Security are highly popular for their clarity and coverage.

4. Doing both theoretical learning and practical exercises simultaneously can be more effective, this helps improve your learning by applying theoretical concepts to practical cases.
5. Community learning:

• Engage with cybersecurity communities and follow experts
• Participate in community discussions and challenges to stay updated with the latest news in the field.

6. Set a learning schedule that allows you to engage with both learning materials and practical platforms consistently.
7. Guides and blogs:

• TCM Security’s blog post titled “So You Want to Be a Hacker – 2023 Edition” provides a detailed roadmap for aspiring ethical hackers, including a variety of learning resources and tips (So You Want to Be a Hacker: 2023 Edition - TCM Security).

To gain comprehensive knowledge and a deeper understanding, I recommend going through the OWASP Web Security Testing Guide. However, you must pause and spend time learning some technical concepts. This will help you grasp various examples and techniques, as well as the nature of different vulnerabilities and issues: WSTG - Stable | OWASP Foundation.

Without understanding basic and more advanced stuff on how apps and technology work you won’t be able to understand many vulnerabilities.

By following these steps, you can learn the necessary cybersecurity skills and be well-prepared to apply them in the QA and testing field. You always can google stuff and find many answers and advice, ask professionals for help and advice, and of course, use AI, for example, chatGPT might be very helpful in explaining some concepts, demonstrating some vulnerabilities, and sometimes even in creating payloads (especially for fuzzing).

speaking particularly about ZAP usage, probably you already checked it, but I think their official docs are the best point to start ZAP – Documentation and community ZAP – Community

I also would recommend you to try Burp Download Burp Suite Community Edition - PortSwigger in a way they have many similar features and may substitute each other (in my unprofessional opinion ) but they have the quite cool Academy Web Security Academy: Free Online Training from PortSwigger maybe it’ll be helpful anyway, even if you prefer using ZAP

You shouldn’t learn ZAP.
In security tools come and go, more often then you think. That doesn’t mean you don’t need to learn ZAP… but what I mean is you need to learn the Methodology of what you are trying to learn and not the tools.

Learn the Methodology, Not the tool

That’s the Nr 1 rule of learning Security and it comes back in every good course.

If you would want to Fuzz, you can do that with ZAP sure, but I would recommend ffuf. GitHub - ffuf/ffuf: Fast web fuzzer written in Go

ffuf even stands for “Fuzz Faster U Fool”
I would recommend doing this, in order to “do it right the first time”

ZAP is the non-technical tool
If you ever need help feel free to reach out!

If you are looking to learn a lot about Rest API Security testing. The platforms that @shad0wpuppet mentioned are a good start but go way to broad.

• TCM Security:

TCM Security has a great course, not the Practical Ethical Hacking one (it is a great course but less for API hacking), they have a specific API Hacking course.
=> https://academy.tcm-sec.com/p/hacking-apis

• API Sec University
  https://www.apisecuniversity.com/

The pentest course, really focusses on API vulnerability basically NOT triggered by scanners like ZAP. Which is a really great course using the CrApi app.

This is a great book recommendation and API SEC University is also made by Corey ball!

• PortSwigger

=> API testing - PortSwigger
Also a great learning path specifically for non-scanning vulnerabilities.

• HackTheBox

HTB just released an API Attack module in their academy: HTB Account
BUT I don’t think it’s worth purchasing this one to begin with, since you can learn these things elsewhere. (Only do it when you get the silver subscription)

My recommendation:

Start with Portswigger, do the learning path. It should be an easy walkthrough.
After that, go to API Sec University and do the pentest course (free) , the exam costs 500$ if you want to challenge yourself.

If you ever want to spar or talk about it, feel free to hit me up!
I do pen-testing as a job.

Sorry if this sounds harsh but CEH is Worthless. It’s absolute shit and people make a joke about it if you’ve obtained it and start bragging with it.
The reason behind it is, in security we call this “the mason certificate”.

• If you are building a house and you need to hire a mason.
  Do you hire:

A: A mason with a certificate which answers are multiple choice and you only need 50% without any experience, which took 1-2 hours tops
B: A mason with a certificate which has hands on experience and the certificate requires 80-85% pass rate of building a house? And which took 1-10days?

That’s why Multiple Choices exams are a joke in the security world and new people often make the mistake learning for these and obtaining these.

A lot of people even mention I’m an “Uncertified Ethical Hacking” to make a job about CEH also. Sorry again if this sounds harsh reading it back XD It’s not meant to be harsh, just want to point him into the right path.

I much rather have people spend their time on the Pre-Security & Intro to Security learning path on TryHackMe.

Also make sure that you have a clear scope defined and that you only attack your scope, otherwise you are doing illegal activities and you can basically go to jail

It normally shouldn’t take “too long” - depends on your definition & the amount of addons you installed/attack mode.

Thanks for the detailed guide @kristof
Tbh the real issue was “where to start” Post swigger seems like a good starting point.

You’re welcome!

Some vulnerabilities may seems really stupid but hey they do exist. Especially no back end validations and only front end validations.

I recently ordered a 75" inch TV for 1€ due to no backend validation (reported it of course) – I did not get to keep the TV

my favorite one lol

Platforms like Udemy, Coursera, and Pluralsight often offer courses on using ZAP for security testing.