OWASP ZAP (the Open Web Application Security Project's Zed Attack Proxy) is a powerful security scanning tool, suitable both for people new to security testing and for professional penetration testers. ZAP can be used for many different security testing tasks, such as actively simulating attacks in order to expose vulnerabilities, or passively scanning requests as a proxy; each of those uses of ZAP is covered in its own post. In this blog post, I will show you how to configure Postman so that every request you make through Postman is routed through OWASP ZAP. Acting as a proxy, ZAP inspects each request and response for common markers of vulnerabilities and for sensitive data that should not be exposed. So, as you test your application's API layer with Postman, you are also passively scanning it for common security vulnerabilities.
First, open OWASP ZAP, find 'Preferences' in the top menu bar, and select 'Local Proxies' under 'Options' (in ZAP 2.12 and later this panel lives under 'Network' > 'Local Servers/Proxies'). You should see the following:
These are the settings for ZAP's proxy server, the one you will route Postman's requests through. Note the address and port shown there (ZAP's default is localhost on port 8080); you will need both to point Postman at ZAP's proxy.
Now that you have the address and port of the proxy, open Postman, find 'Preferences' in the top menu bar, and select the 'Proxy' tab. You should see the following menu:
From here, fill in the proxy server line with the address and port gathered from ZAP in the previous step, as I have done above, and make sure both HTTP and HTTPS are ticked as proxy types, otherwise only one of the two schemes will be routed through ZAP. We use Postman's global proxy configuration rather than the system proxy because the ZAP proxy is meant for Postman alone: we want every Postman request to go through ZAP, but not the rest of the traffic on the machine, such as the web browser. The system proxy option is for the case where all of your applications should share one proxy that is already configured at the operating-system level.
At this point the setup is complete and you can begin sending requests through Postman and observing them in ZAP. Create a request in Postman and send it; it should appear in ZAP's History tab at the bottom of the screen.

But wait, my HTTPS request didn't get a response! When an HTTPS request goes through ZAP, ZAP terminates the TLS connection and presents its own certificate for the target host, signed by a root CA that ZAP generated, so that it can read the request and the response. That root CA is not trusted by your system, your browser, or Postman by default, so Postman rejects the certificate and reports an error instead of a response. The quick fix is to go back into 'Preferences' and disable 'SSL certificate verification' under the 'General' tab. Be aware that this makes Postman accept any certificate, not just ZAP's, so re-enable it once you are done proxying; the more careful alternative is to export ZAP's root certificate (Tools > Options > Dynamic SSL Certificates in older releases, Network > Server Certificates in ZAP 2.12 and later) and add it under 'CA Certificates' in Postman's 'Certificates' settings tab, which leaves verification switched on. You can see the verification setting in the following screenshot:
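The same routing can be done from a script instead of Postman's GUI, which is handy for checking that the ZAP proxy is reachable and for running API calls through it in bulk. The following is an added example, not code from the original post or from the ZAP or Postman projects. It fetches ZAP's root CA from the ZAP API (served on the proxy port) and trusts that CA for the proxied request, which is the scripted equivalent of importing the certificate into Postman rather than switching verification off. The ZAP address and port, the API endpoint name, the optional API key, and the target URL are assumptions.

```python
"""Send an HTTPS request through ZAP's local proxy from a script, trusting
ZAP's root CA instead of turning certificate verification off."""
import ssl
import urllib.request
from pathlib import Path

ZAP_HOST = "127.0.0.1"   # assumption: the address shown under Local Proxies
ZAP_PORT = 8080          # assumption: ZAP's default Local Proxy port


def zap_proxy_url(host=ZAP_HOST, port=ZAP_PORT):
    """ZAP listens for plain HTTP; HTTPS requests are tunnelled through it with CONNECT."""
    return f"http://{host}:{port}"


def proxy_map(host=ZAP_HOST, port=ZAP_PORT):
    """Both schemes go to the same ZAP listener, as Postman's global proxy setting does."""
    url = zap_proxy_url(host, port)
    return {"http": url, "https": url}


def save_zap_root_ca(dest, host=ZAP_HOST, port=ZAP_PORT, apikey=None):
    """Download ZAP's root CA (PEM) from the ZAP API on the proxy port.
    Assumes the 'core/other/rootcert' endpoint; pass the key from
    Options > API if your ZAP instance requires one for this call."""
    url = f"{zap_proxy_url(host, port)}/OTHER/core/other/rootcert/"
    if apikey:
        url += f"?apikey={apikey}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        Path(dest).write_bytes(resp.read())
    return dest


def opener_via_zap(cafile, host=ZAP_HOST, port=ZAP_PORT):
    """Build an opener that routes through ZAP and trusts only ZAP's root CA.
    Every TLS response arriving through the proxy is re-signed by that root, so
    the real server's chain never needs to be trusted here. A missing cafile
    raises OSError rather than silently falling back to no verification."""
    ctx = ssl.create_default_context(cafile=cafile)
    return urllib.request.build_opener(
        urllib.request.ProxyHandler(proxy_map(host, port)),
        urllib.request.HTTPSHandler(context=ctx),
    )


def get_via_zap(url, cafile, host=ZAP_HOST, port=ZAP_PORT):
    """GET url through ZAP and return (status, body). The request shows up in
    ZAP's History tab exactly like one sent from Postman."""
    opener = opener_via_zap(cafile, host, port)
    req = urllib.request.Request(url, headers={"User-Agent": "zap-proxy-check/1.0"})
    with opener.open(req, timeout=15) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Against a live ZAP: fetch its CA once, then send a request through it.
    ca = save_zap_root_ca("zap_root_ca.pem")
    status, body = get_via_zap("https://api.example.com/v1/health", ca)  # assumed target
    print(status, len(body), "bytes")
```

If you drive Postman collections from the command line, newman (Postman's CLI runner) honours the HTTP_PROXY and HTTPS_PROXY environment variables, and recent versions accept an extra CA bundle via --ssl-extra-ca-certs; check the help output of the version you have before relying on either.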
In the next screenshot you can see a request from Postman as it has been captured in ZAP, note the User-Agent PostmanRuntime/7.6.1.
Now you've completed the setup between Postman and the ZAP proxy and can watch requests flow through ZAP as you make them. ZAP examines these requests and their responses for common security vulnerabilities and raises an alert for anything it finds. Each alert records the URL where the issue was observed, the level of risk it poses to your application, ZAP's confidence that the finding is accurate, and further details such as the parameter and evidence involved, a description, and a suggested fix, all of which help you decide on the proper remediation. Keep two things in mind: passive scanning only sees the traffic you actually send, so its coverage is exactly the set of requests you make from Postman, and low-confidence alerts still need a human to confirm them before they become work items.
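Once the Postman traffic has been scanned, the alerts can be pulled out of ZAP and ranked for triage instead of being read one by one in the Alerts tab. The following is an added example, not code from the original post or from the ZAP project. It queries the alerts view of the ZAP API (assumed to be the 'core/view/alerts' endpoint on the proxy port, protected by the API key from Options > API) and then sorts findings by risk and confidence, dropping anything already marked as a false positive. The embedded SAMPLE_ALERTS list is constructed to mirror the shape of ZAP's alert JSON so the triage logic runs offline; it is not real scan output.

```python
"""Fetch the alerts ZAP raised for proxied Postman traffic and rank them for triage."""
import json
import urllib.parse
import urllib.request

ZAP_HOST = "127.0.0.1"   # assumption: ZAP's Local Proxy address
ZAP_PORT = 8080          # assumption: ZAP's default Local Proxy port

# ZAP's risk and confidence strings mapped to sortable ranks.
RISK_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
CONFIDENCE_RANK = {"False Positive": 0, "Low": 1, "Medium": 2,
                   "High": 3, "User Confirmed": 4}


def fetch_alerts(baseurl, apikey, host=ZAP_HOST, port=ZAP_PORT, count=500):
    """GET /JSON/core/view/alerts/ for one site from the ZAP API (assumed endpoint)."""
    query = urllib.parse.urlencode(
        {"baseurl": baseurl, "start": 0, "count": count, "apikey": apikey})
    url = f"http://{host}:{port}/JSON/core/view/alerts/?{query}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)["alerts"]


def triage(alerts, min_risk="Low"):
    """Drop alerts marked False Positive, keep those at or above min_risk,
    and order them highest risk first, then highest confidence first."""
    floor = RISK_RANK[min_risk]
    kept = [a for a in alerts
            if a["confidence"] != "False Positive"
            and RISK_RANK[a["risk"]] >= floor]
    kept.sort(key=lambda a: (RISK_RANK[a["risk"]],
                             CONFIDENCE_RANK[a["confidence"]]), reverse=True)
    return kept


def summarize(alerts):
    """Count alerts per risk level, always listing all four levels."""
    counts = {level: 0 for level in RISK_RANK}
    for a in alerts:
        counts[a["risk"]] += 1
    return counts


def report_lines(alerts):
    """One line per alert with the fields a developer needs to reproduce it."""
    return [f"[{a['risk']}/{a['confidence']}] {a['alert']} at {a['url']}"
            + (f" (param: {a['param']})" if a.get("param") else "")
            for a in alerts]


# Constructed sample in the shape of ZAP's alerts view; not real scan output.
SAMPLE_ALERTS = [
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "confidence": "Medium",
     "url": "https://api.example.com/v1/users", "param": "x-content-type-options"},
    {"alert": "Private IP Disclosure", "risk": "Low", "confidence": "Medium",
     "url": "https://api.example.com/v1/health", "param": ""},
    {"alert": "Content Security Policy (CSP) Header Not Set", "risk": "Medium", "confidence": "High",
     "url": "https://api.example.com/v1/users", "param": ""},
    {"alert": "Cookie Without Secure Flag", "risk": "Low", "confidence": "High",
     "url": "https://api.example.com/v1/login", "param": "session"},
    {"alert": "Timestamp Disclosure", "risk": "Informational", "confidence": "Low",
     "url": "https://api.example.com/v1/health", "param": "1609459200"},
    {"alert": "Application Error Disclosure", "risk": "Medium", "confidence": "False Positive",
     "url": "https://api.example.com/v1/users", "param": ""},
    {"alert": "Absence of Anti-CSRF Tokens", "risk": "Medium", "confidence": "Low",
     "url": "https://api.example.com/v1/login", "param": ""},
]

if __name__ == "__main__":
    # Against a live ZAP, replace SAMPLE_ALERTS with
    # fetch_alerts("https://api.example.com", apikey="<key from Options > API>").
    print(summarize(SAMPLE_ALERTS))
    for line in report_lines(triage(SAMPLE_ALERTS)):
        print(line)
```

Ordering by risk and then confidence puts the findings worth a developer's time first, while the False Positive filter keeps anything already dismissed in ZAP from reappearing in every report.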
These alerts are actionable items for developers, who can use them to reproduce the issues and then diagnose and resolve the underlying vulnerabilities. For this reason it is well worth using ZAP as a proxy for any requests you make to your application. Both ZAP and Postman are powerful tools for testing an application from a functional and a security standpoint; together they complement each other very well and will help ensure a higher level of software quality in your application.