How to OWASP ZAP scan external REST API using OAuth2
For Finding vulnerabilities in the API only application(does not have a web app and you have access to only its REST API), you can configure proxies in the Postman and execute OAuth and other REST api invocations and network requests goes through same proxy that ZAP is configured to intercept.
If You have web app you can configure your browser as proxy so that any URL you browse through goes through a proxy server which ZAP can intercept.
Steps
Generate a root certificate in zap to import into the browser/Postman(if you are testing an api). Go to Tools > Options > Dynamic SSL Certificates and save this locally.
Import the certificate to the browser/Postman(I suggest you use another browser solely for this than one you currently use for general purpose. Makes it easier that you do not mess with your current config. I usually prefer Mozilla for this as i use chrome for general purpose)
For firefox go to about:preferences
url and select Privacy and Security and choose certificates
Go to Authorities to import the certificate you have saved in step 1
If you are testing for api only and does not have a web app and you use Postman to make a request , save your certificate in Postman using preferences tab as shown below
- Configure your browser proxy url as shown below. You can go to Network Settings in your browser to do this using
about:preferences
.
- Configure the Local Proxy in ZAP tool using Tools > Options > Local Proxy
Now any URL you browse will be recorded with complete hierarchy. This appears under the Sites as shown here
If your app is an API only then configure proxy in Postman.
Use postman to make request and it will record the URL for the attack. For OAuth 2.0 go through the Authentication using the Postman configuration.
One important thing to verify here is to make sure Postman uses a same proxy as that of the zap tool.
You can configure in preferences as explained in below article
https://learning.postman.com/docs/postman/sending-api-requests/proxy/
If you further need to customize one can use authentication scripts in ZAP (You generally do not need this until you have a complex authentication or want to test with specific headers) and ZAP has community scripts that covers some sample use cases and scripts here
Finally to scan or Spider attack the URL all you need to do is right click and execute the Attack as shown in below image
Use the reports tab to generate the ZAP Report that you can submit to Sec review team.
Additional Resources
ZAP configuration tutorial from salesforce security help is here and steps to configure documented is here
Note that ZAP is free and flexible and to customize you can read the docs
Also ZAP has video tutorials here