Create API SUT and test

[binarymist]

SUT Resources

Mentioned by Nicholas Tolstoshev on #project-zap of OWASP Slack

• https://github.com/OWASP/crAPI
• https://github.com/kaakaww

Mentioned by @ricekot on #project-zap of OWASP Slack

• https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
• https://github.com/righettod/poc-graphql
• https://github.com/kaakaww/vuln-graphql-api
• Others: https://github.com/search?q=graphql+vulnerable

Mentioned by @kingthorin_rm on #project-zap of OWASP Slack

• https://owasp.org/www-project-vulnerable-web-applications-directory/

Mentioned by @Kinnaird McQuade on #project-zap of OWASP Slack

• REST: http://www.webscantest.com/rest/demo/
• SOAP: http://www.webscantest.com/soap/demo/api/index.php?wsdl

[binarymist]

Todo

• Make sure NodeGoat runs locally on the compose_pt-net network and you have run local Test Runs with PurpleTeam successfully against NodeGoat locally
• Create ordered list/matrix (Google doc or markdown table in this issue) of purposely vulnerable APIs with their attributes so that we can decide which one to use first. This should be a simple task of evaluating which APIs are most fit for the purpose. I provided details of what we're looking for here. The SUT should also obviously have as many vulnerabilities as possible for PurpleTeam via Zaproxy to find. Once this is done, we'll make a decision as to which API to start with
• Test that the API SUT works locally
  • Test all of the API end-points and setup authentication - All using Zaproxy on the desktop
• Make sure the API SUT that we choose runs locally on the compose_pt-net network and you have run local Test Runs with PurpleTeam successfully against the API SUT locally. Now we know we're completely happy with the API SUT
  • You will need to provide a docker-compose.override.yml
  • You may need to provide some other replacement files, for example we have a db-reset.js for NodeGoat which simply has a different set of passwords in it
• Add the API SUT to purpleteam-iac-sut
  • Once the API SUT is added, if you want to do your own deploy, you'll need an AWS account and a cheap throwaway domain on CloudFlare, otherwise we can just do the deploy (terragrunt apply) for you. If you do decide you want to get a cheap domain and free AWS account, you'll also need to workout how to persist your Terraform state, we do this on Terraform Cloud (free), but you could just as easily do it locally, it really doesn't matter how you do it
  • Once the API SUT is deployed to AWS do a Test Run to confirm everything is working as expected. If you decided to get a cheap CloudFlare domain and free AWS account you can do this, otherwise we can easily do it
    • For this you will need an API Job file, when you get here, we will either help you create one or just provide one

API types we need to support

• ImportUrls
• OpenApi
• Soap
• GraphQl

Authentication Strategies

Basically anything, or as many as possible that Zaproxy supports, there are quite a few Zap resources now. Google does well at listing them.

• https://www.zaproxy.org/docs/api/#getting-authenticated (you've seen this one), I think this covers all, mostSome details that Simon (Zaproxy Lead) put together https://docs.google.com/document/d/1LSg8CMb4LI5yP-8jYDTVJw1ZIJD2W_WDWXLtJNk3rsQ/edit# I haven't spent much time in here, don't get bogged down in this
• As per docs: https://purpleteam-labs.com/doc/jobfile/api/
• Source code is here: https://github.com/purpleteam-labs/purpleteam-app-scanner/tree/main/src/sUtAndEmissaryStrategies/3_emissaryAuthentication there can be many here, don't get hung-up on this code as it's not really relevant to you, but more so to Build Users
• High level doc here: https://purpleteam-labs.com/doc/next-steps/#3-emissaryauthentication

Basically we want to support as many as possible.

[shaneg07]

	OpenAPI	SOAP	GraphQL	Import URLs	Script Based Authentication	JSON Based Authentication	HTTP/NTLM based authentication	Active	Stars	Pull Requests	Issues	Contributors	Tested Locally	Comments
								[Recent commits or Active PRs/Issues]				[main/minor]
crAPI	✓			✓				✓	249	3 (51 closed)	6 (21 closed)	1 main / 6	✓
juice-shop	✓			✓		✓		✓	7000	0 ((1121 close)	2 (708 closed)	14 main / 77	✓
Damn-Vulnerable-GraphQL-Application			✓	✓	✓			✓	1000	0 (38 closed)	1 (18 closed)	2 main / 1	https://notepad.pw/code/5pa89yk6 as described in Slack
vuln-graphql-ruby			✓		✓			✓ (apr'21)	0	4 (0 closed)	0 (0 closed)	2 main
poc-graphql			✓					✓(sep'20)	339	0	0	1 main
VAmPI	✓			✓	✓			✓	275	0 (12 closed)	1 (7 closed)	2 main / 1	✓
Vulnerable-Web-Services		✓				✓		No	6	0	0	1 main
vulny-spring-soap-api		✓	✓		✓			No	0	0	0	2 main
vulnerable-graphql-api			✓	✓	✓			No	36	0	0	2 main
Pixi	✓			✓	✓			No	54	2(2 closed)	23(7 closed)	2 main
parabank	✓	✓						Yes	31	30(29 closed)	3(3 closed)	2 main