How I Automate Authenticated API Security Testing
This is a short post about automating dynamic application security testing (DAST) of a service API, a task that usually falls under an Application or Product Security effort.
Our tool of choice is OWASP ZAP, an open-source web application security scanner. I prefer the Docker image, since it ships with the runtime and add-ons already in place, so there is no need to install dependencies by hand. The image is published on Docker Hub.
Ideally, developers document the service API as a Postman collection; other times you will find it documented as a Swagger document (Swagger being the earlier name for the OpenAPI specification format). Either one can drive our automated security testing.
If you have a Postman collection, start from Step 1. If you have a Swagger (OpenAPI) spec, jump to Step 2.
- Convert the Postman collection to OpenAPI (Swagger) with postman-to-openapi:
p2o /path/to/PostmantoCollection.json -f /path/to/openapi-result.yaml
- To authenticate the scan, we set the Authorization header (Basic Auth) through a rule for ZAP's Replacer add-on (bundled with ZAP), defined in an options.prop file that ZAP reads as its configuration. A REQ_HEADER rule adds the header to every request ZAP sends, or overwrites it if the request already carries one. Create the file with the content below, where TOKENHERE is base64 of user:password (the Basic scheme encodes, it does not encrypt, so keep this file out of version control and out of build logs):
replacer.full_list(0).description=auth1
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER
replacer.full_list(0).matchstr=Authorization
replacer.full_list(0).regex=false
replacer.full_list(0).replacement=Basic TOKENHERE
- Having pulled the OWASP ZAP Docker image, and with both openapi-result.yaml and options.prop in the current working directory, we can run the automated API scan.
This one-liner runs the packaged ZAP API scan via Docker, mounting the current directory into the container as /zap/wrk, ingesting the converted OpenAPI YAML specification (-t, with -f openapi declaring its format) together with the options.prop replacer config, and writing an XML report into the same directory:
docker run --rm -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable \
zap-api-scan.py -t openapi-result.yaml -f openapi \
-z "-configfile /zap/wrk/options.prop" \
-x report.zap.xml
If you'd like the report in another format, zap-api-scan.py takes -r for an HTML report, -w for Markdown and -J for JSON (they can be combined with -x). For this use case XML was chosen because it is the import format most risk management platforms accept.
From this point, one may take the process a step further and run it in a CI/CD pipeline such as Jenkins or GitLab CI, where the scanner's non-zero exit status on findings, or the alert counts in the XML report, can be used to fail the build.
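The whole procedure above as one script, added here as an example rather than taken from the post. It assumes credentials arrive in the API_USER and API_PASS environment variables, that a Postman export (if present) is named collection.postman.json, and the layout of ZAP's XML report (one alertitem per finding with a riskcode of 0 to 3). It builds the Basic value from user:password, writes options.prop with restrictive permissions and deletes it afterwards, runs the same docker command, and then counts Medium-or-above alerts in the report so a pipeline can fail on them. Without an argument it only exercises the counting logic against a constructed sample report.

```shell
#!/bin/sh
# Added example, not code from the original post: the three steps above as one
# CI-friendly script, plus a gate on the XML report. Assumptions: credentials
# arrive in API_USER / API_PASS, a Postman export (if any) is named
# collection.postman.json, and the ZAP XML report lists each finding as an
# <alertitem> containing <riskcode>N</riskcode> (0 Info .. 3 High).
set -eu

# Basic auth is base64("user:password") with no trailing newline. GNU base64
# wraps at 76 columns, so strip newlines for portability.
basic_auth_value() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Write the Replacer rule ZAP loads via -configfile. It holds a live
# credential, so create it 0600; umask runs in a subshell to stay local.
# $1 = output path, $2 = full header value, e.g. "Basic dXNlcjpwYXNz"
write_options_prop() {
  (
    umask 077
    cat > "$1" <<EOF
replacer.full_list(0).description=auth1
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER
replacer.full_list(0).matchstr=Authorization
replacer.full_list(0).regex=false
replacer.full_list(0).replacement=$2
EOF
  )
}

# Count alerts in ZAP XML report $1 with riskcode >= $2. Prints one integer
# (0 when nothing matches; grep's exit status is masked by the pipeline).
count_alerts_at_or_above() {
  grep -o '<riskcode>[0-3]</riskcode>' "$1" \
    | tr -cd '0-9\n' \
    | awk -v min="$2" '$1 >= min { n++ } END { print n + 0 }'
}

# Constructed sample report (not real scanner output) used for the self-check.
write_sample_report() {
  cat > "$1" <<'EOF'
<?xml version="1.0"?>
<OWASPZAPReport version="2.x">
  <site name="http://api.example.test">
    <alerts>
      <alertitem><alert>X-Content-Type-Options Header Missing</alert><riskcode>1</riskcode></alertitem>
      <alertitem><alert>Application Error Disclosure</alert><riskcode>2</riskcode></alertitem>
      <alertitem><alert>SQL Injection</alert><riskcode>3</riskcode></alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
EOF
}

# Steps 1-3 end to end, then fail the job on anything Medium or above.
run_scan() {
  if [ -f collection.postman.json ]; then
    p2o collection.postman.json -f openapi-result.yaml
  fi
  write_options_prop options.prop "Basic $(basic_auth_value "$API_USER" "$API_PASS")"
  # zap-api-scan.py exits non-zero when it raises alerts; keep going so the
  # gate below decides, then remove the credential file from the workspace.
  docker run --rm -v "$(pwd)":/zap/wrk/:rw -t owasp/zap2docker-stable \
    zap-api-scan.py -t openapi-result.yaml -f openapi \
    -z "-configfile /zap/wrk/options.prop" \
    -x report.zap.xml || true
  rm -f options.prop
  n=$(count_alerts_at_or_above report.zap.xml 2)
  echo "alerts at Medium or above: $n"
  [ "$n" -eq 0 ]
}

if [ "${1:-}" = "run" ]; then
  run_scan
else
  # No argument: self-check the gate against the constructed sample report.
  tmp=$(mktemp)
  write_sample_report "$tmp"
  echo "sample report: $(count_alerts_at_or_above "$tmp" 2) alert(s) at Medium or above"
  rm -f "$tmp"
fi
```

Invoke it as `sh scan.sh run` from the directory that holds the spec, with API_USER and API_PASS exported by the pipeline's secret store rather than written into the job definition; the threshold passed to count_alerts_at_or_above is the only thing to change if the team decides to gate on High only.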