One of the OWASP organization members asked me if I would like to present a method for testing an API secured with RSA keys using ZAP. At first, I wasn’t sure if I could handle it, because in my daily work I use Burp, but as is often the case in our penetration testing profession, you have to keep evolving and exploring new possibilities. That’s why I agreed, and in this article, I describe how you can test an API secured with a request-signing mechanism using RSA keys, this time utilizing Zed Attack Proxy (ZAP) Scripting.