
Introduction

Overview

Welcome to ZAP API Documentation! The Zed Attack Proxy (ZAP) is one of the world's most popular free security tools which lets you automatically find security vulnerabilities in your applications. ZAP also has an extremely powerful API that allows you to do nearly everything that is possible via the desktop interface. This allows the developers to automate pentesting and security regression testing of the application in the CI/CD pipeline.

This document provides example guides & API definitions for ZAP APIs. You can view code examples in the dark area to the right; switch the programming language of the examples with the tabs on the top right. If anything is missing or seems incorrect, please check the FAQs or the GitHub issues for existing known issues. Also, if you are new to ZAP, then check out the getting started guide to learn the basic concepts behind ZAP.

An OpenAPI definition for the ZAP API is available in the main repository, which can be used to generate custom API clients. This definition is planned to be kept up to date for the latest core and add-on releases. Note that currently the definition does not declare the most appropriate types for the parameters and does not contain the responses.

The following are some of the features provided by ZAP:

Have a look at the examples below to learn how to use each of these features via ZAP API.

Documentation Structure

The API documentation is divided into nine main sections.

Basics on the API Request

ZAP APIs provide access to most of the core features of ZAP such as the active scanner and spider. ZAP API is enabled by default in the daemon mode and the desktop mode. If you are using ZAP desktop, then the API can be configured by visiting the following screen:

Tools -> Options -> API.

zap_desktop_api

Please note that not all the operations which are available in the desktop interface are available via the APIs. Future versions of ZAP will increase the functionality/scope available via the APIs.

API URL Format

The API is available via GET and POST endpoints and the response is available in JSON, XML, HTML, and OTHER (custom formats, e.g. HAR) formats. All the response formats return the same information, just in a different format. Based on the use case, choose the appropriate format. For example, to generate easily readable reports use the HTML format and use XML/JSON based response to parse the results quickly.

The following example shows the API URL format of ZAP:

http://zap/<format>/<component>/<operation>/<operation name>[/?<parameters>]

The format can be either JSON, XML or HTML. The operation can be either view, action or other. The view operation is used to return information and the action operation is used to control ZAP. For example, views can be used to generate reports or retrieve results, and actions can be used to start or stop the Spider. The components, operation names and parameters can all be discovered by browsing the API Catalogue.
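The URL format above as a small builder and parser, added here as an example that is not part of the ZAP documentation or client libraries. The function names and the constructed target are assumptions; the X-ZAP-API-Key header is ZAP's alternative to the apikey query parameter and does not appear on this page.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

FORMATS = {"JSON", "XML", "HTML", "OTHER"}
OPERATIONS = {"view", "action", "other"}


def build_api_request(base, fmt, component, operation, name, params=None, api_key=None):
    """Return (url, headers) for one call in the documented URL format."""
    fmt = fmt.upper()
    if fmt not in FORMATS:
        raise ValueError("unknown format: " + fmt)
    if operation not in OPERATIONS:
        raise ValueError("unknown operation: " + operation)
    for segment in (component, name):
        # Assumption: path segments are plain identifiers such as
        # ajaxSpider or recordsToScan, so anything else is rejected.
        if not segment.isalnum():
            raise ValueError("invalid path segment: " + repr(segment))
    url = "{}/{}/{}/{}/{}/".format(base.rstrip("/"), fmt, component, operation, name)
    # Empty optional parameters are simply left out.
    query = {k: v for k, v in (params or {}).items() if v not in (None, "")}
    if query:
        # urlencode percent-encodes every value, so a target URL that carries
        # its own '?' and '&' stays a single 'url' parameter.
        url += "?" + urlencode(query)
    # Sending the key in a header keeps it out of URLs, shell history and logs.
    headers = {"X-ZAP-API-Key": api_key} if api_key else {}
    return url, headers


def parse_api_url(url):
    """Split an API URL back into the parts named in the format string."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 4:
        raise ValueError("expected /<format>/<component>/<operation>/<name>/")
    fmt, component, operation, name = segments
    return {
        "format": fmt,
        "component": component,
        "operation": operation,
        "name": name,
        "params": dict(parse_qsl(parts.query, keep_blank_values=True)),
    }


if __name__ == "__main__":
    # Constructed target whose own query string contains '&'.
    target = "https://example.test/a?b=1&c=2"
    url, headers = build_api_request(
        "http://localhost:8080", "json", "spider", "action", "scan",
        {"url": target, "recurse": "true"}, api_key="constructed-key",
    )
    print(url)
    print(parse_api_url(url)["params"])
    # Pasted unencoded, the same target is split into two parameters.
    raw = "http://localhost:8080/JSON/spider/action/scan/?url=" + target
    print(parse_api_url(raw)["params"])
```

The last call shows why the target must be percent-encoded: without encoding, ZAP receives a truncated `url` value plus a stray `c` parameter.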

Access the API

The REST API can be accessed directly or via one of the client implementations detailed below.
A simple web UI is also available to explore and use the APIs via the browser. This web UI can be accessed via http://zap/ when you are proxying through ZAP, or via the host and port ZAP is listening on, e.g. http://localhost:8080/.

zap_api_ui

By default only the machine ZAP is running on is able to access the APIs. You can allow other machines, that are able to use ZAP as a proxy, access to the API.

Client SDKs

API clients are available for the following languages:

Language | Download links        | Notes
.NET     | NuGet                 | Official API
Java     | GitHub, Maven Central | Official API
Node.js  | NPM                   | Official API
PHP      | GitHub, Packagist     | In process of becoming an official API
Python   | PyPI                  | Official API
Ruby     | GitHub                |

Quick Setup Guide

The quick setup guide focuses on setting up ZAP and a testing application. If you have already set up ZAP, jump to the specific example to experiment with specific features.

Start ZAP

# For Linux, Option 1: using "headless/daemon" mode
$ <ZAP_HOME>/zap.sh -daemon -config api.key=change-me-9203935709
# For Linux, Option 2: using the ZAP desktop app
$ <ZAP_HOME>/zap.sh

# For Windows, run the exe file or the zap.bat script to start ZAP

To install ZAP, go to ZAP's home page and download the installer specific to the operating system. After extracting the bundle you can start ZAP by issuing the following command shown in the right column.

The API key must be specified on all API actions and some other operations. The API key is used to prevent malicious sites from accessing ZAP API.

Setup a Testing Application

If you already have a website to scan or to perform security testing on, then obtain the URL/IP of the application to begin the scanning. The example guide uses Google's Firing Range and OWASP Juice Shop to perform the security testing. The Spidering and Attacking examples use the public instance of the Firing Range, and OWASP Juice Shop is used to showcase the Authentication examples of ZAP.

The following is a list of publicly available vulnerable applications that you can also use in conjunction with ZAP.

Getting Help

All available APIs are documented in the API Catalogue. If you are new to ZAP, it's highly recommended that you experiment with the desktop UI before trying out the APIs, because ZAP's APIs strongly resemble the desktop UI. By working with the UI, you will get a good understanding of how to orchestrate ZAP's APIs. Also, use the export config functionality from the desktop UI to export complex configurations such as contexts, scan policies, etc. Then use the exported configurations when creating the automation scripts.

ZAP has a very friendly and active developer community. Always feel free to raise a question in the ZAP users forum or Stack Overflow for issues related to ZAP. Also, use ZAP's GitHub repository to raise a bug report or to make a feature request.

Stay tuned on twitter @zaproxy.

Exploring the App

To expose content and functionality for ZAP to test, the target application should be explored before performing any scan or attack. The more you explore your app, the more accurate the results will be. If the application is not explored very well, it will reduce the vulnerabilities ZAP can find.

The following are some of the options to explore the site by using ZAP. You can use multiple approaches in a combination to get more complete coverage of the application.

Using Spider

#!/usr/bin/env python
import time
from zapv2 import ZAPv2

# The URL of the application to be tested
target = 'https://public-firing-range.appspot.com'
# Change to match the API key set in ZAP, or use None if the API key is disabled
apiKey = 'changeMe'

# By default ZAP API client will connect to port 8080
zap = ZAPv2(apikey=apiKey)
# Use the line below if ZAP is not listening on port 8080, for example, if listening on port 8090
# zap = ZAPv2(apikey=apiKey, proxies={'http': 'http://127.0.0.1:8090', 'https': 'http://127.0.0.1:8090'})

print('Spidering target {}'.format(target))
# The scan returns a scan id to support concurrent scanning
scanID = zap.spider.scan(target)
while int(zap.spider.status(scanID)) < 100:
    # Poll the status until it completes
    print('Spider progress %: {}'.format(zap.spider.status(scanID)))
    time.sleep(1)

print('Spider has completed!')
# Prints the URLs the spider has crawled
print('\n'.join(map(str, zap.spider.results(scanID))))
# If required post process the spider results

# TODO: Explore the Application more with Ajax Spider or Start scanning the application for vulnerabilities
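import java.util.List;

import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ApiResponseList;
import org.zaproxy.clientapi.core.ClientApi;

public class Spider {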

    private static final String ZAP_ADDRESS = "localhost";
    private static final int ZAP_PORT = 8080;
    // Change to match the API key set in ZAP, or use NULL if the API key is disabled
    private static final String ZAP_API_KEY = "change me";
    // The URL of the application to be tested
    private static final String TARGET = "https://public-firing-range.appspot.com";

    public static void main(String[] args) {
        ClientApi api = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);

        try {
            // Start spidering the target
            System.out.println("Spidering target : " + TARGET);
            ApiResponse resp = api.spider.scan(TARGET, null, null, null, null);
            String scanID;
            int progress;

            // The scan returns a scan id to support concurrent scanning
            scanID = ((ApiResponseElement) resp).getValue();
            // Poll the status until it completes
            while (true) {
                Thread.sleep(1000);
                progress = Integer.parseInt(((ApiResponseElement) api.spider.status(scanID)).getValue());
                System.out.println("Spider progress : " + progress + "%");
                if (progress >= 100) {
                    break;
                }
            }
            System.out.println("Spider completed");
            // If required post process the spider results
            List<ApiResponse> spiderResults = ((ApiResponseList) api.spider.results(scanID)).getItems();

            // TODO: Explore the Application more with Ajax Spider or Start scanning the application for vulnerabilities

        } catch (Exception e) {
            System.out.println("Exception : " + e.getMessage());
            e.printStackTrace();
        }
    }
}
# To start the Spider scan (Response: Scan ID). Modify the API Key and URL to suit the target
$ curl "http://localhost:8080/JSON/spider/action/scan/?apikey=<ZAP_API_KEY>&url=https://public-firing-range.appspot.com&contextName=&recurse="

# To view the scan status/ percentage of work done
$ curl "http://localhost:8080/JSON/spider/view/status/?apikey=<ZAP_API_KEY>&scanId=<SCAN_ID>"

# To view the scan results
$ curl "http://localhost:8080/JSON/spider/view/results/?apikey=<ZAP_API_KEY>&scanId=<SCAN_ID>"

# To stop the scanning
$ curl "http://localhost:8080/JSON/spider/action/stop/?apikey=<ZAP_API_KEY>&scanId=<SCAN_ID>"
# To pause the scanning
$ curl "http://localhost:8080/JSON/spider/action/pause/?apikey=<ZAP_API_KEY>&scanId=<SCAN_ID>"
# To resume the scanning
$ curl "http://localhost:8080/JSON/spider/action/resume/?apikey=<ZAP_API_KEY>&scanId=<SCAN_ID>"

The Spider is a tool that is used to automatically discover new resources (URLs) on a particular site. It begins with a list of URLs to visit, called the seeds, which depends on how the Spider is started. The Spider then visits these URLs, identifies all the hyperlinks in each page and adds them to the list of URLs to visit, and the process continues recursively as long as new resources are found. Each response type is processed differently in ZAP. All the available endpoints for the spider can be found in the spider section.

Start the Spider

The Spiders explore the site and they don't actually do any scanning. The resources crawled by the Spider(s) are passively scanned in the background via the Passive Scanner. The scan API runs the spider against the given URL. Optionally, the 'maxChildren' parameter can be set to limit the number of children scanned and the 'recurse' parameter can be used to prevent the spider from seeding recursively. The parameter 'subtreeOnly' restricts the spider to a site's subtree (using the specified 'URL'). The parameter 'contextName' can be used to constrain the scan to a Context. View the context example to understand how to create a context with the ZAP API.

The code sample on the right recursively scans the application with the provided URL. The scan ID is returned as a response when starting the Spider. Use this scan ID to perform any additional actions or to retrieve any views from the Spider API.

View Status

The spider scan is an asynchronous request and the time to complete the task will vary depending on the complexity of the web application. The scan ID returned when starting the spider should be used to obtain the results of the crawling. Execute the status API to get the status/percentage of work done by the Spider.

View Spider Results

The results of the crawling can be obtained via the results API. The following image shows the JSON sample response provided by the results API, listing all the resources crawled by Spider.

spider results

Stop or Pause the Spider

If the scanning takes more time than expected, you can stop or pause it using the stop or pause APIs. Additional APIs are available in the API Catalogue to pause, resume or stop all the scanning processes.

The advanced section on Spider contains more examples on how to tweak/improve the Spider results.

Using Ajax Spider

#!/usr/bin/env python
import time
from zapv2 import ZAPv2

# The URL of the application to be tested
target = 'https://public-firing-range.appspot.com'
# Change to match the API key set in ZAP, or use None if the API key is disabled
apiKey = 'changeme'

# By default ZAP API client will connect to port 8080
zap = ZAPv2(apikey=apiKey)
# Use the line below if ZAP is not listening on port 8080, for example, if listening on port 8090
# zap = ZAPv2(apikey=apiKey, proxies={'http': 'http://127.0.0.1:8090', 'https': 'http://127.0.0.1:8090'})

print('Ajax Spider target {}'.format(target))
scanID = zap.ajaxSpider.scan(target)

timeout = time.time() + 60*2   # 2 minutes from now
# Loop until the ajax spider has finished or the timeout has exceeded
while zap.ajaxSpider.status == 'running':
    if time.time() > timeout:
        break
    print('Ajax Spider status: ' + zap.ajaxSpider.status)
    time.sleep(2)

print('Ajax Spider completed')
ajaxResults = zap.ajaxSpider.results(start=0, count=10)
# If required perform additional operations with the Ajax Spider results

# TODO: Start scanning the application to find vulnerabilities
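import java.util.List;
import java.util.concurrent.TimeUnit;

import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ApiResponseList;
import org.zaproxy.clientapi.core.ClientApi;

public class AjaxSpider {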

    private static final int ZAP_PORT = 8080;
    private static final String ZAP_API_KEY = null;
    private static final String ZAP_ADDRESS = "localhost";
    private static final String TARGET = "https://public-firing-range.appspot.com";

    public static void main(String[] args) {
        // Create the ZAP Client
        ClientApi api = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);

        try {
            // Start spidering the target
            System.out.println("Ajax Spider target : " + TARGET);
            ApiResponse resp = api.ajaxSpider.scan(TARGET, null, null, null);
            String status;

            long startTime = System.currentTimeMillis();
            long timeout = TimeUnit.MINUTES.toMillis(2); // Two minutes in milliseconds
            // Loop until the ajax spider has finished or the timeout has exceeded
            while (true) {
                Thread.sleep(2000);
                status = (((ApiResponseElement) api.ajaxSpider.status()).getValue());
                System.out.println("Spider status : " + status);
                // Leave the loop once the spider has stopped or the timeout has elapsed
                if ("stopped".equals(status) || (System.currentTimeMillis() - startTime) >= timeout) {
                    break;
                }
            }
            System.out.println("Ajax Spider completed");
            // Perform additional operations with the Ajax Spider results
            List<ApiResponse> ajaxSpiderResponse = ((ApiResponseList) api.ajaxSpider.results("0", "10")).getItems();

            // TODO: Start scanning(passive/active scan) the application to find vulnerabilities

        } catch (Exception e) {
            System.out.println("Exception : " + e.getMessage());
            e.printStackTrace();
        }
    }
}
# To start the Ajax Spider
$ curl "http://localhost:8080/JSON/ajaxSpider/action/scan/?apikey=<ZAP_API_KEY>&url=<URL>&inScope=&contextName=&subtreeOnly="

# To view the status
$ curl "http://localhost:8080/JSON/ajaxSpider/view/status/?apikey=<ZAP_API_KEY>"

# To view the number of results
$ curl "http://localhost:8080/JSON/ajaxSpider/view/numberOfResults/?apikey=<ZAP_API_KEY>"

# To view the results
$ curl "http://localhost:8080/JSON/ajaxSpider/view/fullResults/?apikey=<ZAP_API_KEY>"

# To stop the Ajax Spider
$ curl "http://localhost:8080/JSON/ajaxSpider/action/stop/?apikey=<ZAP_API_KEY>"

Use the Ajax Spider if you have applications which heavily depend on Ajax or JavaScript. The Ajax Spider allows you to crawl web applications written in Ajax in far more depth than the traditional Spider. You should also use the traditional Spider for complete coverage of an application (e.g. to cover HTML comments).

Start Ajax Spider

The scan API starts the Ajax Spider based on a given URL. Similar to the traditional Spider, the Ajax Spider can also be limited to a context or scope. The parameter 'contextName' can be used to constrain the scan to a Context; the option 'inScope' is ignored if a context is also specified. The parameter 'subtreeOnly' restricts the spider to a site's subtree (using the specified 'URL').

View Status

Unlike the traditional Spider, Ajax Spider does not provide a percentage for the work to be done. Use the status endpoint to identify whether the Ajax Spider is still active or finished.

View Results

Similar to the Traditional Spider, the Ajax Spider's results API can be used to view the resources which are crawled by the Ajax Spider. The following image shows a sample response given by the API.

ajax_spider_results

Stop the Ajax Spider

The Ajax Spider does not indicate how many resources are left to be crawled. Therefore, if the Ajax Spider takes more time than expected, it can be stopped by using the stop API.

View the advanced section on Ajax Spider to learn more about how to further fine-tune the results of the Ajax Spider.

Attacking the App

The application should be explored before starting to scan for security vulnerabilities. If you haven't done that, look at the explore section on how to explore the web application. The following section provides examples on how to use the Passive and Active Scanner to find security vulnerabilities in the application.

Using Passive Scan

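import java.nio.charset.StandardCharsets;

import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;

public class PassiveScan {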

    private static final int ZAP_PORT = 8080;
    private static final String ZAP_API_KEY = null;
    private static final String ZAP_ADDRESS = "localhost";

    public static void main(String[] args) {
        ClientApi api = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);
        int numberOfRecords;

        try {
            // TODO : explore the app (Spider, etc) before using the Passive Scan API, Refer the explore section for details
            // Loop until the passive scan has finished
            while (true) {
                Thread.sleep(2000);
                numberOfRecords = Integer.parseInt(((ApiResponseElement) api.pscan.recordsToScan()).getValue());
                System.out.println("Number of records left for scanning : " + numberOfRecords);
                if (numberOfRecords == 0) {
                    break;
                }
            }
            System.out.println("Passive Scan completed");

            // Print Passive scan results/alerts
            System.out.println("Alerts:");
            System.out.println(new String(api.core.xmlreport(), StandardCharsets.UTF_8));

        } catch (Exception e) {
            System.out.println("Exception : " + e.getMessage());
            e.printStackTrace();
        }
    }
}
#!/usr/bin/env python
import time
from pprint import pprint
from zapv2 import ZAPv2

apiKey = 'changeme'
target = 'https://public-firing-range.appspot.com'
zap = ZAPv2(apikey=apiKey, proxies={'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'})

# TODO : explore the app (Spider, etc) before using the Passive Scan API, Refer the explore section for details
while int(zap.pscan.records_to_scan) > 0:
    # Loop until the passive scan has finished
    print('Records to passive scan : ' + zap.pscan.records_to_scan)
    time.sleep(2)

print('Passive Scan completed')

# Print Passive scan results/alerts
print('Hosts: {}'.format(', '.join(zap.core.hosts)))
print('Alerts: ')
pprint(zap.core.alerts())
# To view the number of records left to be scanned
$ curl "http://localhost:8080/JSON/pscan/view/recordsToScan/?apikey=<ZAP_API_KEY>"

# To view the alerts of passive scan
$ curl "http://localhost:8080/JSON/core/view/alerts/?apikey=<ZAP_API_KEY>&baseurl=<TARGET_URL>&start=0&count=10"

All requests that are proxied through ZAP or initialised by tools like the Spider are passively scanned. You do not have to manually start the passive scan process; by default ZAP passively scans all HTTP and WebSocket messages (requests and responses) which are sent to the application.

Passive scanning does not change the requests nor the responses in any way and is therefore safe to use. This is good for finding problems like missing security headers or missing anti CSRF tokens but is no good for finding vulnerabilities like XSS which require malicious requests to be sent - that's the job of the active scanner.

View the Status

As the records are passively scanned it will take additional time to complete the full scan. After the crawling is completed use the recordsToScan API to obtain the number of records left to be scanned. After the scanning has completed the alerts can be obtained via the alerts endpoint(s).

View the advanced section to know how to configure additional parameters of Passive Scan.

Using Active Scan

Active scanning attempts to find potential vulnerabilities by using known attacks against the selected targets. Active scanning is an attack on those targets. You should NOT use it on applications that you do not have permission to test.

Start Active Scanner

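import java.nio.charset.StandardCharsets;

import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;

public class ActiveScan {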

    private static final int ZAP_PORT = 8080;
    private static final String ZAP_API_KEY = null;
    private static final String ZAP_ADDRESS = "localhost";
    private static final String TARGET = "https://public-firing-range.appspot.com";

    public static void main(String[] args) {

        ClientApi api = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);

        try {
            // TODO : explore the app (Spider, etc) before using the Active Scan API, Refer the explore section
            System.out.println("Active Scanning target : " + TARGET);
            ApiResponse resp = api.ascan.scan(TARGET, "True", "False", null, null, null);
            String scanid;
            int progress;

            // The scan now returns a scan id to support concurrent scanning
            scanid = ((ApiResponseElement) resp).getValue();
            // Poll the status until it completes
            while (true) {
                Thread.sleep(5000);
                progress =
                        Integer.parseInt(
                                ((ApiResponseElement) api.ascan.status(scanid)).getValue());
                System.out.println("Active Scan progress : " + progress + "%");
                if (progress >= 100) {
                    break;
                }
            }

            System.out.println("Active Scan complete");
            // Print vulnerabilities found by the scanning
            System.out.println("Alerts:");
            System.out.println(new String(api.core.xmlreport(), StandardCharsets.UTF_8));

        } catch (Exception e) {
            System.out.println("Exception : " + e.getMessage());
            e.printStackTrace();
        }
    }
}
#!/usr/bin/env python
import time
from pprint import pprint
from zapv2 import ZAPv2

apiKey = 'changeme'
target = 'https://public-firing-range.appspot.com'
zap = ZAPv2(apikey=apiKey, proxies={'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'})

# TODO : explore the app (Spider, etc) before using the Active Scan API, Refer the explore section
print('Active Scanning target {}'.format(target))
scanID = zap.ascan.scan(target)
while int(zap.ascan.status(scanID)) < 100:
    # Loop until the scanner has finished
    print('Scan progress %: {}'.format(zap.ascan.status(scanID)))
    time.sleep(5)

print('Active Scan completed')
# Print vulnerabilities found by the scanning
print('Hosts: {}'.format(', '.join(zap.core.hosts)))
print('Alerts: ')
pprint(zap.core.alerts(baseurl=target))
# To start the active scan
$ curl "http://localhost:8080/JSON/ascan/action/scan/?apikey=<ZAP_API_KEY>&url=<TARGET_URL>&recurse=true&inScopeOnly=&scanPolicyName=&method=&postData=&contextId="

# To view the status of active scan
$ curl "http://localhost:8080/JSON/ascan/view/status/?apikey=<ZAP_API_KEY>&scanId=<SCAN_ID>"

# To view the alerts of active scan
$ curl "http://localhost:8080/JSON/core/view/alerts/?apikey=<ZAP_API_KEY>&baseurl=<TARGET_URL>&start=0&count=10"

# To stop the active scan
$ curl "http://localhost:8080/JSON/ascan/action/stop/?apikey=<ZAP_API_KEY>&scanId=<SCAN_ID>"

The scan endpoint runs the active scanner against the given URL or Context. Optionally, the 'recurse' parameter can be used to scan URLs under the given URL, and the parameter 'inScopeOnly' can be used to constrain the scan to URLs that are in scope (ignored if a Context is specified). The parameter 'scanPolicyName' specifies the scan policy (if none is given, the default scan policy is used). The parameters 'method' and 'postData' select a given request in conjunction with the given URL.

View the advanced settings to learn how to configure the context, scope, and scan policy with ZAP APIs.

View Status

The status API provides the percentage of scanning done by the active scanner. The scan ID returned via starting the Active Scan should be used to query the status of the scanner.

View Results

Similar to the passive scan results, the active scan results can be viewed using the same alerts endpoint(s). The alerts endpoint(s) will show the consolidated results of Passive and Active Scan.

Stop Active Scanning

Use the stop API to stop a long running active scan. Optionally you can use the stopAllScans endpoints or pause endpoint to stop and pause the active scanning.

It should be noted that active scanning can only find certain types of vulnerabilities. Logical vulnerabilities, such as broken access control, will not be found by any active or automated vulnerability scanning. Manual penetration testing should always be performed in addition to active scanning to find all types of vulnerabilities.

Getting the Results

#!/usr/bin/env python
from zapv2 import ZAPv2

# The URL of the application to be tested
target = 'https://public-firing-range.appspot.com'
# Change to match the API key set in ZAP, or use None if the API key is disabled
apiKey = 'changeMe'

# By default ZAP API client will connect to port 8080
zap = ZAPv2(apikey=apiKey)
# Use the line below if ZAP is not listening on port 8080, for example, if listening on port 8090
# zap = ZAPv2(apikey=apiKey, proxies={'http': 'http://127.0.0.1:8090', 'https': 'http://127.0.0.1:8090'})

# TODO: Check if the scanning has completed

# Retrieve the alerts using paging in case there are lots of them
st = 0
pg = 5000
alert_dict = {}
alert_count = 0
alerts = zap.alert.alerts(baseurl=target, start=st, count=pg)
blacklist = ['1', '2']  # pluginId values are returned as strings
while len(alerts) > 0:
    print('Reading ' + str(pg) + ' alerts from ' + str(st))
    alert_count += len(alerts)
    for alert in alerts:
        plugin_id = alert.get('pluginId')
        if plugin_id in blacklist:
            continue
        if alert.get('risk') == 'High':
            # Trigger any relevant postprocessing
            continue
        if alert.get('risk') == 'Informational':
            # Ignore all info alerts - some of them may have been downgraded by security annotations
            continue
    st += pg
    alerts = zap.alert.alerts(baseurl=target, start=st, count=pg)
print('Total number of alerts: ' + str(alert_count))
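import java.util.Arrays;
import java.util.List;
import java.util.Map;

import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseList;
import org.zaproxy.clientapi.core.ApiResponseSet;
import org.zaproxy.clientapi.core.ClientApi;

public class Alerts {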

    private static final String ZAP_ADDRESS = "localhost";
    private static final int ZAP_PORT = 8080;
    // Change to match the API key set in ZAP, or use NULL if the API key is disabled
    private static final String ZAP_API_KEY = "change me";
    // The URL of the application to be tested
    private static final String TARGET = "https://public-firing-range.appspot.com";

    private static List<String> blackListPlugins = Arrays.asList("1000", "1025");


    public static void main(String[] args) {
        ClientApi api = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);

        try {
            // TODO: Check if the scanning has completed

            // Retrieve the alerts using paging in case there are lots of them
            int start = 0;
            int count = 5000;
            int alertCount = 0;
            ApiResponse resp = api.alert.alerts(TARGET, String.valueOf(start), String.valueOf(count), null);

            while (((ApiResponseList) resp).getItems().size() != 0) {
                System.out.println("Reading " + count + " alerts from " + start);
                alertCount += ((ApiResponseList) resp).getItems().size();

                for (ApiResponse l : (((ApiResponseList) resp).getItems())) {

                    Map<String, ApiResponse> element = ((ApiResponseSet) l).getValuesMap();
                    if (blackListPlugins.contains(element.get("pluginId").toString())) {
                        // TODO: Trigger any relevant postprocessing
                    } else if ("High".equals(element.get("risk").toString())) {
                        // TODO: Trigger any relevant postprocessing
                    } else if ("Informational".equals(element.get("risk").toString())) {
                        // TODO: Ignore all info alerts - some of them may have been downgraded by security annotations
                    }
                }
                start += count;
                resp = api.alert.alerts(TARGET, String.valueOf(start), String.valueOf(count), null);
            }
            System.out.println("Total number of Alerts: " + alertCount);

        } catch (Exception e) {
            System.out.println("Exception : " + e.getMessage());
            e.printStackTrace();
        }
    }
}
# To view the alerts
$ curl "http://localhost:8080/JSON/alert/view/alerts/?apikey=<ZAP_API_KEY>&baseurl=<BASE_URL>&start=0&count=5000&riskId="

# To view the summary of the alerts
$ curl "http://localhost:8080/JSON/alert/view/alertsSummary/?apikey=<ZAP_API_KEY>&baseurl=<BASE_URL>"

# To view alerts by risk category
$ curl "http://localhost:8080/JSON/alert/view/alertsByRisk/?apikey=<ZAP_API_KEY>&url=<BASE_URL>&recurse="

After the scanning (Active/Passive) completes, ZAP provides the security vulnerabilities in the form of alerts. The alerts are categorized into high-priority, medium-priority, low-priority and informational risks. The priority indicates the degree of risk associated with each alert. For example, a high-priority risk means that the issues listed in that category have more threat or risk potential than a medium-priority alert.

The alerts endpoint provides all the alerts which are identified by ZAP. View the sample code on the right to retrieve the alerts from the alerts endpoint. The results can be used to raise security alerts in the CI/CD pipeline or to trigger any custom workflows.

alert_sample

The alerts summary returns the number of alerts grouped by risk level, optionally filtered by URL. A summary report can also be generated using the core module. Use the htmlreport, jsonreport or xmlreport endpoint to generate this summary report. The following image shows the report generated via the HTML report API. The report categorizes the alerts by risk level and provides a brief description of each alert.

html report

Getting Authenticated

The target application for testing might have a portion of the functionality that is only available for a logged-in user. In order to get full test coverage of the application you need to test the application with a logged-in user as well. Therefore it's very important to understand how to perform authenticated scans with ZAP. ZAP has several means to authenticate your application and keep track of the authentication state. The following are some of the options available for authentication with ZAP.

The examples below show three authentication workflows. A simple form-based authentication is showcased with the use of the Bodgeit application. The second example shows the script-based authentication using the Damn Vulnerable Web Application(DVWA). The third example shows a more complicated authentication workflow using the JSON and script-based authentication using the OWASP Juice Shop.

General Steps

The following are the general steps when configuring the application authentication with ZAP.

Step 1. Define a context

Contexts are a way of relating a set of URLs together. The URLs are defined as a set of regular expressions (regex). You should include the target application inside the context. Unwanted URLs, such as the logout page and the password change functionality, should be added to the "Exclude from Context" section.

Step 2. Set the authentication mechanism

Choose the appropriate login mechanism for your application. If your application supports a simple form-based login, then choose the form-based authentication method. For complex login workflows, you can use the script-based login to define custom authentication workflows.

Step 3. Define your auth parameters

You need to provide the settings that tell ZAP how to communicate with the authentication service of your application. In general, these settings include the login URL and the payload format (username & password). The required parameters differ between authentication methods.

Step 4. Set relevant logged in/out indicators

ZAP additionally needs hints to identify whether the application is authenticated or not. To verify the authentication status, ZAP supports logged in/out regexes. These are regex patterns that you should configure to match strings in the responses which indicate if the user is logged in or logged out.

Step 5. Add a valid user and password

Add a user account (an existing user in your application) with valid credentials in ZAP. You can create multiple users if your application exposes different functionality based on user roles. Additionally, you should also set valid session management when configuring the authentication for your application. Currently, ZAP supports cookie-based session management and HTTP authentication based session management.

Step 6. Enable forced user mode (Optional)

Now enable the "Forced User Mode disabled - click to enable" button. Pressing this button will cause ZAP to resend the authentication request whenever it detects that the user is no longer logged in, i.e. by using the 'logged in' or 'logged out' indicator. Note that forced user mode is ignored for scans that already have a user set.
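A pre-flight check for the indicators of Step 4, as an added example that is not part of the ZAP documentation or client: it runs a logged in/out regex pair over captured responses and flags any response that both or neither pattern matches. The two regexes are the DVWA indicators from this page's script-based example; the helper names, the sample responses and the choice to match against headers plus body are assumptions of this example.

```python
import re

# Indicators as used for DVWA on this page (Java regex syntax).
LOGGED_IN = r'\Q<a href="logout.php">Logout</a>\E'
LOGGED_OUT = r'(?:Location: [./]*login\.php)|(?:\Q<form action="login.php" method="post">\E)'

# Constructed responses: header block, blank line, body.
SAMPLES = {
    "dashboard": 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
                 '<ul><li><a href="logout.php">Logout</a></li></ul>',
    "redirect": 'HTTP/1.1 302 Found\r\nLocation: login.php\r\n\r\n',
    "login_form": 'HTTP/1.1 200 OK\r\n\r\n'
                  '<form action="login.php" method="post"><input name="user_token"></form>',
    "logout_notice": 'HTTP/1.1 200 OK\r\n\r\n<p>Logout complete.</p>'
                     '<form action="login.php" method="post"></form>',
    "static_asset": 'HTTP/1.1 200 OK\r\nContent-Type: text/css\r\n\r\nbody { margin: 0 }',
}


def java_quotes_to_python(pattern):
    # Java quotes literal text with \Q...\E; Python's re has no such construct,
    # so each quoted span is replaced by its re.escape() form. An unterminated
    # \Q quotes everything up to the end of the pattern, as in Java.
    out, pos = [], 0
    while True:
        start = pattern.find("\\Q", pos)
        if start == -1:
            out.append(pattern[pos:])
            return "".join(out)
        end = pattern.find("\\E", start + 2)
        literal_end = len(pattern) if end == -1 else end
        out.append(pattern[pos:start])
        out.append(re.escape(pattern[start + 2:literal_end]))
        pos = len(pattern) if end == -1 else end + 2


def classify(response, logged_in, logged_out):
    """Label one response by which indicator(s) match it."""
    is_in = re.search(java_quotes_to_python(logged_in), response) is not None
    is_out = re.search(java_quotes_to_python(logged_out), response) is not None
    if is_in and is_out:
        return "ambiguous"   # indicators overlap: tighten one of them
    if is_in:
        return "logged_in"
    if is_out:
        return "logged_out"
    return "no_match"        # neither indicator says anything about this response


def audit(samples, logged_in, logged_out):
    """Classify every named sample response."""
    return {name: classify(text, logged_in, logged_out) for name, text in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES, LOGGED_IN, LOGGED_OUT).items():
        print("%-14s %s" % (name, verdict))
    # A bare word is too broad: it also matches the post-logout page.
    print("weak indicator:", classify(SAMPLES["logout_notice"], "Logout", LOGGED_OUT))
```

Run it against responses exported from the History tab for both states before starting an authenticated scan; an `ambiguous` or unexpected `no_match` verdict on a page that should decide the state means the scan may proceed unauthenticated without any error.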

Form Based Authentication

#!/usr/bin/env python
import urllib.parse
from zapv2 import ZAPv2

context_id = 1
apikey = 'changeMe'
context_name = 'Default Context'
target_url = 'http://localhost:8090/bodgeit'

# By default ZAP API client will connect to port 8080
zap = ZAPv2(apikey=apikey)


# Use the line below if ZAP is not listening on port 8080, for example, if listening on port 8090
# zap = ZAPv2(apikey=apikey, proxies={'http': 'http://127.0.0.1:8090', 'https': 'http://127.0.0.1:8090'})

def set_include_in_context():
    exclude_url = 'http://localhost:8090/bodgeit/logout.jsp'
    include_url = 'http://localhost:8090/bodgeit.*'
    zap.context.include_in_context(context_name, include_url)
    zap.context.exclude_from_context(context_name, exclude_url)
    print('Configured include and exclude regex(s) in context')


def set_logged_in_indicator():
    # Raw string: \Q and \E are regex quoting markers, not Python escape sequences
    logged_in_regex = r'\Q<a href="logout.jsp">Logout</a>\E'
    zap.authentication.set_logged_in_indicator(context_id, logged_in_regex)
    print('Configured logged in indicator regex: ')


def set_form_based_auth():
    login_url = 'http://localhost:8090/bodgeit/login.jsp'
    login_request_data = 'username={%username%}&password={%password%}'
    form_based_config = 'loginUrl=' + urllib.parse.quote(login_url) + '&loginRequestData=' + urllib.parse.quote(login_request_data)
    zap.authentication.set_authentication_method(context_id, 'formBasedAuthentication', form_based_config)
    print('Configured form based authentication')


def set_user_auth_config():
    user = 'Test User'
    username = 'test@example.com'
    password = 'weakPassword'

    user_id = zap.users.new_user(context_id, user)
    user_auth_config = 'username=' + urllib.parse.quote(username) + '&password=' + urllib.parse.quote(password)
    zap.users.set_authentication_credentials(context_id, user_id, user_auth_config)
    zap.users.set_user_enabled(context_id, user_id, 'true')
    zap.forcedUser.set_forced_user(context_id, user_id)
    zap.forcedUser.set_forced_user_mode_enabled('true')
    print('User Auth Configured')
    return user_id


def start_spider(user_id):
    zap.spider.scan_as_user(context_id, user_id, target_url, recurse='true')
    print('Started Scanning with Authentication')


set_include_in_context()
set_form_based_auth()
set_logged_in_indicator()
user_id_response = set_user_auth_config()
start_spider(user_id_response)

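import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

public class FormAuth {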

    private static final String ZAP_ADDRESS = "localhost";
    private static final int ZAP_PORT = 8080;
    private static final String ZAP_API_KEY = null;
    private static final String contextId = "1";
    private static final String contextName = "Default Context";
    private static final String target = "http://localhost:8090/bodgeit";

    private static void setIncludeAndExcludeInContext(ClientApi clientApi) throws UnsupportedEncodingException, ClientApiException {
        String includeInContext = "http://localhost:8090/bodgeit.*";
        String excludeInContext = "http://localhost:8090/bodgeit/logout.jsp";

        clientApi.context.includeInContext(contextName, includeInContext);
        clientApi.context.excludeFromContext(contextName, excludeInContext);
    }


    private static void setLoggedInIndicator(ClientApi clientApi) throws UnsupportedEncodingException, ClientApiException {
        // Prepare values to set, with the logged in indicator as a regex matching the logout link
        String loggedInIndicator = "<a href=\"logout.jsp\">Logout</a>";

        // Actually set the logged in indicator
        clientApi.authentication.setLoggedInIndicator(contextId, java.util.regex.Pattern.quote(loggedInIndicator));

        // Check out the logged in indicator that is set
        System.out.println("Configured logged in indicator regex: "
                + ((ApiResponseElement) clientApi.authentication.getLoggedInIndicator(contextId)).getValue());
    }

    private static void setFormBasedAuthenticationForBodgeit(ClientApi clientApi) throws ClientApiException,
            UnsupportedEncodingException {
        // Setup the authentication method

        String loginUrl = "http://localhost:8090/bodgeit/login.jsp";
        String loginRequestData = "username={%username%}&password={%password%}";

        // Prepare the configuration in a format similar to how URL parameters are formed. This
        // means that any value we add for the configuration values has to be URL encoded.
        StringBuilder formBasedConfig = new StringBuilder();
        formBasedConfig.append("loginUrl=").append(URLEncoder.encode(loginUrl, "UTF-8"));
        formBasedConfig.append("&loginRequestData=").append(URLEncoder.encode(loginRequestData, "UTF-8"));

        System.out.println("Setting form based authentication configuration as: "
                + formBasedConfig.toString());
        clientApi.authentication.setAuthenticationMethod(contextId, "formBasedAuthentication",
                formBasedConfig.toString());

        // Check if everything is set up ok
        System.out
                .println("Authentication config: " + clientApi.authentication.getAuthenticationMethod(contextId).toString(0));
    }

    private static String setUserAuthConfigForBodgeit(ClientApi clientApi) throws ClientApiException, UnsupportedEncodingException {
        // Prepare info
        String user = "Test User";
        String username = "test@example.com";
        String password = "weakPassword";

        // Make sure we have at least one user
        String userId = extractUserId(clientApi.users.newUser(contextId, user));

        // Prepare the configuration in a format similar to how URL parameters are formed. This
        // means that any value we add for the configuration values has to be URL encoded.
        StringBuilder userAuthConfig = new StringBuilder();
        userAuthConfig.append("username=").append(URLEncoder.encode(username, "UTF-8"));
        userAuthConfig.append("&password=").append(URLEncoder.encode(password, "UTF-8"));

        System.out.println("Setting user authentication configuration as: " + userAuthConfig.toString());
        clientApi.users.setAuthenticationCredentials(contextId, userId, userAuthConfig.toString());
        clientApi.users.setUserEnabled(contextId, userId, "true");
        clientApi.forcedUser.setForcedUser(contextId, userId);
        clientApi.forcedUser.setForcedUserModeEnabled(true);

        // Check if everything is set up ok
        System.out.println("Authentication config: " + clientApi.users.getUserById(contextId, userId).toString(0));
        return userId;
    }

    private static String extractUserId(ApiResponse response) {
        return ((ApiResponseElement) response).getValue();
    }

    private static void scanAsUser(ClientApi clientApi, String userId) throws ClientApiException {
        clientApi.spider.scanAsUser(contextId, userId, target, null, "true", null);
    }

    /**
     * The main method.
     *
     * @param args the arguments
     * @throws ClientApiException
     * @throws UnsupportedEncodingException
     */
    public static void main(String[] args) throws ClientApiException, UnsupportedEncodingException {
        ClientApi clientApi = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);

        setIncludeAndExcludeInContext(clientApi);
        setFormBasedAuthenticationForBodgeit(clientApi);
        setLoggedInIndicator(clientApi);
        String userId = setUserAuthConfigForBodgeit(clientApi);
        scanAsUser(clientApi, userId);
    }
}

# To include in default context
curl 'http://localhost:8080/JSON/context/action/includeInContext/?contextName=Default+Context&regex=http%3A%2F%2Flocalhost%3A8090%2Fbodgeit.*'

# Set login details (URL Encoded)
curl 'http://localhost:8080/JSON/authentication/action/setAuthenticationMethod/?contextId=1&authMethodName=formBasedAuthentication&authMethodConfigParams=loginUrl%3Dhttp%3A%2F%2Flocalhost%3A8090%2Fbodgeit%2Flogin.jsp%26loginRequestData%3Dusername%253D%257B%2525username%2525%257D%2526password%253D%257B%2525password%2525%257D'

# To set the login indicator
curl 'http://localhost:8080/JSON/authentication/action/setLoggedInIndicator/?contextId=1&loggedInIndicatorRegex=%5CQ%3Ca+href%3D%22logout.jsp%22%3ELogout%3C%2Fa%3E%5CE'

# To create a user (The first user id is: 0)
curl 'http://localhost:8080/JSON/users/action/newUser/?contextId=1&name=Test+User'

# To add the credentials for the user
curl 'http://localhost:8080/JSON/users/action/setAuthenticationCredentials/?contextId=1&userId=0&authCredentialsConfigParams=username%3Dtest%40example.com%26password%3DweakPassword'

# To enable the user
curl 'http://localhost:8080/JSON/users/action/setUserEnabled/?contextId=1&userId=0&enabled=true'

# To set forced user
curl 'http://localhost:8080/JSON/forcedUser/action/setForcedUser/?contextId=1&userId=0'

# To enable forced user mode
curl 'http://localhost:8080/JSON/forcedUser/action/setForcedUserModeEnabled/?boolean=true'

The following example performs a simple form-based authentication using the Bodgeit vulnerable application. It's recommended that you configure the authentication via the desktop UI before attempting the APIs.

Setup Target Application

Bodgeit uses a simple form-based authentication to authenticate the users to the application. Use the following command to start a docker instance of the Bodgeit application:

docker run --rm -p 8090:8080 -i -t psiinon/bodgeit

Register a User

Register a user in the application by navigating to the following URL: http://localhost:8090/bodgeit/register.jsp. For the purpose of this example, use the following credentials.

Login

After registering the user, browse (proxied via ZAP) to the following URL (http://localhost:8090/bodgeit/login.jsp), and log in to the application. When you log in to the application, the request will be added to the History tab in ZAP. Search for the POST request to the following URL: http://localhost:8090/bodgeit/login.jsp. Right-click on the POST request, and select the Flag as Context -> Default Context : Form based Login Request option. This will open the context authentication editor. Notice that it has auto-selected form-based authentication and auto-filled the login URL and the POST data. Select the correct form parameters as the username and password in the dropdowns and click Ok.

Now you need to tell ZAP how to recognise whether the application is logged in or out. The Bodgeit application includes the logout link <a href="logout.jsp">Logout</a> in the response to a successful login. You can view this by navigating to the response tab of the login request. Highlight the text, right-click, and select the Flag as Context -> Default Context, Loggedin Indicator option. This will autofill the regex needed for the login indicator. The following image shows the completed setup for the authentication tab of the context menu.

auth

Now let's add the user credentials by going to the context -> users -> Add section. After adding the credentials, enable the "Forced User" mode in the desktop UI to forcefully authenticate the user prior to the testing of the application.

Now let's test the authentication by performing an authenticated Spidering with ZAP. To accomplish this, go to the Spider and select the default context and the test user to perform the authentication. After this, you should see the Spider crawling all the protected resources.

Steps to Reproduce via API

If you have configured the authentication via the desktop UI, then export the context and import it using the importContext API. Otherwise follow the steps below to configure the authentication setting for the context.

Include in Context

In order to proceed with authentication, the URL of the application should be added to the context. As Bodgeit is available via http://localhost:8090/bodgeit, use the includeInContext API to add the URL to a context.

Set Authentication Method

Use the setAuthenticationMethod to set up the authentication method and the configuration parameters. The setAuthenticationMethod takes contextId, authMethodName, and authMethodConfigParams as parameters. As Bodgeit uses the form-based authentication, use formBasedAuthentication for the authMethodName and use the contextID from Step 1 as the contextId parameter.

The authMethodConfigParams requires the loginUrl and loginRequestData. Therefore you should set the values to authMethodConfigParams in the following format:

authMethodConfigParams : loginUrl=http://localhost:8090/bodgeit/login.jsp&loginRequestData=username%3D%7B%25username%25%7D%26password%3D%7B%25password%25%7D

The values for authMethodConfigParams parameters must be URL encoded, in this case loginRequestData is username={%username%}&password={%password%}.
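The two encoding layers described above, as an added example (not code from the ZAP documentation or client): values are percent-encoded inside the config string, and the whole string is encoded again when it travels as one API query parameter. `parse_config` is a simple model of the documented key=value format, not ZAP's own parser, and all helper names are hypothetical; `PAGE_CURL_VALUE` is copied from this page's curl sample.

```python
from urllib.parse import quote, unquote

LOGIN_URL = "http://localhost:8090/bodgeit/login.jsp"
LOGIN_DATA = "username={%username%}&password={%password%}"
FORM_KEYS = ("loginUrl", "loginRequestData")

# authMethodConfigParams exactly as it appears in the page's curl example.
PAGE_CURL_VALUE = ("loginUrl%3Dhttp%3A%2F%2Flocalhost%3A8090%2Fbodgeit%2Flogin.jsp"
                   "%26loginRequestData%3Dusername%253D%257B%2525username%2525%257D"
                   "%2526password%253D%257B%2525password%2525%257D")


def build_config(params):
    """Layer 1: join key=value pairs, percent-encoding every value.

    safe='' also encodes '/', which the default quote() leaves alone;
    both forms decode to the same value.
    """
    return "&".join("%s=%s" % (key, quote(value, safe="")) for key, value in params.items())


def parse_config(config):
    """Model of the format: split on '&', then on the first '=', then decode the value."""
    parsed = {}
    for pair in config.split("&"):
        key, _, value = pair.partition("=")
        parsed[key] = unquote(value)
    return parsed


def to_query_value(config):
    """Layer 2: the config string becomes a single query parameter of the API URL."""
    return quote(config, safe="")


def from_query_value(raw):
    """Undo both layers, starting from what is visible in an API URL."""
    return parse_config(unquote(raw))


def unexpected_keys(config, allowed):
    """Keys that appear only because an inner '&' or '=' was left unencoded."""
    return sorted(set(parse_config(config)) - set(allowed))


GOOD = build_config({"loginUrl": LOGIN_URL, "loginRequestData": LOGIN_DATA})
# The mistake: concatenating raw values, so the '&' inside loginRequestData
# starts a new top-level parameter.
NAIVE = "loginUrl=" + LOGIN_URL + "&loginRequestData=" + LOGIN_DATA

if __name__ == "__main__":
    print("config string :", GOOD)
    print("as query value:", to_query_value(GOOD))
    print("naive parse   :", parse_config(NAIVE))
    print("stray keys    :", unexpected_keys(NAIVE, FORM_KEYS))
    # The same rule applies to credentials: a constructed password with '&', '=' and '%'.
    print("credentials   :", build_config({"username": "test@example.com",
                                           "password": "p&ss=w0rd%"}))
```

The stray `password` key reported for the unencoded string is the symptom to look for when a login request is sent with a truncated body.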

Set Login and Logout Indicators

Use the setLoggedInIndicator API to set the logged-in indicator of the application; the setLoggedOutIndicator API sets the corresponding logged-out indicator. The following regex matches the response to a successful login in the Bodgeit application: \Q<a href="logout.jsp">Logout</a>\E

Create User and Enable Forced User Mode

Now add the user credentials via the setAuthenticationCredentials API and use the setForcedUserModeEnabled API to enable the forced user mode in ZAP.

Script Based Authentication

#!/usr/bin/env python
import urllib.parse
from zapv2 import ZAPv2

context_id = 1
apikey = 'changeMe'
context_name = 'Default Context'
target_url = 'http://localhost:3000'

# By default ZAP API client will connect to port 8080
zap = ZAPv2(apikey=apikey)

# Use the line below if ZAP is not listening on port 8080, for example, if listening on port 8090
# zap = ZAPv2(apikey=apikey, proxies={'http': 'http://127.0.0.1:8090', 'https': 'http://127.0.0.1:8090'})


def set_include_in_context():
    include_url = 'http://localhost:3000.*'

    zap.context.include_in_context(context_name, include_url)

    zap.context.exclude_from_context(context_name, '\\Qhttp://localhost:3000/login.php\\E')
    zap.context.exclude_from_context(context_name, '\\Qhttp://localhost:3000/logout.php\\E')
    zap.context.exclude_from_context(context_name, '\\Qhttp://localhost:3000/setup.php\\E')
    zap.context.exclude_from_context(context_name, '\\Qhttp://localhost:3000/security.php\\E')
    print('Configured include and exclude regex(s) in context')


def set_logged_in_indicator():

    logged_in_regex = "\\Q<a href=\"logout.php\">Logout</a>\\E"
    logged_out_regex = "(?:Location: [./]*login\\.php)|(?:\\Q<form action=\"login.php\" method=\"post\">\\E)"

    zap.authentication.set_logged_in_indicator(context_id, logged_in_regex)
    zap.authentication.set_logged_out_indicator(context_id, logged_out_regex)
    print('Configured logged in indicator regex ')


def set_script_based_auth():
    post_data = "username={%username%}&password={%password%}" + "&Login=Login&user_token={%user_token%}"
    post_data_encoded = urllib.parse.quote(post_data)
    login_request_data = "scriptName=auth-dvwa.js&Login_URL=http://localhost:3000/login.php&CSRF_Field=user_token" \
                         "&POST_Data=" + post_data_encoded

    zap.authentication.set_authentication_method(context_id, 'scriptBasedAuthentication', login_request_data)
    print('Configured script based authentication')


def set_user_auth_config():
    user = 'Administrator'
    username = 'admin'
    password = 'password'

    user_id = zap.users.new_user(context_id, user)
    user_auth_config = 'Username=' + urllib.parse.quote(username) + '&Password=' + urllib.parse.quote(password)
    zap.users.set_authentication_credentials(context_id, user_id, user_auth_config)
    zap.users.set_user_enabled(context_id, user_id, 'true')
    zap.forcedUser.set_forced_user(context_id, user_id)
    zap.forcedUser.set_forced_user_mode_enabled('true')
    print('User Auth Configured')
    return user_id


def upload_script():
    script_name = 'auth-dvwa.js'
    script_type = 'authentication'
    script_engine = 'Oracle Nashorn'
    file_name = '/tmp/auth-dvwa.js'
    charset = 'UTF-8'
    zap.script.load(script_name, script_type, script_engine, file_name, charset=charset)


def start_spider(user_id):
    zap.spider.scan_as_user(context_id, user_id, target_url, recurse='true')
    print('Started Scanning with Authentication')


set_include_in_context()
upload_script()
set_script_based_auth()
set_logged_in_indicator()
user_id_response = set_user_auth_config()
start_spider(user_id_response)
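
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

public class ScriptAuth {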

    private static final String ZAP_ADDRESS = "localhost";
    private static final int ZAP_PORT = 8080;
    private static final String ZAP_API_KEY = null;
    private static final String contextId = "1";
    private static final String contextName = "Default Context";
    private static final String target = "http://localhost:3000";
    private static void setIncludeAndExcludeInContext(ClientApi clientApi) throws UnsupportedEncodingException, ClientApiException {
        String includeInContext = "http://localhost:3000.*";
        clientApi.context.includeInContext(contextName, includeInContext);
        clientApi.context.excludeFromContext(contextName, "\\Qhttp://localhost:3000/login.php\\E");
        clientApi.context.excludeFromContext(contextName, "\\Qhttp://localhost:3000/logout.php\\E");
        clientApi.context.excludeFromContext(contextName, "\\Qhttp://localhost:3000/setup.php\\E");
        clientApi.context.excludeFromContext(contextName, "\\Qhttp://localhost:3000/security.php\\E");
    }
    private static void setLoggedInIndicator(ClientApi clientApi) throws UnsupportedEncodingException, ClientApiException {
        // Prepare values to set, with the logged in indicator as a regex matching the logout link
        String loggedInIndicator = "\\Q<a href=\"logout.php\">Logout</a>\\E";
        String loggedOutIndicator = "(?:Location: [./]*login\\.php)|(?:\\Q<form action=\"login.php\" method=\"post\">\\E)";
        // Actually set the logged in indicator
        clientApi.authentication.setLoggedInIndicator( contextId, loggedInIndicator);
        clientApi.authentication.setLoggedOutIndicator( contextId, loggedOutIndicator);
        // Check out the logged in indicator that is set
        System.out.println("Configured logged in indicator regex: "
                + ((ApiResponseElement) clientApi.authentication.getLoggedInIndicator(contextId)).getValue());
    }
    private static void setScriptBasedAuthenticationForDVWA(ClientApi clientApi) throws ClientApiException,
            UnsupportedEncodingException {
        String postData = "username={%username%}&password={%password%}" + "&Login=Login&user_token={%user_token%}";
        String postDataEncode = URLEncoder.encode(postData, "UTF-8");
        String sb = ("scriptName=auth-dvwa.js&Login_URL=http://localhost:3000/login.php&CSRF_Field=user_token&")
                .concat("POST_Data=").concat(postDataEncode);

        clientApi.authentication.setAuthenticationMethod(contextId, "scriptBasedAuthentication", sb.toString());
        System.out.println("Authentication config: " + clientApi.authentication.getAuthenticationMethod(contextId).toString(0));
    }
    private static String setUserAuthConfigForDVWA(ClientApi clientApi) throws ClientApiException, UnsupportedEncodingException {
        // Prepare info
        String user = "Admin";
        String username = "admin";
        String password = "password";

        // Make sure we have at least one user
        String userId = extractUserId(clientApi.users.newUser(contextId, user));

        // Prepare the configuration in a format similar to how URL parameters are formed. This
        // means that any value we add for the configuration values has to be URL encoded.
        StringBuilder userAuthConfig = new StringBuilder();
        userAuthConfig.append("Username=").append(URLEncoder.encode(username, "UTF-8"));
        userAuthConfig.append("&Password=").append(URLEncoder.encode(password, "UTF-8"));

        System.out.println("Setting user authentication configuration as: " + userAuthConfig.toString());
        clientApi.users.setAuthenticationCredentials(contextId, userId, userAuthConfig.toString());
        clientApi.users.setUserEnabled(contextId, userId, "true");
        clientApi.forcedUser.setForcedUser(contextId, userId);
        clientApi.forcedUser.setForcedUserModeEnabled(true);

        // Check if everything is set up ok
        System.out.println("Authentication config: " + clientApi.users.getUserById(contextId, userId).toString(0));
        return userId;
    }
    private static void uploadScript(ClientApi clientApi) throws ClientApiException {
        String script_name = "auth-dvwa.js";
        String script_type = "authentication";
        String script_engine = "Oracle Nashorn";
        String file_name = "/tmp/auth-dvwa.js";
        clientApi.script.load(script_name, script_type, script_engine, file_name, null);
    }
    private static String extractUserId(ApiResponse response) {
        return ((ApiResponseElement) response).getValue();
    }
    private static void scanAsUser(ClientApi clientApi, String userId) throws ClientApiException {
        clientApi.spider.scanAsUser(contextId, userId, target, null, "true", null);
    }
    /**
     * The main method.
     *
     * @param args the arguments
     * @throws ClientApiException
     * @throws UnsupportedEncodingException
     */
    public static void main(String[] args) throws ClientApiException, UnsupportedEncodingException {
        ClientApi clientApi = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);
        uploadScript(clientApi);
        setIncludeAndExcludeInContext(clientApi);
        setScriptBasedAuthenticationForDVWA(clientApi);
        setLoggedInIndicator(clientApi);
        String userId = setUserAuthConfigForDVWA(clientApi);
        scanAsUser(clientApi, userId);
    }
}

# To add in default context
curl 'http://localhost:8080/JSON/context/action/includeInContext/?contextName=Default+Context&regex=http%3A%2F%2Flocalhost%3A3000.*'

# To add exclude in context
curl 'http://localhost:8080/JSON/context/action/excludeFromContext/?contextName=Default+Context&regex=%5CQhttp%3A%2F%2Flocalhost%3A3000%2Flogout.php%5CE'

# To upload the script
curl 'http://localhost:8080/JSON/script/action/load/?scriptName=auth-dvwa.js&scriptType=authentication&scriptEngine=Oracle+Nashorn&fileName=%2Ftmp%2Fauth-dvwa.js&scriptDescription=&charset='

# To set up authentication information
curl 'http://localhost:8080/JSON/authentication/action/setAuthenticationMethod/?contextId=1&authMethodName=scriptBasedAuthentication&authMethodConfigParams=scriptName%3Dauth-dvwa.js%26Login_URL%3Dhttp%3A%2F%2Flocalhost%3A3000%2Flogin.php%26CSRF_Field%3Duser_token%26POST_Data%3Dusername%253D%257B%2525username%2525%257D%2526password%253D%257B%2525password%2525%257D%2526Login%253DLogin%2526user_token%253D%257B%2525user_token%2525%257D'

# To set the login indicator
curl 'http://localhost:8080/JSON/authentication/action/setLoggedInIndicator/?contextId=1&loggedInIndicatorRegex=%5CQ%3Ca+href%3D%5C%22logout.php%5C%22%3ELogout%3C%2Fa%3E%5CE'

# To set logged out indicator
curl 'http://localhost:8080/JSON/authentication/action/setLoggedOutIndicator/?contextId=1&loggedOutIndicatorRegex=%28%3F%3ALocation%3A+%5B.%2F%5D*login%5C.php%29%7C%28%3F%3A%5CQ%3Cform+action%3D%22login.php%22+method%3D%22post%22%3E%5CE%29'

# To create a user (The first user id is: 0)
curl 'http://localhost:8080/JSON/users/action/newUser/?contextId=1&name=Test+User'

# To add the credentials for the user
curl 'http://localhost:8080/JSON/users/action/setAuthenticationCredentials/?contextId=1&userId=0&authCredentialsConfigParams=Username%3Dadmin%26Password%3Dpassword'

# To enable the user
curl 'http://localhost:8080/JSON/users/action/setUserEnabled/?contextId=1&userId=0&enabled=true'

# To set forced user
curl 'http://localhost:8080/JSON/forcedUser/action/setForcedUser/?contextId=1&userId=0'

# To enable forced user mode
curl 'http://localhost:8080/JSON/forcedUser/action/setForcedUserModeEnabled/?boolean=true'

ZAP has scripting support for most of the popular languages. The following are some of the scripting languages supported by ZAP.

ZAP has an Add-on Marketplace where you can get add-ons for additional scripting engines. Click the red, blue, & green box stacked icon in ZAP to bring up the marketplace modal. After it pops up, switch to the Marketplace and install the appropriate scripting engine.

The following example performs script-based authentication for the Damn Vulnerable Web Application (DVWA). Similar to the Bodgeit example, DVWA also uses a POST request to authenticate users. But apart from the username and password, DVWA sends an additional token to protect against Cross-Site Request Forgery (CSRF) attacks. This token is obtained from the landing page. The following image shows the token embedded in the login page.

csrf_token

If the token is not included in the login request as a POST parameter, the request will be rejected. In order to send this token, let's use the script-based authentication technique. The authentication script will parse the HTML content, extract the token and append it to the POST request.

Setup Target Application

Use the following docker command to start DVWA. To fully complete the setup you need to log in to the application (http://localhost:3000) and press the configure button. Use the default credentials of the application to log in and finish the setup (Username: admin, Password: password).

docker run --rm -it -p 3000:80 vulnerables/web-dvwa

Create the Script

Go to the Scripts tab and create a new Authentication script. Provide a name to the script and select JavaScript/Nashorn as the engine and replace the script contents with the following script.

script_tab

Configure Context Authentication

Now navigate to http://localhost:3000 and add the URL to the default context. Then double-click on the default context and select script-based authentication as the authentication method. Now load the script from the drop-down provided and set the following parameter values.

context_auth

Now add the default admin user to the users tab and enable the user.

As the login operation is performed by the script, let's add the login URL as out of context. Additionally, you should add pages which would disrupt the login process as out of context. For example, if the logout URL is not excluded, the Spider will trigger unwanted logouts (e.g. logoff, password change). Therefore, add the following regex(s) to the "Exclude from Context" tab.

Now you can enable the forced user mode and start the Spider, or manually select the admin user for the Spider scan. If you have selected the forced user mode and also manually selected a user, then the manually selected user/context will supersede the forced user mode. After this you should see the Spider crawling all the protected resources. The authentication results will be available through the Output panel, and you can also select the login POST request in the History tab to verify the token has been sent to the application.

Steps to Reproduce via API

Use the scripts endpoint to upload the script file. Thereafter the configuration is very similar to the form-based authentication with the Bodgeit application. Use the includeInContext API to add the URL to the default context and use the setAuthenticationMethod API to set up the authentication method and the configuration parameters. Finally, use the users API to create the admin user. Refer to the script in the right column to see how to use the above APIs.

JSON Based Authentication


#!/usr/bin/env python
import urllib.parse
from zapv2 import ZAPv2

context_id = 1
apiKey = 'changeMe'
context_name = 'Default Context'
target_url = 'http://localhost:3000'

# By default ZAP API client will connect to port 8080
zap = ZAPv2(apikey=apiKey)

# Use the line below if ZAP is not listening on port 8080, for example, if listening on port 8090
# zap = ZAPv2(apikey=apiKey, proxies={'http': 'http://127.0.0.1:8090', 'https': 'http://127.0.0.1:8090'})


def set_include_in_context():
    include_url = 'http://localhost:3000.*'
    zap.context.include_in_context(context_name, include_url)
    print('Configured include and exclude regex(s) in context')


def set_logged_in_indicator():
    # Raw strings: \Q, \E and \. are regex syntax, not Python escape sequences
    logged_in_regex = r'\Q<a href="logout.php">Logout</a>\E'
    logged_out_regex = r'(?:Location: [./]*login\.php)|(?:\Q<form action="login.php" method="post">\E)'

    zap.authentication.set_logged_in_indicator(context_id, logged_in_regex)
    zap.authentication.set_logged_out_indicator(context_id, logged_out_regex)
    print('Configured logged in indicator regex: ')


def set_json_based_auth():
    login_url = "http://localhost:3000/rest/user/login"
    login_request_data = 'email={%username%}&password={%password%}'

    json_based_config = 'loginUrl=' + urllib.parse.quote(login_url) + '&loginRequestData=' + urllib.parse.quote(login_request_data)
    zap.authentication.set_authentication_method(context_id, 'jsonBasedAuthentication', json_based_config)
    print('Configured JSON based authentication')


def set_user_auth_config():
    user = 'Test User'
    username = '[email protected]'
    password = 'testtest'

    user_id = zap.users.new_user(context_id, user)
    user_auth_config = 'username=' + urllib.parse.quote(username) + '&password=' + urllib.parse.quote(password)
    zap.users.set_authentication_credentials(context_id, user_id, user_auth_config)


def add_script():
    script_name = 'jwtScript.js'
    script_type = 'httpsender'
    script_engine = 'Oracle Nashorn'
    file_name = '/tmp/jwtScript.js'
    zap.script.load(script_name, script_type, script_engine, file_name)


set_include_in_context()
add_script()
set_json_based_auth()
set_logged_in_indicator()
set_user_auth_config()
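
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

public class JSONAuth {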

    private static final String ZAP_ADDRESS = "localhost";
    private static final int ZAP_PORT = 8090;
    private static final String ZAP_API_KEY = null;
    private static final String contextId = "1";
    private static final String target = "http://localhost:3000";

    private static void setJSONBasedAuthentication(ClientApi clientApi) throws ClientApiException, UnsupportedEncodingException {
        String loginUrl = "http://localhost:3000/rest/user/login";
        String loginRequestData = "username={%username%}&password={%password%}";

        // Prepare the configuration in a format similar to how URL parameters are formed. This
        // means that any value we add for the configuration values has to be URL encoded.
        StringBuilder jsonBasedConfig = new StringBuilder();
        jsonBasedConfig.append("loginUrl=").append(URLEncoder.encode(loginUrl, "UTF-8"));
        jsonBasedConfig.append("&loginRequestData=").append(URLEncoder.encode(loginRequestData, "UTF-8"));

        System.out.println("Setting JSON based authentication configuration as: " + jsonBasedConfig.toString());
        clientApi.authentication.setAuthenticationMethod(contextId, "jsonBasedAuthentication", jsonBasedConfig.toString());

        // Check if everything is set up ok
        System.out.println("Authentication config: " + clientApi.authentication.getAuthenticationMethod(contextId).toString(0));
    }

    private static String setUserAuthConfig(ClientApi clientApi) throws ClientApiException, UnsupportedEncodingException {
        // Prepare info
        String user = "Test User";
        String username = "[email protected]";
        String password = "testtest";

        // Make sure we have at least one user
        String userId = extractUserId(clientApi.users.newUser(contextId, user));

        // Prepare the configuration in a format similar to how URL parameters are formed. This
        // means that any value we add for the configuration values has to be URL encoded.
        StringBuilder userAuthConfig = new StringBuilder();
        userAuthConfig.append("username=").append(URLEncoder.encode(username, "UTF-8"));
        userAuthConfig.append("&password=").append(URLEncoder.encode(password, "UTF-8"));

        System.out.println("Setting user authentication configuration as: " + userAuthConfig.toString());
        clientApi.users.setAuthenticationCredentials(contextId, userId, userAuthConfig.toString());
        clientApi.users.setUserEnabled(contextId, userId, "true");
        clientApi.forcedUser.setForcedUser(contextId, userId);
        clientApi.forcedUser.setForcedUserModeEnabled(true);

        // Check if everything is set up ok
        System.out.println("Authentication config: " + clientApi.users.getUserById(contextId, userId).toString(0));
        return userId;
    }

    private static void addScript(ClientApi clientApi) throws ClientApiException {

        String script_name = "jwtScript.js";
        String script_type = "httpsender";
        String script_engine = "Oracle Nashorn";
        String file_name = "/tmp/authscript.js";

        clientApi.script.load(script_name, script_type, script_engine, file_name, null);
    }

    private static void scanAsUser(ClientApi clientApi, String userId) throws ClientApiException {
        clientApi.spider.scanAsUser(contextId, userId, target, null, "true", null);
    }

    private static String extractUserId(ApiResponse response) {
        return ((ApiResponseElement) response).getValue();
    }

    /**
     * The main method.
     *
     * @param args the arguments
     * @throws ClientApiException
     * @throws UnsupportedEncodingException
     */
    public static void main(String[] args) throws ClientApiException, UnsupportedEncodingException {
        ClientApi clientApi = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);

        addScript(clientApi);
        setJSONBasedAuthentication(clientApi);
        String userId = setUserAuthConfig(clientApi);
        scanAsUser(clientApi, userId);
    }
}

# To add the script
curl 'http://localhost:8080/JSON/script/action/load/?scriptName=authscript.js&scriptType=authentication&scriptEngine=Oracle+Nashorn&fileName=%2Ftmp%2Fauthscript.js&scriptDescription=&charset=UTF-8'

# To set up authentication information
curl 'http://localhost:8080/JSON/authentication/action/setAuthenticationMethod/?contextId=1&authMethodName=scriptBasedAuthentication&authMethodConfigParams=scriptName%3Dauthscript.js%26Login+URL%3Dhttp%3A%2F%2Flocalhost%3A3000%2Flogin.php%26CSRF+Field%3Duser_token%26POST+Data%3Dusername%3D%7B%25username%25%7D%26password%3D%7B%25password%25%7D%26Login%3DLogin%26user_token%3D%7B%25user_token%25%7D'

# To set the login indicator
curl 'http://localhost:8080/JSON/authentication/action/setLoggedInIndicator/?contextId=1&loggedInIndicatorRegex=%5CQ%3Ca+href%3D%22logout.jsp%22%3ELogout%3C%2Fa%3E%5CE'

# To create a user (The first user id is: 0)
curl 'http://localhost:8080/JSON/users/action/newUser/?contextId=1&name=Test+User'

# To add the credentials for the user
curl 'http://localhost:8080/JSON/users/action/setAuthenticationCredentials/?contextId=1&userId=0&authCredentialsConfigParams=username%3Dtest%40example.com%26password%3DweakPassword'

# To enable the user
curl 'http://localhost:8080/JSON/users/action/setUserEnabled/?contextId=1&userId=0&enabled=true'

# To set forced user
curl 'http://localhost:8080/JSON/forcedUser/action/setForcedUser/?contextId=1&userId=0'

# To enable forced user mode
curl 'http://localhost:8080/JSON/forcedUser/action/setForcedUserModeEnabled/?boolean=true'

The following example performs a script based authentication for the OWASP Juice Shop. Juice Shop is a modern application and, contrary to the previous examples, its protected resources are accessed by sending an Authorization header (JSON Web Token).

Setup Target Application

Use the following docker command to start the OWASP Juice Shop.

docker run -d -p 3000:3000 bkimminich/juice-shop

Register User

Register a user in the application by navigating to the following URL: http://localhost:3000/#/register. For the purpose of this example, use the following information.

Login

After registering the user, browse (proxied via ZAP) to the following URL (http://localhost:3000/#/login) and log in to the application. When you log in, the request is added to the History tab in ZAP. Search for the POST request to the following URL: http://localhost:3000/rest/user/login. Right-click on the POST request and select the Flag as Context -> Default Context : JSON-based Auth Login Request option. This opens the context authentication editor. Notice that it has auto-selected the JSON-based authentication and auto-filled the login URL and the POST data. Select the correct JSON attributes as the username and password in the dropdowns and click Ok. The following image shows the completed setup for the authentication tab of the context menu.

json based authentication

Exit the context editor and go back to the login request. You will notice that there is no Set-Cookie header in the login response headers. In the response body you will find the response data.

The request that follows is GET http://localhost:3000/rest/user/whoami, which has a header called Authorization that uses the token from the response body of the login request. In the body of the response, you should see some info about your user: {"user":{"id":1,"email":"[email protected]"}}. If you visit that URL directly with your browser, the content of the page is {"user":{}}: the Authorization header is not added to the request, so it is not authenticated.

This request is initiated as a client side AJAX request using a spec called JWT. Currently ZAP doesn't have a notion of the Authorization header for sessions, so this is where ZAP's scripting engine comes into play! With ZAP's scripting engine, we can easily add to or augment its functionality.

Add the Script

Now, in the left sidebar next to Sites, click + to add Scripts. This will bring Scripts into focus in the sidebar. Drill into Scripting > Scripts > HTTP Sender. Then right-click on HTTP Sender and, in the context menu, click New Script. Name the script jwtScript.js and set the Script Engine to ECMAScript (do not check the box that says enable).

json authentication script
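
As an added example (not the script from the ZAP documentation), the following HTTP Sender script implements the behaviour this walkthrough describes: it captures the token from the response to /rest/user/login and adds it as an Authorization header to later requests for the target only. The response shape {"authentication":{"token":...}}, the Bearer prefix and the jwt-token variable name are assumptions.

```javascript
// Added example: HTTP Sender script logic for the Juice Shop walkthrough.
// Assumptions (not from the page): the login response body looks like
// {"authentication": {"token": "..."}} and the API expects "Bearer <token>".
var TARGET_PREFIX = 'http://localhost:3000/'; // target used in the walkthrough
var LOGIN_PATH = '/rest/user/login';          // login request used in the walkthrough
var TOKEN_KEY = 'jwt-token';                  // hypothetical variable name

// Inside ZAP, keep the token in ScriptVars so every script invocation sees it;
// outside ZAP (for example under Node) fall back to an in-memory object.
var store = (function () {
  if (typeof Java !== 'undefined' && typeof Java.type === 'function') {
    var ScriptVars = Java.type('org.zaproxy.zap.extension.script.ScriptVars');
    return {
      get: function () { return ScriptVars.getGlobalVar(TOKEN_KEY); },
      set: function (value) { ScriptVars.setGlobalVar(TOKEN_KEY, value); }
    };
  }
  var mem = {};
  return {
    get: function () { return mem[TOKEN_KEY] || null; },
    set: function (value) { mem[TOKEN_KEY] = value; }
  };
})();

// ZAP's script console provides print(); Node does not.
var log = (typeof print === 'function') ? print : console.log;

function urlOf(msg) {
  return String(msg.getRequestHeader().getURI().toString());
}

// True only for URLs on the target origin. The trailing slash in the prefix
// stops look-alike origins such as http://localhost:30000/ from matching.
function inTarget(url) {
  return url.indexOf(TARGET_PREFIX) === 0;
}

// Compare the path (without query string) against the login path.
function isLoginRequest(url) {
  var path = url.substring(TARGET_PREFIX.length - 1).split('?')[0];
  return path === LOGIN_PATH;
}

// Called by ZAP before each request is sent.
function sendingRequest(msg, initiator, helper) {
  var url = urlOf(msg);
  if (!inTarget(url) || isLoginRequest(url)) { return; }
  var token = store.get();
  if (!token) { return; }
  msg.getRequestHeader().setHeader('Authorization', 'Bearer ' + token);
  log('Added Authorization header for ' + url);
}

// Called by ZAP after each response is received.
function responseReceived(msg, initiator, helper) {
  var url = urlOf(msg);
  if (!inTarget(url) || !isLoginRequest(url)) { return; }
  var status = msg.getResponseHeader().getStatusCode();
  if (status < 200 || status > 299) { return; } // failed login: keep old state
  var data;
  try {
    data = JSON.parse(String(msg.getResponseBody().toString()));
  } catch (e) {
    return; // not JSON, nothing to capture
  }
  var token = data && data.authentication && data.authentication.token;
  if (typeof token !== 'string' || token.length === 0) { return; }
  store.set(token);
  log('Capturing token for JWT'); // the token value itself is not logged
}
```

Restricting the header to the target prefix keeps the token from being sent to other hosts that the browser or spider contacts during the scan.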

Now that we have that script set up, let's test it out! Go ahead and visit the login page http://localhost:3000/#/login with the browser launched with ZAP and use your test account to log in. After you log in, back in ZAP in the Script Console tab you should see a message that says Capturing token for JWT.

Now visit http://localhost:3000/rest/user/whoami directly in the browser and you will see you get JSON data with the user {"user":{"id":9,"email":"[email protected]"}}! Back in the Script Console you will see the script went ahead and added the header!

Now that we have a script ensuring we have the right headers & cookies for authentication, let's go ahead and try spidering the application again! So let's use the same settings we used earlier from the AJAX Spider Settings. Once the scan starts, check out the browser running the scan - you'll notice the user is logged in! (Logout & Your Basket links visible). Now the AJAX Spider will pick up some new paths that it couldn't find before!

Steps to Reproduce via API

Use the scripts endpoint to add the script file. Thereafter the configurations are very similar to the form based authentication with the Bodgeit application. Use the includeInContext API to add the URL to the default context and use the setAuthenticationMethod API to set up the authentication method and the configuration parameters. Finally, use the users API to create the admin user. Refer to the script in the right column to see how to use the above APIs.

Advanced Settings

The following section shows advanced configurations of the APIs.

Spider Settings

The following image shows the advanced configurations tab of Spider in the desktop UI.

spider_advanced

Use the setOptionMaxDepth API to set the maximum depth the spider can crawl, where 0 refers to unlimited depth. The setOptionMaxChildren API sets the maximum number of child nodes (per node) that can be crawled, where 0 means no limit. The setOptionMaxDuration API can be used to set the maximum duration the Spider will run. Use the setOptionMaxParseSizeBytes API to limit the amount of data parsed by the spider. This allows the spider to skip big responses/files.

View the Spider section in the API Catalogue for additional APIs.

Ajax Spider Settings

The following image shows the advanced configurations tab of Ajax Spider in the desktop UI.

ajax_spider_advanced

Similar to the Spider API, the Ajax spider also provides APIs to set the maximum depth, crawl state, and maximum duration.

Passive Scan Settings

The scanning rules can be enabled/disabled using the enableScanners and disableScanners APIs. Also use the setScanOnlyInScope API to limit the passive scanning to a scope. View the advanced section to learn how to configure a context or scope using ZAP APIs.

Passive scanning can also be used to automatically add tags and raise alerts for potential issues. A set of rules for automatic tagging are provided by default. These can be changed, deleted or added to via the Options Passive Scan Tags Screen.

Active Scan Settings

General Options

The general options for Active Scan can be configured using the options tab in the desktop UI shown below.

options

Use the setOptionMaxScanDurationInMins API to limit the duration of the scan and the setOptionMaxRuleDurationInMins API to limit the time of individual active scan rules. This can be used to prevent rules from running for an excessive amount of time.

Use the setOptionHostPerScan API to set the maximum number of hosts that will be scanned at the same time. Furthermore, use the setOptionThreadPerHost API to set the number of threads the scanner will use per host. Increasing both of these values will reduce the active scanning time but this may put extra strain on the server ZAP is running on.

Use the setOptionDelayInMs API to delay each request from ZAP in milliseconds. Setting this to a non zero value will increase the time an active scan takes, but will put less of a strain on the target host. View the Active Scan section in the API Catalogue for additional information regarding the APIs.

Input Vectors

Input vectors refer to the elements that Active Scan will target. Specifying the exact elements to target will improve the scanning time and accuracy of the results. For example, for the following configuration the optionTargetParamsInjectable and optionTargetParamsEnabledRPC will yield the results of 11 and 39. The numbers can be deconstructed in the following manner:

input_vectors_code

Thus, to change the values of Injectable Targets and Input Vector Handlers, calculate the exact values and use the setOptionTargetParamsInjectable and setOptionTargetParamsEnabledRPC APIs accordingly.

The Add URL query parameter option under the Injectable Targets sets whether or not the active scanner should add a query parameter to GET requests which do not have parameters to start with. This option can be enabled using the setOptionAddQueryParam API.

Technology

technology

The Technology tab allows you to specify which types of technologies to scan. Un-selecting technologies that you know are not present in the target application may speed up the scan, as rules which target that technology can skip those tests. For example, if the target web application does not have a database, then removing it will increase the performance of the Active Scan.

Use the includeContextTechnologies and excludeContextTechnologies API endpoints to include and exclude the technology list from the context.

Policy

A scan policy defines exactly which rules are run as part of an active scan. It also defines how these rules run, influencing how many requests are made and how likely potential issues are to be flagged. You can define as many scan policies as you like and select the most appropriate one when you start the scan via the Active Scan.

policy

The Policy tab shown in the above image allows you to override any of the settings specified in the selected scan policy.

Contributions Welcome!

Contributions are welcome! There are many ways you can contribute to ZAP, both as a user and as a developer.

1. Creating High-level API/Automation Docs

Create high level docs or example guides on how to use the APIs to perform any action/view with ZAP. The source files for the ZAP API documentation are hosted on GitHub. The repository is available at GitHub. The source files are in Markdown (md) format.

2. REST API Documentation

ZAP's REST API is documented using the OpenAPI specification. The specification could be improved by enhancing the description of parameters, results, data types, etc. The OpenAPI specification is available via GitHub.

3. Feature Documentation

Feature documentation related to ZAP is available on ZAP wiki, ZAP user guide, and ZAP extensions repositories.

How to Contribute

The ZAP API documentation is developed according to the docs as code philosophy. The most direct and effective way to contribute to the docs is to submit a pull request (PR) or raise an issue in the GitHub repository containing the docs content that you want to change.

There are 2 different workflows which you can use to make changes or PRs. Use what you are most comfortable with!

1. "Edit this File on GitHub"

You can edit the documentation in the browser by navigating to the relevant source file and clicking the edit this file button. This workflow is recommended for minor changes, for example correcting typos, spelling or grammar. For extensive changes, please use the local setup and editing option.

2. Local Setup and Editing

You can fork the repository on GitHub and submit the changes via pull requests. Please see the local setup for API docs section to set up and render the docs locally.

Local Setup for API Docs

ZAP uses git for its code repository. To submit a documentation update, use the following steps:

1. Clone the ZAP Docs repository: git clone https://github.com/zaproxy/zap-api-docs

2. Navigate to the cloned repository: cd zap-api-docs

3. Use the following guide to install Ruby

4. To install the dependencies: $ bundle install

5. To start the server: $ bundle exec middleman server

Documentation Style

This style guide provides a set of editorial guidelines for anyone writing documentation for ZAP.

General Guidelines

Language and Grammar

Formatting

Punctuation

Markdown Syntax

The API docs are created using standard markdown files. This section contains information regarding the syntax and linting of the Markdown files. Refer to the Slate documentation. Also refer to this document to properly lint the Markdown files.

Writing Code

Inline Code

Put `backticks` around the following symbols when used in text:

Code Block

Use three backticks to open and close a code block. Specify the programming language after the first backtick group. The documentation currently supports python, java, and shell languages.

code_example

Troubleshooting

This section explains how to troubleshoot issues that might occur when interacting with the ZAP API.

Enable Useful Dev Options

While developing scripts/programs that interact with ZAP API it's recommended that the following ZAP API options are enabled, to have more information about possible errors:

The API response will then contain the details about why the API request was rejected or was not successful.

Common Errors

Wrong API Key or Address Not Allowed

//org.zaproxy.clientapi.core.ClientApiException: java.net.SocketException: Unexpected end of file from server
//  at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.java:366)
//  at org.zaproxy.clientapi.core.ClientApi.callApi(ClientApi.java:350)
//  at org.zaproxy.clientapi.gen.Spider.scan(Spider.java:242)
requests.exceptions.ProxyError: HTTPConnectionPool(host='127.0.0.1', port=8080): Max retries exceeded with 
url: http://zap/JSON/spider/action/scan/?apikey=changeMe&url=https%3A%2F%2Fexample.com 
(Caused by ProxyError('Cannot connect to proxy.', RemoteDisconnected('Remote end closed connection without response')))

By default, ZAP will close the connection without a response if an API request is not from an allowed address or the API key is wrong. If you get exceptions similar to the following, ensure that the API client is using the correct API key and that the address is allowed.

No Connection to ZAP

//org.zaproxy.clientapi.core.ClientApiException: java.net.ConnectException: Connection refused: connect
//  at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.java:366)
//  at org.zaproxy.clientapi.core.ClientApi.callApi(ClientApi.java:350)
//  at org.zaproxy.clientapi.gen.Spider.scan(Spider.java:242)
//  at ZAP_tests.Spider.main(Spider.java:25)
requests.exceptions.ProxyError: HTTPConnectionPool(host='127.0.0.1', port=8080): Max retries exceeded with 
url: http://zap/JSON/spider/action/scan/?apikey=changeMe&url=https%3A%2F%2Fexample.com 
(Caused by ProxyError('Cannot connect to proxy.', NewConnectionError('<urllib3.connection.HTTPConnection object at 
0x101be78e0>: Failed to establish a new connection: [Errno 61] Connection refused')))

There are several reasons that the API client might not be able to connect to ZAP:

Error: No Implementor

If you come across the No Implementor Error while invoking the APIs, check that the necessary add-on or component is installed and enabled. (For example, if you receive "no_implementor" in relation to Ajax Spider calls, perhaps the Ajax Spider add-on isn't installed.)

API Catalogue

Scroll down for code samples, example requests and responses. Select a language for code samples from the tabs above or the mobile navigation menu.

The HTTP API for controlling and accessing ZAP.

Base URLs:

Email: ZAP User Group Web: ZAP User Group License: Apache 2.0

accessControl

accessControlActionScan

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/accessControl/action/scan/?contextId=string&userId=string' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/accessControl/action/scan/?contextId=string&userId=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/accessControl/action/scan/', params={
  'contextId': 'string',  'userId': 'string'
}, headers = headers)

print(r.json())

GET /JSON/accessControl/action/scan/

Starts an Access Control scan with the given context ID and user ID. (Optional parameters: user ID for Unauthenticated user, boolean identifying whether or not Alerts are raised, and the Risk level for the Alerts.) [This assumes the Access Control rules were previously established via ZAP gui and the necessary Context exported/imported.]

Parameters

Name In Type Required Description
contextId query string true none
userId query string true none
scanAsUnAuthUser query string false none
raiseAlert query string false none
alertRiskLevel query string false none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

accessControlActionWriteHTMLreport

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/accessControl/action/writeHTMLreport/?contextId=string&fileName=string' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/accessControl/action/writeHTMLreport/?contextId=string&fileName=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/accessControl/action/writeHTMLreport/', params={
  'contextId': 'string',  'fileName': 'string'
}, headers = headers)

print(r.json())

GET /JSON/accessControl/action/writeHTMLreport/

Generates an Access Control report for the given context ID and saves it based on the provided filename (path).

Parameters

Name In Type Required Description
contextId query string true none
fileName query string true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

accessControlViewGetScanProgress

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/accessControl/view/getScanProgress/?contextId=string' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/accessControl/view/getScanProgress/?contextId=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/accessControl/view/getScanProgress/', params={
  'contextId': 'string'
}, headers = headers)

print(r.json())

GET /JSON/accessControl/view/getScanProgress/

Gets the Access Control scan progress (percentage integer) for the given context ID.

Parameters

Name In Type Required Description
contextId query string true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

accessControlViewGetScanStatus

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/accessControl/view/getScanStatus/?contextId=string' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/accessControl/view/getScanStatus/?contextId=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/accessControl/view/getScanStatus/', params={
  'contextId': 'string'
}, headers = headers)

print(r.json())

GET /JSON/accessControl/view/getScanStatus/

Gets the Access Control scan status (description string) for the given context ID.

Parameters

Name In Type Required Description
contextId query string true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

acsrf

acsrfActionAddOptionToken

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/acsrf/action/addOptionToken/?String=string' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/acsrf/action/addOptionToken/?String=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/acsrf/action/addOptionToken/', params={
  'String': 'string'
}, headers = headers)

print(r.json())

GET /JSON/acsrf/action/addOptionToken/

Adds an anti-CSRF token with the given name, enabled by default

Parameters

Name In Type Required Description
String query string true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

acsrfActionRemoveOptionToken

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/acsrf/action/removeOptionToken/?String=string' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/acsrf/action/removeOptionToken/?String=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/acsrf/action/removeOptionToken/', params={
  'String': 'string'
}, headers = headers)

print(r.json())

GET /JSON/acsrf/action/removeOptionToken/

Removes the anti-CSRF token with the given name

Parameters

Name In Type Required Description
String query string true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

acsrfActionSetOptionPartialMatchingEnabled

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/acsrf/action/setOptionPartialMatchingEnabled/?Boolean=true' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/acsrf/action/setOptionPartialMatchingEnabled/?Boolean=true");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/acsrf/action/setOptionPartialMatchingEnabled/', params={
  'Boolean': 'true'
}, headers = headers)

print(r.json())

GET /JSON/acsrf/action/setOptionPartialMatchingEnabled/

Define if ZAP should detect CSRF tokens by searching for partial matches.

Parameters

Name In Type Required Description
Boolean query boolean true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

acsrfOtherGenForm

Code samples

# You can also use wget
curl -X GET 'http://zap/OTHER/acsrf/other/genForm/?hrefId=string' \
  -H 'Accept: */*'

URL obj = new URL("http://zap/OTHER/acsrf/other/genForm/?hrefId=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': '*/*'
}

r = requests.get('http://zap/OTHER/acsrf/other/genForm/', params={
  'hrefId': 'string'
}, headers = headers)

print(r.content)

GET /OTHER/acsrf/other/genForm/

Generate a form for testing lack of anti-CSRF tokens - typically invoked via ZAP

Parameters

Name In Type Required Description
hrefId query string true Define which request will be used
actionUrl query string false Define the action URL to be used in the generated form

Example responses

Responses

Status Meaning Description Schema
default Default Error of OTHER endpoints. None

Response Schema

acsrfViewOptionPartialMatchingEnabled

Code samples

# You can also use wget
curl -X GET http://zap/JSON/acsrf/view/optionPartialMatchingEnabled/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/acsrf/view/optionPartialMatchingEnabled/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/acsrf/view/optionPartialMatchingEnabled/', headers = headers)

print(r.json())

GET /JSON/acsrf/view/optionPartialMatchingEnabled/

Define if ZAP should detect CSRF tokens by searching for partial matches

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

acsrfViewOptionTokensNames

Code samples

# You can also use wget
curl -X GET http://zap/JSON/acsrf/view/optionTokensNames/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/acsrf/view/optionTokensNames/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/acsrf/view/optionTokensNames/', headers = headers)

print(r.json())

GET /JSON/acsrf/view/optionTokensNames/

Lists the names of all anti-CSRF tokens

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpider

ajaxSpiderActionAddAllowedResource

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/addAllowedResource/?regex=string \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/action/addAllowedResource/?regex=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/action/addAllowedResource/', params={
  'regex': 'string'
}, headers = headers)

print(r.json())

GET /JSON/ajaxSpider/action/addAllowedResource/

Adds an allowed resource.

Parameters

Name In Type Required Description
regex query string true The regular expression of the allowed resource.
enabled query string false If the allowed resource should be enabled or not.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderActionAddExcludedElement

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/ajaxSpider/action/addExcludedElement/?contextName=string&description=string&element=string' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/action/addExcludedElement/?contextName=string&description=string&element=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/action/addExcludedElement/', params={
  'contextName': 'string',  'description': 'string',  'element': 'string'
}, headers = headers)

print(r.json())

GET /JSON/ajaxSpider/action/addExcludedElement/

Adds an excluded element to a context.

Parameters

Name In Type Required Description
contextName query string true The name of the context.
description query string true The description of the excluded element.
element query string true The element to exclude.
xpath query string false The XPath of the element.
text query string false The text of the element.
attributeName query string false The attribute name of the element.
attributeValue query string false The attribute value of the element.
enabled query string false The enabled state, true or false.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderActionModifyExcludedElement

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/ajaxSpider/action/modifyExcludedElement/?contextName=string&description=string&element=string' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/action/modifyExcludedElement/?contextName=string&description=string&element=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/action/modifyExcludedElement/', params={
  'contextName': 'string',  'description': 'string',  'element': 'string'
}, headers = headers)

print(r.json())

GET /JSON/ajaxSpider/action/modifyExcludedElement/

Modifies an excluded element of a context.

Parameters

Name In Type Required Description
contextName query string true The name of the context.
description query string true The description of the excluded element.
element query string true The element to exclude.
descriptionNew query string false The new description.
xpath query string false The XPath of the element.
text query string false The text of the element.
attributeName query string false The attribute name of the element.
attributeValue query string false The attribute value of the element.
enabled query string false The enabled state, true or false.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderActionRemoveAllowedResource

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/removeAllowedResource/?regex=string \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/action/removeAllowedResource/?regex=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/action/removeAllowedResource/', params={
  'regex': 'string'
}, headers = headers)

print(r.json())

GET /JSON/ajaxSpider/action/removeAllowedResource/

Removes an allowed resource.

Parameters

Name In Type Required Description
regex query string true The regular expression of the allowed resource.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderActionRemoveExcludedElement

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/ajaxSpider/action/removeExcludedElement/?contextName=string&description=string' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/action/removeExcludedElement/?contextName=string&description=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/action/removeExcludedElement/', params={
  'contextName': 'string',  'description': 'string'
}, headers = headers)

print(r.json())

GET /JSON/ajaxSpider/action/removeExcludedElement/

Removes an excluded element from a context.

Parameters

Name In Type Required Description
contextName query string true The name of the context.
description query string true The description of the excluded element.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderActionScan

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/scan/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/action/scan/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/action/scan/', headers = headers)

print(r.json())

GET /JSON/ajaxSpider/action/scan/

Runs the AJAX Spider against a given target.

Parameters

Name In Type Required Description
url query string false The starting URL (needs to include the 'scheme').
inScope query string false A boolean (true/false) indicating whether or not the scan should be restricted to 'inScope' only resources (default value is false).
contextName query string false The name for any defined context. If the value does not match a defined context then an error will occur.
subtreeOnly query string false A boolean (true/false) indicating whether or not the crawl should be constrained to a specific path (default value is false).

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderActionScanAsUser

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/ajaxSpider/action/scanAsUser/?contextName=string&userName=string' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/action/scanAsUser/?contextName=string&userName=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/action/scanAsUser/', params={
  'contextName': 'string',  'userName': 'string'
}, headers = headers)

print(r.json())

GET /JSON/ajaxSpider/action/scanAsUser/

Runs the AJAX Spider from the perspective of a User of the web application.

Parameters

Name In Type Required Description
contextName query string true The name for any defined context. If the value does not match a defined context then an error will occur.
userName query string true The name of the user to be used when crawling. The "userName" should be previously defined on the context configuration.
url query string false The starting URL (needs to include the 'scheme').
subtreeOnly query string false A boolean (true/false) indicating whether or not the crawl should be constrained to a specific path (default value is false).

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderActionSetEnabledAllowedResource

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/ajaxSpider/action/setEnabledAllowedResource/?regex=string&enabled=string' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/action/setEnabledAllowedResource/?regex=string&enabled=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/action/setEnabledAllowedResource/', params={
  'regex': 'string',  'enabled': 'string'
}, headers = headers)

print(r.json())

GET /JSON/ajaxSpider/action/setEnabledAllowedResource/

Sets whether or not an allowed resource is enabled.

Parameters

Name In Type Required Description
regex query string true The regular expression of the allowed resource.
enabled query string true If the allowed resource should be enabled or not.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderActionSetOptionBrowserId

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/setOptionBrowserId/?String=string \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/action/setOptionBrowserId/?String=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/action/setOptionBrowserId/', params={
  'String': 'string'
}, headers = headers)

print(r.json())

GET /JSON/ajaxSpider/action/setOptionBrowserId/

Sets the configuration of the AJAX Spider to use one of the supported browsers.

Parameters

Name In Type Required Description
String query string true The name of the browser to be used by the AJAX Spider. (See the Selenium add-on help for a list of supported browsers.)

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderActionSetOptionClickDefaultElems

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/setOptionClickDefaultElems/?Boolean=true \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/action/setOptionClickDefaultElems/?Boolean=true");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/action/setOptionClickDefaultElems/', params={
  'Boolean': 'true'
}, headers = headers)

print(r.json())

GET /JSON/ajaxSpider/action/setOptionClickDefaultElems/

Sets whether or not the AJAX Spider will only click on the default HTML elements.

Parameters

Name In Type Required Description
Boolean query boolean true A boolean (true/false) indicating if only default elements such as 'a' 'button' 'input' should be clicked (default is true).

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderActionSetOptionClickElemsOnce

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/setOptionClickElemsOnce/?Boolean=true \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/action/setOptionClickElemsOnce/?Boolean=true");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/action/setOptionClickElemsOnce/', params={
  'Boolean': 'true'
}, headers = headers)

print(r.json())

GET /JSON/ajaxSpider/action/setOptionClickElemsOnce/

When enabled, the crawler attempts to interact with each element (e.g., by clicking) only once.

Parameters

Name In Type Required Description
Boolean query boolean true A boolean (true/false) indicating whether or not the AJAX Spider should only click on elements once. If this is set to false, the crawler will attempt to click multiple times, which is more rigorous but may take considerably more time (default is true).

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderActionSetOptionEventWait

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/setOptionEventWait/?Integer=0 \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/action/setOptionEventWait/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/action/setOptionEventWait/', params={
  'Integer': '0'
}, headers = headers)

print(r.json())

GET /JSON/ajaxSpider/action/setOptionEventWait/

Sets the time to wait after an event (in milliseconds). For example: the wait delay after the cursor hovers over an element, in order for a menu to display, etc.

Parameters

Name In Type Required Description
Integer query integer true The time that the AJAX Spider should wait for each event (default is 1000 milliseconds).

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderActionSetOptionMaxCrawlDepth

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/setOptionMaxCrawlDepth/?Integer=0 \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/action/setOptionMaxCrawlDepth/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/action/setOptionMaxCrawlDepth/', params={
  'Integer': '0'
}, headers = headers)

print(r.json())

GET /JSON/ajaxSpider/action/setOptionMaxCrawlDepth/

Sets the maximum depth that the crawler can reach.

Parameters

Name In Type Required Description
Integer query integer true The maximum depth that the crawler should explore (zero means unlimited depth, default is 10).

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderActionSetOptionMaxCrawlStates

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/setOptionMaxCrawlStates/?Integer=0 \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/action/setOptionMaxCrawlStates/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/action/setOptionMaxCrawlStates/', params={
  'Integer': '0'
}, headers = headers)

print(r.json())

GET /JSON/ajaxSpider/action/setOptionMaxCrawlStates/

Sets the maximum number of states that the crawler should crawl.

Parameters

Name In Type Required Description
Integer query integer true The maximum number of states that the AJAX Spider should explore (zero means unlimited crawl states, default is 0)

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderActionSetOptionMaxDuration

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/setOptionMaxDuration/?Integer=0 \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/action/setOptionMaxDuration/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/action/setOptionMaxDuration/', params={
  'Integer': '0'
}, headers = headers)

print(r.json())

GET /JSON/ajaxSpider/action/setOptionMaxDuration/

The maximum time that the crawler is allowed to run.

Parameters

Name In Type Required Description
Integer query integer true The maximum amount of time that the AJAX Spider is allowed to run (zero means unlimited running time, default is 60 minutes).

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderActionSetOptionNumberOfBrowsers

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/setOptionNumberOfBrowsers/?Integer=0 \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/action/setOptionNumberOfBrowsers/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/action/setOptionNumberOfBrowsers/', params={
  'Integer': '0'
}, headers = headers)

print(r.json())

GET /JSON/ajaxSpider/action/setOptionNumberOfBrowsers/

Sets the number of windows to be used by AJAX Spider.

Parameters

Name In Type Required Description
Integer query integer true The number of windows that the AJAX Spider can use. The more windows, the faster the process will be. However, more windows also means greater resource usage (CPU, Memory, etc), and could lead to concurrency issues depending on the app being explored (default is 1).

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderActionSetOptionRandomInputs

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/setOptionRandomInputs/?Boolean=true \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/action/setOptionRandomInputs/?Boolean=true");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/action/setOptionRandomInputs/', params={
  'Boolean': 'true'
}, headers = headers)

print(r.json())

GET /JSON/ajaxSpider/action/setOptionRandomInputs/

When enabled, inserts random values into form fields.

Parameters

Name In Type Required Description
Boolean query boolean true A boolean (true/false) indicating whether or not random values should be used in form fields. Otherwise, empty values are submitted (default is true).

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderActionSetOptionReloadWait

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/setOptionReloadWait/?Integer=0 \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/action/setOptionReloadWait/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/action/setOptionReloadWait/', params={
  'Integer': '0'
}, headers = headers)

print(r.json())

GET /JSON/ajaxSpider/action/setOptionReloadWait/

Sets the time to wait after the page is loaded before interacting with it.

Parameters

Name In Type Required Description
Integer query integer true The number of milliseconds the AJAX Spider should wait after a page is loaded (default is 1000).

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderActionStop

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/stop/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/action/stop/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/action/stop/', headers = headers)

print(r.json())

GET /JSON/ajaxSpider/action/stop/

Stops the AJAX Spider.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson
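
The AJAX Spider actions above are usually called together. The following added example (not part of the ZAP documentation or the project's code) builds a bounded crawl from them: it sets the limits first, excludes a logout link, starts the scan last, and aborts on the first ErrorJson response so the scan never starts with unlimited settings. The target URL, context name, logout link text and the optional `X-ZAP-API-Key` header are assumptions for illustration.

```python
import json
from urllib.error import HTTPError
from urllib.parse import urlencode, urlsplit
from urllib.request import Request, urlopen

ZAP_BASE = "http://zap"  # same placeholder base URL as the samples on this page


class ZapApiError(RuntimeError):
    """Raised when a response has the ErrorJson shape (code, message, detail)."""


def build_plan(target, context_name, max_duration_min=10, max_depth=5,
               max_states=200, browsers=1):
    """Return ordered (path, params) pairs; the scan call is always last."""
    if urlsplit(target).scheme not in ("http", "https"):
        raise ValueError("url must include the scheme, e.g. https://")
    limits = [
        ("setOptionMaxDuration", max_duration_min),      # minutes
        ("setOptionMaxCrawlDepth", max_depth),
        ("setOptionMaxCrawlStates", max_states),
        ("setOptionNumberOfBrowsers", browsers),
    ]
    plan = []
    for action, value in limits:
        # Zero means "unlimited" for duration, depth and states, so reject it.
        if isinstance(value, bool) or not isinstance(value, int) or value < 1:
            raise ValueError(f"{action}: expected a positive integer, got {value!r}")
        plan.append((f"/JSON/ajaxSpider/action/{action}/", {"Integer": str(value)}))
    plan.append(("/JSON/ajaxSpider/action/setOptionClickElemsOnce/",
                 {"Boolean": "true"}))
    # Constructed exclusion: keep the crawler from clicking the logout link,
    # which would end the session part-way through the crawl.
    plan.append(("/JSON/ajaxSpider/action/addExcludedElement/", {
        "contextName": context_name,
        "description": "logout link",
        "element": "a",
        "text": "Log out",
    }))
    # contextName must match a context already defined in ZAP.
    plan.append(("/JSON/ajaxSpider/action/scan/", {
        "url": target,
        "contextName": context_name,
        "subtreeOnly": "true",
    }))
    return plan


def http_fetch(url, api_key=None):
    """GET a ZAP API URL and return the response body as text."""
    headers = {"Accept": "application/json"}
    if api_key:
        headers["X-ZAP-API-Key"] = api_key  # assumption: an API key is configured
    try:
        with urlopen(Request(url, headers=headers), timeout=30) as resp:
            return resp.read().decode("utf-8")
    except HTTPError as err:
        # Error responses still carry a JSON body worth reporting.
        return err.read().decode("utf-8")


def run_plan(plan, fetch=http_fetch, base=ZAP_BASE):
    """Execute the plan in order; stop at the first ErrorJson response."""
    done = []
    for path, params in plan:
        body = json.loads(fetch(f"{base}{path}?{urlencode(params)}"))
        if isinstance(body, dict) and {"code", "message"} <= body.keys():
            raise ZapApiError(f"{path}: {body['code']}: {body['message']}")
        done.append(path)
    return done


if __name__ == "__main__":
    # Prints the calls without contacting ZAP; values are constructed.
    for path, params in build_plan("https://app.example.test/shop/", "shop-ctx"):
        print(path, params)
```

Pass `fetch=lambda url: http_fetch(url, api_key=...)` to `run_plan` when the ZAP instance requires an API key.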

ajaxSpiderViewAllowedResources

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/allowedResources/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/view/allowedResources/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/view/allowedResources/', headers = headers)

print(r.json())

GET /JSON/ajaxSpider/view/allowedResources/

Gets the allowed resources. The allowed resources are always fetched even if out of scope, which allows necessary resources (e.g. scripts) from third parties to be included.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderViewExcludedElements

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/ajaxSpider/view/excludedElements/?contextName=string' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/view/excludedElements/?contextName=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/view/excludedElements/', params={
  'contextName': 'string'
}, headers = headers)

print(r.json())

GET /JSON/ajaxSpider/view/excludedElements/

Gets the excluded elements. The excluded elements are not clicked during crawling, for example, to prevent logging out.

Parameters

| Name | In | Type | Required | Description |
|---|---|---|---|---|
| contextName | query | string | true | The name of the context. |

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderViewFullResults

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/fullResults/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/view/fullResults/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/view/fullResults/', headers = headers)

print(r.json())

GET /JSON/ajaxSpider/view/fullResults/

Gets the full crawled content detected by the AJAX Spider. Returns a set of values based on 'inScope' URLs, 'outOfScope' URLs, and 'errors' encountered during the last/current run of the AJAX Spider.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderViewNumberOfResults

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/numberOfResults/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/view/numberOfResults/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/view/numberOfResults/', headers = headers)

print(r.json())

GET /JSON/ajaxSpider/view/numberOfResults/

Gets the number of resources found.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderViewOptionBrowserId

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/optionBrowserId/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/view/optionBrowserId/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/view/optionBrowserId/', headers = headers)

print(r.json())

GET /JSON/ajaxSpider/view/optionBrowserId/

Gets the configured browser to use for crawling.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderViewOptionClickDefaultElems

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/optionClickDefaultElems/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/view/optionClickDefaultElems/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/view/optionClickDefaultElems/', headers = headers)

print(r.json())

GET /JSON/ajaxSpider/view/optionClickDefaultElems/

Gets the configured value for 'Click Default Elements Only'. The default elements are HTML elements such as 'a', 'button' and 'input', all associated with some action or link on the page.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderViewOptionClickElemsOnce

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/optionClickElemsOnce/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/view/optionClickElemsOnce/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/view/optionClickElemsOnce/', headers = headers)

print(r.json())

GET /JSON/ajaxSpider/view/optionClickElemsOnce/

Gets the value configured for the AJAX Spider to know if it should click on the elements only once.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderViewOptionEventWait

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/optionEventWait/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/view/optionEventWait/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/view/optionEventWait/', headers = headers)

print(r.json())

GET /JSON/ajaxSpider/view/optionEventWait/

Gets the time to wait after an event (in milliseconds). For example: the wait delay after the cursor hovers over an element, in order for a menu to display, etc.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderViewOptionMaxCrawlDepth

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/optionMaxCrawlDepth/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/view/optionMaxCrawlDepth/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/view/optionMaxCrawlDepth/', headers = headers)

print(r.json())

GET /JSON/ajaxSpider/view/optionMaxCrawlDepth/

Gets the configured value for the max crawl depth.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderViewOptionMaxCrawlStates

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/optionMaxCrawlStates/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/view/optionMaxCrawlStates/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/view/optionMaxCrawlStates/', headers = headers)

print(r.json())

GET /JSON/ajaxSpider/view/optionMaxCrawlStates/

Gets the configured value for the maximum crawl states allowed.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderViewOptionMaxDuration

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/optionMaxDuration/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/view/optionMaxDuration/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/view/optionMaxDuration/', headers = headers)

print(r.json())

GET /JSON/ajaxSpider/view/optionMaxDuration/

Gets the configured maximum duration of the crawl. The value is in minutes.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderViewOptionNumberOfBrowsers

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/optionNumberOfBrowsers/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/view/optionNumberOfBrowsers/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/view/optionNumberOfBrowsers/', headers = headers)

print(r.json())

GET /JSON/ajaxSpider/view/optionNumberOfBrowsers/

Gets the configured number of browsers to be used.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderViewOptionRandomInputs

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/optionRandomInputs/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/view/optionRandomInputs/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/view/optionRandomInputs/', headers = headers)

print(r.json())

GET /JSON/ajaxSpider/view/optionRandomInputs/

Gets whether the AJAX Spider uses random values in form fields when crawling (true if it does).

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderViewOptionReloadWait

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/optionReloadWait/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/view/optionReloadWait/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/view/optionReloadWait/', headers = headers)

print(r.json())

GET /JSON/ajaxSpider/view/optionReloadWait/

Gets the configured time to wait after reloading the page. The value is in milliseconds.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderViewResults

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/results/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/view/results/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/view/results/', headers = headers)

print(r.json())

GET /JSON/ajaxSpider/view/results/

Gets the current results of the crawler.

Parameters

| Name | In | Type | Required | Description |
|---|---|---|---|---|
| start | query | string | false | The position (or offset) within the results to use as a starting position for the information returned. |
| count | query | string | false | The number of results to return. |

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ajaxSpiderViewStatus

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/status/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ajaxSpider/view/status/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ajaxSpider/view/status/', headers = headers)

print(r.json())

GET /JSON/ajaxSpider/view/status/

Gets the current status of the crawler. Actual values are Stopped and Running.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson
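
The AJAX Spider views above combine into a bounded crawl followed by a scope check. The following is an added example, not code from the ZAP project: it polls view/status until the crawl ends (calling action/stop at a deadline), then summarises a view/fullResults body and flags out-of-scope hosts that were not knowingly allowed. The response shapes (`{"status": ...}`, a `fullResults` wrapper whose entries carry a `url` field), the helper names and the sample data are assumptions, since this page does not define the responses.

```python
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://zap"  # same base URL as the samples on this page


def zap_get(path, params=None):
    """GET a ZAP JSON endpoint and return the decoded JSON body."""
    url = ZAP_BASE + path
    if params:
        url += "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def wait_for_ajax_spider(fetch=zap_get, timeout_s=600.0, poll_s=2.0,
                         sleep=time.sleep, clock=time.monotonic):
    """Poll view/status until the crawl ends; stop it at the deadline.

    Returns True if the spider finished by itself, False if it had to be
    stopped through action/stop.
    """
    deadline = clock() + timeout_s
    while True:
        body = fetch("/JSON/ajaxSpider/view/status/")
        # Assumption: the body looks like {"status": "running"}.
        if str(body.get("status", "")).lower() != "running":
            return True
        if clock() >= deadline:
            fetch("/JSON/ajaxSpider/action/stop/")
            return False
        sleep(poll_s)


def buckets_of(body):
    """Normalise a fullResults body to {bucket_name: [entries]}.

    Accepts either an object keyed by bucket name or a list of
    single-key objects (both shapes are assumptions).
    """
    payload = body.get("fullResults", body)
    if isinstance(payload, dict):
        return {name: list(entries) for name, entries in payload.items()}
    merged = {}
    for item in payload:
        if isinstance(item, dict):
            for name, entries in item.items():
                merged.setdefault(name, []).extend(entries)
    return merged


def scope_report(body, allowed_hosts):
    """Count each fullResults bucket and list unexpected out-of-scope hosts."""
    buckets = buckets_of(body)
    allowed = {host.lower() for host in allowed_hosts}
    unexpected = set()
    for entry in buckets.get("outOfScope", []):
        url = entry.get("url", "") if isinstance(entry, dict) else str(entry)
        host = (urllib.parse.urlsplit(url).hostname or "").lower()
        if host and host not in allowed:
            unexpected.add(host)
    return {
        "inScope": len(buckets.get("inScope", [])),
        "outOfScope": len(buckets.get("outOfScope", [])),
        "errors": len(buckets.get("errors", [])),
        "unexpected_hosts": sorted(unexpected),
    }


# Constructed sample body, not output captured from a real ZAP instance.
SAMPLE_FULL_RESULTS = {"fullResults": [
    {"inScope": [{"url": "https://app.example.test/"},
                 {"url": "https://app.example.test/cart"}]},
    {"outOfScope": [{"url": "https://cdn.example.test/lib.js"},
                    {"url": "https://tracker.example.net/p.gif"}]},
    {"errors": []},
]}

if __name__ == "__main__":
    # Offline demo: only the constructed sample is used, no request is sent.
    print(scope_report(SAMPLE_FULL_RESULTS, allowed_hosts=["cdn.example.test"]))
```

Pass the hosts configured as allowed resources as `allowed_hosts`; any other host in the report was reached outside the intended scope and is worth reviewing before an active scan follows the crawl.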

alert

alertActionAddAlert

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/alert/action/addAlert/?messageId=string&name=string&riskId=string&confidenceId=string&description=string' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/alert/action/addAlert/?messageId=string&name=string&riskId=string&confidenceId=string&description=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/alert/action/addAlert/', params={
  'messageId': 'string',  'name': 'string',  'riskId': 'string',  'confidenceId': 'string',  'description': 'string'
}, headers = headers)

print(r.json())

GET /JSON/alert/action/addAlert/

Add an alert associated with the given message ID, with the provided details. (The ID of the created alert is returned.)

Parameters

| Name | In | Type | Required | Description |
|---|---|---|---|---|
| messageId | query | string | true | The ID of the message to which the alert should be associated. |
| name | query | string | true | The name of the alert. |
| riskId | query | string | true | The numeric risk representation ('0 - Informational' through '3 - High'). |
| confidenceId | query | string | true | The numeric confidence representation ('1 - Low' through '3 - High' [user set values '0 - False Positive', and '4 - User Confirmed' are also available]). |
| description | query | string | true | The description to be set to the alert. |
| param | query | string | false | The name of the parameter applicable to the alert. |
| attack | query | string | false | The attack (ex: injected string) used by the scan rule. |
| otherInfo | query | string | false | Other information about the alert or test. |
| solution | query | string | false | The solution for the alert. |
| references | query | string | false | The reference details for the alert. |
| evidence | query | string | false | The evidence associated with the alert. |
| cweId | query | string | false | The CWE identifier associated with the alert. |
| wascId | query | string | false | The WASC identifier associated with the alert. |

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

alertActionDeleteAlert

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/alert/action/deleteAlert/?id=string' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/alert/action/deleteAlert/?id=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/alert/action/deleteAlert/', params={
  'id': 'string'
}, headers = headers)

print(r.json())

GET /JSON/alert/action/deleteAlert/

Deletes the alert with the given ID.

Parameters

| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | query | string | true | none |

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

alertActionDeleteAlerts

Code samples

# You can also use wget
curl -X GET http://zap/JSON/alert/action/deleteAlerts/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/alert/action/deleteAlerts/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/alert/action/deleteAlerts/', headers = headers)

print(r.json())

GET /JSON/alert/action/deleteAlerts/

Deletes all the alerts optionally filtered by URL which fall within the Context with the provided name, risk, or base URL.

Parameters

| Name | In | Type | Required | Description |
|---|---|---|---|---|
| contextName | query | string | false | The name of the Context for which the alerts should be deleted. |
| baseurl | query | string | false | The highest URL in the Sites tree under which alerts should be deleted. |
| riskId | query | string | false | The numeric risk representation ('0 - Informational' through '3 - High'). |

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

alertActionDeleteAllAlerts

Code samples

# You can also use wget
curl -X GET http://zap/JSON/alert/action/deleteAllAlerts/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/alert/action/deleteAllAlerts/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/alert/action/deleteAllAlerts/', headers = headers)

print(r.json())

GET /JSON/alert/action/deleteAllAlerts/

Deletes all alerts of the current session.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

alertActionUpdateAlert

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/alert/action/updateAlert/?id=string&name=string&riskId=string&confidenceId=string&description=string' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/alert/action/updateAlert/?id=string&name=string&riskId=string&confidenceId=string&description=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/alert/action/updateAlert/', params={
  'id': 'string',  'name': 'string',  'riskId': 'string',  'confidenceId': 'string',  'description': 'string'
}, headers = headers)

print(r.json())

GET /JSON/alert/action/updateAlert/

Update the alert with the given ID, with the provided details.

Parameters

| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | query | string | true | The ID of the alert to update. |
| name | query | string | true | The name of the alert. |
| riskId | query | string | true | The numeric risk representation ('0 - Informational' through '3 - High'). |
| confidenceId | query | string | true | The numeric confidence representation ('1 - Low' through '3 - High' [user set values '0 - False Positive', and '4 - User Confirmed' are also available]). |
| description | query | string | true | The description to be set to the alert. |
| param | query | string | false | The name of the parameter applicable to the alert. |
| attack | query | string | false | The attack (ex: injected string) used by the scan rule. |
| otherInfo | query | string | false | Other information about the alert or test. |
| solution | query | string | false | The solution for the alert. |
| references | query | string | false | The reference details for the alert. |
| evidence | query | string | false | The evidence associated with the alert. |
| cweId | query | string | false | The CWE identifier associated with the alert. |
| wascId | query | string | false | The WASC identifier associated with the alert. |

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

alertActionUpdateAlertsConfidence

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/alert/action/updateAlertsConfidence/?ids=string&confidenceId=string' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/alert/action/updateAlertsConfidence/?ids=string&confidenceId=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/alert/action/updateAlertsConfidence/', params={
  'ids': 'string',  'confidenceId': 'string'
}, headers = headers)

print(r.json())

GET /JSON/alert/action/updateAlertsConfidence/

Update the confidence of the alerts.

Parameters

| Name | In | Type | Required | Description |
|---|---|---|---|---|
| ids | query | string | true | The IDs of the alerts to update (comma separated values). |
| confidenceId | query | string | true | The numeric confidence representation ('1 - Low' through '3 - High' [user set values '0 - False Positive', and '4 - User Confirmed' are also available]). |

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

alertActionUpdateAlertsRisk

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/alert/action/updateAlertsRisk/?ids=string&riskId=string' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/alert/action/updateAlertsRisk/?ids=string&riskId=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/alert/action/updateAlertsRisk/', params={
  'ids': 'string',  'riskId': 'string'
}, headers = headers)

print(r.json())

GET /JSON/alert/action/updateAlertsRisk/

Update the risk of the alerts.

Parameters

| Name | In | Type | Required | Description |
|---|---|---|---|---|
| ids | query | string | true | The IDs of the alerts to update (comma separated values). |
| riskId | query | string | true | The numeric risk representation ('0 - Informational' through '3 - High'). |

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson
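
The addAlert, updateAlertsConfidence and updateAlertsRisk actions above take numeric IDs and free text in the query string, so a client should validate the ranges and encode every value before sending. The following is an added example, not code from the ZAP project: it builds the request URLs from the parameter tables on this page. The function names and the batch size are assumptions, and the sample values are constructed.

```python
from urllib.parse import urlencode

ZAP_BASE = "http://zap"  # same base URL as the samples on this page

RISK_IDS = range(0, 4)        # '0 - Informational' through '3 - High'
CONFIDENCE_IDS = range(0, 5)  # '0 - False Positive' through '4 - User Confirmed'

ADD_ALERT_REQUIRED = ("messageId", "name", "riskId", "confidenceId", "description")
ADD_ALERT_OPTIONAL = ("param", "attack", "otherInfo", "solution", "references",
                      "evidence", "cweId", "wascId")


def _level(value, allowed, field):
    """Return value as a string after checking it is an allowed numeric ID."""
    try:
        number = int(str(value))
    except ValueError:
        raise ValueError(f"{field} must be an integer, got {value!r}") from None
    if number not in allowed:
        raise ValueError(f"{field}={number} is outside {allowed.start}..{allowed.stop - 1}")
    return str(number)


def add_alert_url(**fields):
    """Build the addAlert URL; rejects unknown, missing or out-of-range values."""
    unknown = set(fields) - set(ADD_ALERT_REQUIRED) - set(ADD_ALERT_OPTIONAL)
    if unknown:
        raise ValueError(f"unknown parameter(s): {sorted(unknown)}")
    missing = [k for k in ADD_ALERT_REQUIRED if fields.get(k) in (None, "")]
    if missing:
        raise ValueError(f"missing required parameter(s): {missing}")
    fields = dict(
        fields,
        riskId=_level(fields["riskId"], RISK_IDS, "riskId"),
        confidenceId=_level(fields["confidenceId"], CONFIDENCE_IDS, "confidenceId"),
    )
    # urlencode escapes '&', '=', spaces and markup in free-text fields, so an
    # alert description cannot add or override query parameters.
    ordered = [(k, fields[k]) for k in ADD_ALERT_REQUIRED + ADD_ALERT_OPTIONAL
               if k in fields]
    return f"{ZAP_BASE}/JSON/alert/action/addAlert/?{urlencode(ordered)}"


def bulk_update_urls(kind, alert_ids, level, batch=50):
    """Build updateAlertsRisk / updateAlertsConfidence URLs, `batch` IDs each.

    `batch` is an assumption of this example (it keeps GET URLs short); it is
    not a limit documented on this page.
    """
    spec = {
        "risk": ("updateAlertsRisk", "riskId", RISK_IDS),
        "confidence": ("updateAlertsConfidence", "confidenceId", CONFIDENCE_IDS),
    }
    if kind not in spec:
        raise ValueError("kind must be 'risk' or 'confidence'")
    if batch < 1:
        raise ValueError("batch must be at least 1")
    action, field, allowed = spec[kind]
    level = _level(level, allowed, field)

    # IDs are sent comma separated, so each one must be a plain integer:
    # a value such as "1,2" would otherwise update more alerts than intended.
    ids = []
    for raw in alert_ids:
        text = str(raw).strip()
        if not (text.isascii() and text.isdigit()):
            raise ValueError(f"alert id must be a non-negative integer, got {raw!r}")
        text = str(int(text))
        if text not in ids:  # drop duplicates, keep order
            ids.append(text)

    urls = []
    for i in range(0, len(ids), batch):
        query = urlencode({"ids": ",".join(ids[i:i + batch]), field: level})
        urls.append(f"{ZAP_BASE}/JSON/alert/action/{action}/?{query}")
    return urls


if __name__ == "__main__":
    # Constructed sample values; the URLs are printed, nothing is sent.
    print(add_alert_url(messageId=7, name="Token reflected", riskId=2,
                        confidenceId=1, description="token echoed in q & r"))
    for url in bulk_update_urls("confidence", [3, 4, 5], 0, batch=2):
        print(url)
```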

alertViewAlert

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/alert/view/alert/?id=string' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/alert/view/alert/?id=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/alert/view/alert/', params={
  'id': 'string'
}, headers = headers)

print(r.json())

GET /JSON/alert/view/alert/

Gets the alert with the given ID. The corresponding HTTP message can be obtained with the 'messageId' field and the 'message' API method.

Parameters

| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | query | string | true | none |

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

alertViewAlertCountsByRisk

Code samples

# You can also use wget
curl -X GET http://zap/JSON/alert/view/alertCountsByRisk/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/alert/view/alertCountsByRisk/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/alert/view/alertCountsByRisk/', headers = headers)

print(r.json())

GET /JSON/alert/view/alertCountsByRisk/

Gets a count of the alerts, optionally filtered as per alertsPerRisk.

Parameters

| Name | In | Type | Required | Description |
|---|---|---|---|---|
| url | query | string | false | none |
| recurse | query | string | false | none |

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

alertViewAlerts

Code samples

# You can also use wget
curl -X GET http://zap/JSON/alert/view/alerts/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/alert/view/alerts/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/alert/view/alerts/', headers = headers)

print(r.json())

GET /JSON/alert/view/alerts/

Gets the alerts raised by ZAP, optionally filtering by URL or riskId, and paginating with 'start' position and 'count' of alerts

Parameters

Name In Type Required Description
baseurl query string false The highest URL in the Sites tree under which alerts should be included.
start query string false none
count query string false none
riskId query string false none
contextName query string false Optionally, the Context name which the Alerts' URLs are associated with.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

alertViewAlertsByRisk

Code samples

# You can also use wget
curl -X GET http://zap/JSON/alert/view/alertsByRisk/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/alert/view/alertsByRisk/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/alert/view/alertsByRisk/', headers = headers)

print(r.json())

GET /JSON/alert/view/alertsByRisk/

Gets a summary of the alerts, optionally filtered by a 'url'. If 'recurse' is true, all alerts that apply to URLs starting with the specified 'url' are returned; otherwise only those on exactly the same 'url' (ignoring URL parameters) are returned.

Parameters

Name In Type Required Description
url query string false none
recurse query string false none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

alertViewAlertsSummary

Code samples

# You can also use wget
curl -X GET http://zap/JSON/alert/view/alertsSummary/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/alert/view/alertsSummary/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/alert/view/alertsSummary/', headers = headers)

print(r.json())

GET /JSON/alert/view/alertsSummary/

Gets the number of alerts grouped by risk level, optionally filtering by URL.

Parameters

Name In Type Required Description
baseurl query string false The highest URL in the Sites tree under which alerts should be included.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson
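The following is an added example, not part of the ZAP documentation or client: a build gate on top of alertsSummary that treats the ErrorJson shape shown above as a failure instead of reading it as "zero alerts". It assumes the success body is keyed by risk name under "alertsSummary" and that the API key is sent in the X-ZAP-API-Key header; the function names and the injectable fetch callable are hypothetical.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

ZAP_BASE = "http://zap"  # placeholder host used by the samples above

# Assumption: the summary is a JSON object keyed by these risk names.
RISK_LEVELS = ("Informational", "Low", "Medium", "High")


class ZapApiError(RuntimeError):
    """ZAP answered with the ErrorJson shape (code/message/detail) or with junk."""


def http_fetch(path, params, api_key=None):
    """GET a ZAP JSON endpoint and decode the body, including error bodies."""
    query = urllib.parse.urlencode(params)
    url = ZAP_BASE + path + ("?" + query if query else "")
    request = urllib.request.Request(url, headers={"Accept": "application/json"})
    if api_key:
        request.add_header("X-ZAP-API-Key", api_key)
    try:
        try:
            with urllib.request.urlopen(request, timeout=30) as response:
                return json.load(response)
        except urllib.error.HTTPError as exc:
            # An error status may still carry the ErrorJson body; decode it
            # so the caller sees the code and message.
            return json.load(exc)
    except ValueError as exc:
        raise ZapApiError(f"response from {path} is not JSON") from exc


def alerts_summary(fetch=http_fetch, baseurl=None):
    """Return {risk name: count}; raise ZapApiError on anything else."""
    params = {"baseurl": baseurl} if baseurl else {}
    body = fetch("/JSON/alert/view/alertsSummary/", params)
    summary = body.get("alertsSummary") if isinstance(body, dict) else None
    if not isinstance(summary, dict):
        if isinstance(body, dict) and "code" in body:
            raise ZapApiError(f"{body['code']}: {body.get('message', '')}")
        raise ZapApiError(f"unexpected response: {body!r}")
    # Counts may arrive as strings, so normalise to int.
    return {level: int(summary.get(level, 0)) for level in RISK_LEVELS}


def gate(summary, fail_at="Medium"):
    """Return the non-zero counts at or above fail_at; empty dict means pass."""
    threshold = RISK_LEVELS.index(fail_at)
    return {
        level: count
        for level, count in summary.items()
        if RISK_LEVELS.index(level) >= threshold and count > 0
    }
```

In a pipeline, call alerts_summary() with the default transport and exit non-zero when gate() returns a non-empty dict or ZapApiError is raised.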

alertViewNumberOfAlerts

Code samples

# You can also use wget
curl -X GET http://zap/JSON/alert/view/numberOfAlerts/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/alert/view/numberOfAlerts/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/alert/view/numberOfAlerts/', headers = headers)

print(r.json())

GET /JSON/alert/view/numberOfAlerts/

Gets the number of alerts, optionally filtering by URL or riskId

Parameters

Name In Type Required Description
baseurl query string false The highest URL in the Sites tree under which alerts should be included.
riskId query string false none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

alertFilter

alertFilterActionAddAlertFilter

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/alertFilter/action/addAlertFilter/?contextId=string&ruleId=string&newLevel=string' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/alertFilter/action/addAlertFilter/?contextId=string&ruleId=string&newLevel=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/alertFilter/action/addAlertFilter/', params={
  'contextId': 'string',  'ruleId': 'string',  'newLevel': 'string'
}, headers = headers)

print(r.json())

GET /JSON/alertFilter/action/addAlertFilter/

Adds a new alert filter for the context with the given ID.

Parameters

Name In Type Required Description
contextId query string true none
ruleId query string true none
newLevel query string true none
url query string false none
urlIsRegex query string false none
parameter query string false none
enabled query string false none
parameterIsRegex query string false none
attack query string false none
attackIsRegex query string false none
evidence query string false none
evidenceIsRegex query string false none
methods query string false none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

alertFilterActionAddGlobalAlertFilter

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/alertFilter/action/addGlobalAlertFilter/?ruleId=string&newLevel=string' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/alertFilter/action/addGlobalAlertFilter/?ruleId=string&newLevel=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/alertFilter/action/addGlobalAlertFilter/', params={
  'ruleId': 'string',  'newLevel': 'string'
}, headers = headers)

print(r.json())

GET /JSON/alertFilter/action/addGlobalAlertFilter/

Adds a new global alert filter.

Parameters

Name In Type Required Description
ruleId query string true none
newLevel query string true none
url query string false none
urlIsRegex query string false none
parameter query string false none
enabled query string false none
parameterIsRegex query string false none
attack query string false none
attackIsRegex query string false none
evidence query string false none
evidenceIsRegex query string false none
methods query string false none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

alertFilterActionApplyAll

Code samples

# You can also use wget
curl -X GET http://zap/JSON/alertFilter/action/applyAll/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/alertFilter/action/applyAll/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/alertFilter/action/applyAll/', headers = headers)

print(r.json())

GET /JSON/alertFilter/action/applyAll/

Applies all currently enabled Global and Context alert filters.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

alertFilterActionApplyContext

Code samples

# You can also use wget
curl -X GET http://zap/JSON/alertFilter/action/applyContext/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/alertFilter/action/applyContext/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/alertFilter/action/applyContext/', headers = headers)

print(r.json())

GET /JSON/alertFilter/action/applyContext/

Applies all currently enabled Context alert filters.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

alertFilterActionApplyGlobal

Code samples

# You can also use wget
curl -X GET http://zap/JSON/alertFilter/action/applyGlobal/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/alertFilter/action/applyGlobal/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/alertFilter/action/applyGlobal/', headers = headers)

print(r.json())

GET /JSON/alertFilter/action/applyGlobal/

Applies all currently enabled Global alert filters.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

alertFilterActionRemoveAlertFilter

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/alertFilter/action/removeAlertFilter/?contextId=string&ruleId=string&newLevel=string' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/alertFilter/action/removeAlertFilter/?contextId=string&ruleId=string&newLevel=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/alertFilter/action/removeAlertFilter/', params={
  'contextId': 'string',  'ruleId': 'string',  'newLevel': 'string'
}, headers = headers)

print(r.json())

GET /JSON/alertFilter/action/removeAlertFilter/

Removes an alert filter from the context with the given ID.

Parameters

Name In Type Required Description
contextId query string true none
ruleId query string true none
newLevel query string true none
url query string false none
urlIsRegex query string false none
parameter query string false none
enabled query string false none
parameterIsRegex query string false none
attack query string false none
attackIsRegex query string false none
evidence query string false none
evidenceIsRegex query string false none
methods query string false none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

alertFilterActionRemoveGlobalAlertFilter

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/alertFilter/action/removeGlobalAlertFilter/?ruleId=string&newLevel=string' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/alertFilter/action/removeGlobalAlertFilter/?ruleId=string&newLevel=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/alertFilter/action/removeGlobalAlertFilter/', params={
  'ruleId': 'string',  'newLevel': 'string'
}, headers = headers)

print(r.json())

GET /JSON/alertFilter/action/removeGlobalAlertFilter/

Removes a global alert filter.

Parameters

Name In Type Required Description
ruleId query string true none
newLevel query string true none
url query string false none
urlIsRegex query string false none
parameter query string false none
enabled query string false none
parameterIsRegex query string false none
attack query string false none
attackIsRegex query string false none
evidence query string false none
evidenceIsRegex query string false none
methods query string false none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

alertFilterActionTestAll

Code samples

# You can also use wget
curl -X GET http://zap/JSON/alertFilter/action/testAll/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/alertFilter/action/testAll/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/alertFilter/action/testAll/', headers = headers)

print(r.json())

GET /JSON/alertFilter/action/testAll/

Tests all currently enabled Global and Context alert filters.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

alertFilterActionTestContext

Code samples

# You can also use wget
curl -X GET http://zap/JSON/alertFilter/action/testContext/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/alertFilter/action/testContext/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/alertFilter/action/testContext/', headers = headers)

print(r.json())

GET /JSON/alertFilter/action/testContext/

Tests all currently enabled Context alert filters.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

alertFilterActionTestGlobal

Code samples

# You can also use wget
curl -X GET http://zap/JSON/alertFilter/action/testGlobal/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/alertFilter/action/testGlobal/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/alertFilter/action/testGlobal/', headers = headers)

print(r.json())

GET /JSON/alertFilter/action/testGlobal/

Tests all currently enabled Global alert filters.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

alertFilterViewAlertFilterList

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/alertFilter/view/alertFilterList/?contextId=string' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/alertFilter/view/alertFilterList/?contextId=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/alertFilter/view/alertFilterList/', params={
  'contextId': 'string'
}, headers = headers)

print(r.json())

GET /JSON/alertFilter/view/alertFilterList/

Lists the alert filters of the context with the given ID.

Parameters

Name In Type Required Description
contextId query string true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

alertFilterViewGlobalAlertFilterList

Code samples

# You can also use wget
curl -X GET http://zap/JSON/alertFilter/view/globalAlertFilterList/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/alertFilter/view/globalAlertFilterList/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/alertFilter/view/globalAlertFilterList/', headers = headers)

print(r.json())

GET /JSON/alertFilter/view/globalAlertFilterList/

Lists the global alert filters.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson
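The following is an added example, not part of the ZAP documentation or client: it builds matching add/remove requests for one alert filter from a single spec, URL-encodes regex values, and flags filters that would mark findings as false positives everywhere. Assumptions: newLevel uses -1 for false positive and 0 to 3 for Informational to High, a filter is enabled when 'enabled' is absent, and entries fed to the audit use the parameter names from the tables above; all function names and sample values are hypothetical.

```python
import re
import urllib.parse

ZAP_BASE = "http://zap"  # placeholder host used by the samples above

# Assumption (not stated on this page): newLevel uses ZAP's risk numbering,
# with -1 meaning "mark as false positive".
NEW_LEVELS = {-1: "False Positive", 0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Parameter names exactly as listed in the tables above.
REQUIRED = ("ruleId", "newLevel")
OPTIONAL = ("url", "urlIsRegex", "parameter", "enabled", "parameterIsRegex",
            "attack", "attackIsRegex", "evidence", "evidenceIsRegex", "methods")
REGEX_FLAGS = {"url": "urlIsRegex", "parameter": "parameterIsRegex",
               "attack": "attackIsRegex", "evidence": "evidenceIsRegex"}

# Constructed probe: a URL that no narrowly scoped filter should match.
PROBE_URL = "https://unrelated.invalid/any/path?x=1"


def is_true(value):
    return str(value).lower() == "true"


def validate_filter(spec):
    """Return a list of problems; an empty list means the spec is usable."""
    problems = [f"missing required parameter {n}"
                for n in REQUIRED if spec.get(n) in (None, "")]
    allowed = set(REQUIRED) | set(OPTIONAL) | {"contextId"}
    problems += [f"unknown parameter {n}" for n in sorted(set(spec) - allowed)]
    if spec.get("newLevel") not in (None, ""):
        try:
            if int(spec["newLevel"]) not in NEW_LEVELS:
                problems.append("newLevel is outside -1..3")
        except ValueError:
            problems.append("newLevel is not an integer")
    for field, flag in REGEX_FLAGS.items():
        if not is_true(spec.get(flag, "false")):
            continue
        if not spec.get(field):
            problems.append(f"{flag} is true but {field} is empty")
            continue
        try:
            # Python's re only approximates the Java regex syntax ZAP uses.
            re.compile(spec[field])
        except re.error as exc:
            problems.append(f"{field} is not a valid regex: {exc}")
    return problems


def filter_url(action, spec):
    """Build the add/remove URL; a spec without contextId targets the Global variant."""
    if action not in ("add", "remove"):
        raise ValueError("action must be 'add' or 'remove'")
    problems = validate_filter(spec)
    if problems:
        raise ValueError("; ".join(problems))
    scoped = "contextId" in spec
    names = (("contextId",) if scoped else ()) + REQUIRED + OPTIONAL
    # urlencode escapes '&', '?', '*' and similar characters in regex values.
    query = urllib.parse.urlencode([(n, str(spec[n])) for n in names if n in spec])
    endpoint = f"{action}{'AlertFilter' if scoped else 'GlobalAlertFilter'}"
    return f"{ZAP_BASE}/JSON/alertFilter/action/{endpoint}/?{query}"


def broad_false_positive_filters(filters):
    """Flag enabled filters that set False Positive without a narrow URL scope."""
    flagged = []
    for f in filters:
        # Assumption: a filter without 'enabled' is treated as enabled.
        if not is_true(f.get("enabled", "true")) or int(f["newLevel"]) != -1:
            continue
        url = f.get("url", "")
        if not url:
            flagged.append((f["ruleId"], "no url restriction"))
        elif is_true(f.get("urlIsRegex", "false")) and re.fullmatch(url, PROBE_URL):
            flagged.append((f["ruleId"], "url regex matches unrelated URLs"))
    return flagged
```

Keeping the spec under version control and generating both URLs from it means a suppression can be reviewed like code and removed with exactly the parameters it was added with.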

ascan

ascanActionAddExcludedParam

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/ascan/action/addExcludedParam/?name=string' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/addExcludedParam/?name=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/addExcludedParam/', params={
  'name': 'string'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/addExcludedParam/

Adds a new parameter excluded from the scan, using the specified name. Optionally sets if the new entry applies to a specific URL (default, all URLs) and sets the ID of the type of the parameter (default, ID of any type). The type IDs can be obtained with the view excludedParamTypes.

Parameters

Name In Type Required Description
name query string true none
type query string false none
url query string false none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionAddScanPolicy

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/ascan/action/addScanPolicy/?scanPolicyName=string' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/addScanPolicy/?scanPolicyName=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/addScanPolicy/', params={
  'scanPolicyName': 'string'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/addScanPolicy/

Parameters

Name In Type Required Description
scanPolicyName query string true none
alertThreshold query string false none
attackStrength query string false none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionClearExcludedFromScan

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ascan/action/clearExcludedFromScan/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/clearExcludedFromScan/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/clearExcludedFromScan/', headers = headers)

print(r.json())

GET /JSON/ascan/action/clearExcludedFromScan/

Clears the regexes of URLs excluded from the active scans.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionDisableAllScanners

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ascan/action/disableAllScanners/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/disableAllScanners/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/disableAllScanners/', headers = headers)

print(r.json())

GET /JSON/ascan/action/disableAllScanners/

Disables all scan rules of the scan policy with the given name, or the default if none given.

Parameters

Name In Type Required Description
scanPolicyName query string false none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionDisableScanners

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/ascan/action/disableScanners/?ids=string' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/disableScanners/?ids=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/disableScanners/', params={
  'ids': 'string'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/disableScanners/

Disables the scan rules with the given IDs (comma separated list of IDs) of the scan policy with the given name, or the default if none given.

Parameters

Name In Type Required Description
ids query string true none
scanPolicyName query string false none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionEnableAllScanners

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ascan/action/enableAllScanners/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/enableAllScanners/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/enableAllScanners/', headers = headers)

print(r.json())

GET /JSON/ascan/action/enableAllScanners/

Enables all scan rules of the scan policy with the given name, or the default if none given.

Parameters

Name In Type Required Description
scanPolicyName query string false none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionEnableScanners

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/ascan/action/enableScanners/?ids=string' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/enableScanners/?ids=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/enableScanners/', params={
  'ids': 'string'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/enableScanners/

Enables the scan rules with the given IDs (comma separated list of IDs) of the scan policy with the given name, or the default if none given.

Parameters

Name In Type Required Description
ids query string true none
scanPolicyName query string false none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionExcludeFromScan

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/ascan/action/excludeFromScan/?regex=string' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/excludeFromScan/?regex=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/excludeFromScan/', params={
  'regex': 'string'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/excludeFromScan/

Adds a regex of URLs that should be excluded from the active scans.

Parameters

Name In Type Required Description
regex query string true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionImportScanPolicy

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ascan/action/importScanPolicy/?path=string \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/importScanPolicy/?path=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/importScanPolicy/', params={
  'path': 'string'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/importScanPolicy/

Imports a Scan Policy using the given file system path.

Parameters

Name In Type Required Description
path query string true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionModifyExcludedParam

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ascan/action/modifyExcludedParam/?idx=string \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/modifyExcludedParam/?idx=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/modifyExcludedParam/', params={
  'idx': 'string'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/modifyExcludedParam/

Modifies a parameter excluded from the scan. The name, the URL and the type of the parameter can be modified. The parameter is selected by its index, which can be obtained with the view excludedParams.

Parameters

Name In Type Required Description
idx query string true none
name query string false none
type query string false none
url query string false none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionPause

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ascan/action/pause/?scanId=string \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/pause/?scanId=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/pause/', params={
  'scanId': 'string'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/pause/

Parameters

Name In Type Required Description
scanId query string true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionPauseAllScans

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ascan/action/pauseAllScans/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/pauseAllScans/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/pauseAllScans/', headers = headers)

print(r.json())

GET /JSON/ascan/action/pauseAllScans/

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionRemoveAllScans

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ascan/action/removeAllScans/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/removeAllScans/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/removeAllScans/', headers = headers)

print(r.json())

GET /JSON/ascan/action/removeAllScans/

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionRemoveExcludedParam

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ascan/action/removeExcludedParam/?idx=string \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/removeExcludedParam/?idx=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/removeExcludedParam/', params={
  'idx': 'string'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/removeExcludedParam/

Removes a parameter excluded from the scan, with the given index. The index can be obtained with the view excludedParams.

Parameters

Name In Type Required Description
idx query string true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionRemoveScan

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ascan/action/removeScan/?scanId=string \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/removeScan/?scanId=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/removeScan/', params={
  'scanId': 'string'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/removeScan/

Parameters

Name In Type Required Description
scanId query string true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionRemoveScanPolicy

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ascan/action/removeScanPolicy/?scanPolicyName=string \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/removeScanPolicy/?scanPolicyName=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/removeScanPolicy/', params={
  'scanPolicyName': 'string'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/removeScanPolicy/

Parameters

Name In Type Required Description
scanPolicyName query string true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionResume

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ascan/action/resume/?scanId=string \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/resume/?scanId=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/resume/', params={
  'scanId': 'string'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/resume/

Parameters

Name In Type Required Description
scanId query string true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionResumeAllScans

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ascan/action/resumeAllScans/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/resumeAllScans/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/resumeAllScans/', headers = headers)

print(r.json())

GET /JSON/ascan/action/resumeAllScans/

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionScan

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ascan/action/scan/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/scan/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/scan/', headers = headers)

print(r.json())

GET /JSON/ascan/action/scan/

Runs the active scanner against the given URL or Context. Optionally, the 'recurse' parameter can be used to scan URLs under the given URL; the 'inScopeOnly' parameter can be used to constrain the scan to URLs that are in scope (ignored if a Context is specified); the 'scanPolicyName' parameter specifies the scan policy (if none is given, the default scan policy is used); and the 'method' and 'postData' parameters select a given request in conjunction with the given URL.

Parameters

Name In Type Required Description
url query string false none
recurse query string false none
inScopeOnly query string false none
scanPolicyName query string false none
method query string false none
postData query string false none
contextId query string false none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson
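
The following is an added example, not part of the ZAP documentation or client libraries. It builds the excludeFromScan and scan requests described above only after checking the target against an allowlist. The allowlist, the helper names and the sample URLs are constructed, and whole-URL matching of exclusion regexes (using Python's regex dialect) is an assumption to confirm against your ZAP version.

```python
import re
from urllib.parse import urlencode, urlsplit

ZAP_BASE = "http://zap"  # placeholder API host used by this page's samples
ALLOWED_HOSTS = {"staging.example.test"}  # constructed allowlist (assumption)


def api_url(path, params):
    """Build a GET URL for a ZAP JSON endpoint, dropping parameters left as None."""
    query = urlencode({k: v for k, v in params.items() if v is not None})
    return ZAP_BASE + path + ("?" + query if query else "")


def preview_exclusions(regexes, urls):
    """Return {url: first regex matching the whole URL, or None if it stays in the scan}."""
    compiled = [(r, re.compile(r)) for r in regexes]  # raises re.error on a bad pattern
    return {u: next((r for r, c in compiled if c.fullmatch(u)), None) for u in urls}


def build_scan_plan(target, exclude_regexes=(), scan_policy_name=None,
                    recurse=True, in_scope_only=False, context_id=None,
                    method=None, post_data=None):
    """Return the ordered list of API URLs to call: exclusions first, then the scan."""
    parts = urlsplit(target)
    # Compare the parsed hostname, not a substring, so "allowed@other-host" is rejected.
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"target not in allowlist: {target!r}")
    if preview_exclusions(exclude_regexes, [target])[target] is not None:
        raise ValueError("an exclusion regex matches the scan target itself")

    plan = [api_url("/JSON/ascan/action/excludeFromScan/", {"regex": r})
            for r in exclude_regexes]
    plan.append(api_url("/JSON/ascan/action/scan/", {
        "url": target,
        "recurse": "true" if recurse else "false",
        # The page notes that inScopeOnly is ignored when a Context is specified,
        # so it is left out in that case rather than sent with no effect.
        "inScopeOnly": None if context_id is not None
        else ("true" if in_scope_only else "false"),
        "scanPolicyName": scan_policy_name,  # None means the default scan policy
        "method": method,
        "postData": post_data,
        "contextId": context_id,
    }))
    return plan


if __name__ == "__main__":
    # Constructed sample input: keep the logout URL out of the active scan.
    for url in build_scan_plan(
        "https://staging.example.test/app/",
        exclude_regexes=[r"https://staging\.example\.test/app/logout.*"],
        scan_policy_name="ci-policy",
    ):
        print(url)
```
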

ascanActionScanAsUser

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ascan/action/scanAsUser/ \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/scanAsUser/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/scanAsUser/', headers = headers)

print(r.json())

GET /JSON/ascan/action/scanAsUser/

Runs an active scan from the perspective of a User, obtained using the given Context ID and User ID. See the 'scan' action for more details.

Parameters

Name In Type Required Description
url query string false none
contextId query string false none
userId query string false none
recurse query string false none
scanPolicyName query string false none
method query string false none
postData query string false none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionSetEnabledPolicies

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setEnabledPolicies/?ids=string \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/setEnabledPolicies/?ids=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/setEnabledPolicies/', params={
  'ids': 'string'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/setEnabledPolicies/

Parameters

Name In Type Required Description
ids query string true none
scanPolicyName query string false none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionSetOptionAddQueryParam

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionAddQueryParam/?Boolean=true \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/setOptionAddQueryParam/?Boolean=true");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/setOptionAddQueryParam/', params={
  'Boolean': 'true'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/setOptionAddQueryParam/

Sets whether or not the active scanner should add a query param to GET requests which do not have parameters to start with.

Parameters

Name In Type Required Description
Boolean query boolean true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionSetOptionAllowAttackOnStart

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionAllowAttackOnStart/?Boolean=true \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/setOptionAllowAttackOnStart/?Boolean=true");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/setOptionAllowAttackOnStart/', params={
  'Boolean': 'true'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/setOptionAllowAttackOnStart/

Parameters

Name In Type Required Description
Boolean query boolean true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionSetOptionAttackPolicy

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionAttackPolicy/?String=string \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/setOptionAttackPolicy/?String=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/setOptionAttackPolicy/', params={
  'String': 'string'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/setOptionAttackPolicy/

Parameters

Name In Type Required Description
String query string true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionSetOptionDefaultPolicy

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionDefaultPolicy/?String=string \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/setOptionDefaultPolicy/?String=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/setOptionDefaultPolicy/', params={
  'String': 'string'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/setOptionDefaultPolicy/

Parameters

Name In Type Required Description
String query string true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionSetOptionDelayInMs

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionDelayInMs/?Integer=0 \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/setOptionDelayInMs/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/setOptionDelayInMs/', params={
  'Integer': '0'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/setOptionDelayInMs/

This option has been superseded. Use the API rate limit endpoints in the 'network' component instead.

Parameters

Name In Type Required Description
Integer query integer true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionSetOptionHandleAntiCSRFTokens

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionHandleAntiCSRFTokens/?Boolean=true \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/setOptionHandleAntiCSRFTokens/?Boolean=true");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/setOptionHandleAntiCSRFTokens/', params={
  'Boolean': 'true'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/setOptionHandleAntiCSRFTokens/

Parameters

Name In Type Required Description
Boolean query boolean true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionSetOptionHostPerScan

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionHostPerScan/?Integer=0 \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/setOptionHostPerScan/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/setOptionHostPerScan/', params={
  'Integer': '0'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/setOptionHostPerScan/

Parameters

Name In Type Required Description
Integer query integer true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionSetOptionInjectPluginIdInHeader

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionInjectPluginIdInHeader/?Boolean=true \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/setOptionInjectPluginIdInHeader/?Boolean=true");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/setOptionInjectPluginIdInHeader/', params={
  'Boolean': 'true'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/setOptionInjectPluginIdInHeader/

Sets whether or not the active scanner should inject the HTTP request header X-ZAP-Scan-ID, with the ID of the scan rule that's sending the requests.

Parameters

Name In Type Required Description
Boolean query boolean true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson
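
With this option enabled, requests reaching the target carry X-ZAP-Scan-ID, so server-side logs can be attributed to individual scan rules. The following is an added example, not part of the ZAP documentation. It assumes a JSON-lines request log that records request headers; the log format, field names and sample entries (including the rule IDs) are constructed.

```python
import json
from collections import defaultdict

HEADER = "x-zap-scan-id"  # header named on this page; HTTP header names are case-insensitive

# Constructed sample log: one JSON object per request, plus one truncated line.
SAMPLE_LOG = """
{"ts": "2024-01-01T10:00:00Z", "method": "GET", "path": "/search?q=a", "status": 200, "headers": {"X-ZAP-Scan-ID": "40012"}}
{"ts": "2024-01-01T10:00:01Z", "method": "GET", "path": "/search?q=b", "status": 500, "headers": {"x-zap-scan-id": "40018"}}
{"ts": "2024-01-01T10:00:02Z", "method": "POST", "path": "/login", "status": 200, "headers": {"X-ZAP-Scan-ID": "40018"}}
{"ts": "2024-01-01T10:00:03Z", "method": "GET", "path": "/search?q=b", "status": 500, "headers": {"X-ZAP-Scan-ID": "40018"}}
{"ts": "2024-01-01T10:00:04Z", "method": "GET", "path": "/health", "status": 200, "headers": {}}
{"ts": "2024-01-01T10:00:05Z", "method": "GET", "path": "/trunc
"""


def attribute_requests(log_text):
    """Group logged requests by the scan rule ID carried in X-ZAP-Scan-ID.

    Returns per-rule request counts, 5xx counts and distinct paths, plus the
    number of requests without the header and the number of unparseable lines.
    """
    per_rule = defaultdict(lambda: {"requests": 0, "server_errors": 0, "paths": set()})
    unattributed = 0
    malformed = 0

    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
            headers = {k.lower(): v for k, v in entry.get("headers", {}).items()}
        except (json.JSONDecodeError, AttributeError):
            malformed += 1  # truncated or non-object line: count it, do not guess
            continue

        rule_id = headers.get(HEADER)
        if rule_id is None:
            unattributed += 1  # not tagged by the scanner (e.g. other traffic)
            continue

        stats = per_rule[str(rule_id)]
        stats["requests"] += 1
        status = entry.get("status")
        if isinstance(status, int) and status >= 500:
            stats["server_errors"] += 1
        stats["paths"].add(entry.get("path", ""))

    return {
        "rules": {rid: {**s, "paths": sorted(s["paths"])} for rid, s in per_rule.items()},
        "unattributed": unattributed,
        "malformed": malformed,
    }


if __name__ == "__main__":
    print(json.dumps(attribute_requests(SAMPLE_LOG), indent=2))
```
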

ascanActionSetOptionMaxAlertsPerRule

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionMaxAlertsPerRule/?Integer=0 \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/setOptionMaxAlertsPerRule/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/setOptionMaxAlertsPerRule/', params={
  'Integer': '0'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/setOptionMaxAlertsPerRule/

Sets the maximum number of alerts that a rule can raise before being skipped.

Parameters

Name In Type Required Description
Integer query integer true The maximum alerts.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionSetOptionMaxChartTimeInMins

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionMaxChartTimeInMins/?Integer=0 \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/setOptionMaxChartTimeInMins/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/setOptionMaxChartTimeInMins/', params={
  'Integer': '0'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/setOptionMaxChartTimeInMins/

Parameters

Name In Type Required Description
Integer query integer true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionSetOptionMaxResultsToList

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionMaxResultsToList/?Integer=0 \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/setOptionMaxResultsToList/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/setOptionMaxResultsToList/', params={
  'Integer': '0'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/setOptionMaxResultsToList/

Parameters

Name In Type Required Description
Integer query integer true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionSetOptionMaxRuleDurationInMins

Code samples

# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionMaxRuleDurationInMins/?Integer=0 \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/setOptionMaxRuleDurationInMins/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/setOptionMaxRuleDurationInMins/', params={
  'Integer': '0'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/setOptionMaxRuleDurationInMins/

Parameters

Name In Type Required Description
Integer query integer true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionSetOptionMaxScanDurationInMins

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/ascan/action/setOptionMaxScanDurationInMins/?Integer=0' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/setOptionMaxScanDurationInMins/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/setOptionMaxScanDurationInMins/', params={
  'Integer': '0'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/setOptionMaxScanDurationInMins/

Parameters

Name In Type Required Description
Integer query integer true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionSetOptionMaxScansInUI

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/ascan/action/setOptionMaxScansInUI/?Integer=0' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/setOptionMaxScansInUI/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/setOptionMaxScansInUI/', params={
  'Integer': '0'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/setOptionMaxScansInUI/

Parameters

Name In Type Required Description
Integer query integer true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionSetOptionPromptInAttackMode

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/ascan/action/setOptionPromptInAttackMode/?Boolean=true' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/setOptionPromptInAttackMode/?Boolean=true");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/setOptionPromptInAttackMode/', params={
  'Boolean': 'true'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/setOptionPromptInAttackMode/

Parameters

Name In Type Required Description
Boolean query boolean true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionSetOptionPromptToClearFinishedScans

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/ascan/action/setOptionPromptToClearFinishedScans/?Boolean=true' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/setOptionPromptToClearFinishedScans/?Boolean=true");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/setOptionPromptToClearFinishedScans/', params={
  'Boolean': 'true'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/setOptionPromptToClearFinishedScans/

Parameters

Name In Type Required Description
Boolean query boolean true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionSetOptionRescanInAttackMode

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/ascan/action/setOptionRescanInAttackMode/?Boolean=true' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/setOptionRescanInAttackMode/?Boolean=true");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/setOptionRescanInAttackMode/', params={
  'Boolean': 'true'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/setOptionRescanInAttackMode/

Parameters

Name In Type Required Description
Boolean query boolean true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionSetOptionScanHeadersAllRequests

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/ascan/action/setOptionScanHeadersAllRequests/?Boolean=true' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/setOptionScanHeadersAllRequests/?Boolean=true");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/setOptionScanHeadersAllRequests/', params={
  'Boolean': 'true'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/setOptionScanHeadersAllRequests/

Sets whether or not the HTTP headers of all requests should be scanned, not just those of requests that send parameters through the query or request body.

Parameters

Name In Type Required Description
Boolean query boolean true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionSetOptionScanNullJsonValues

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/ascan/action/setOptionScanNullJsonValues/?Boolean=true' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/setOptionScanNullJsonValues/?Boolean=true");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/setOptionScanNullJsonValues/', params={
  'Boolean': 'true'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/setOptionScanNullJsonValues/

Sets whether or not the active scanner should scan null JSON values.

Parameters

Name In Type Required Description
Boolean query boolean true true to scan null values, false otherwise.

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson
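
The following is an added example, not part of the ZAP documentation: it builds the request URLs for several of the ascan option setters listed in this section, rejects mistyped values before they are sent, and recognises the ErrorJson shape (`code`, `message`, `detail`) in a response. The names `ASCAN_OPTIONS`, `build_request`, `error_from_response`, `apply_profile` and `constructed_send` are assumptions made for this example, and the response bodies in `constructed_send` are constructed.

```python
from urllib.parse import urlencode

ZAP_BASE = "http://zap"  # base URL used by the samples on this page

# Option setters from this section and the query parameter each one expects.
ASCAN_OPTIONS = {
    "setOptionMaxRuleDurationInMins": "Integer",
    "setOptionMaxScanDurationInMins": "Integer",
    "setOptionThreadPerHost": "Integer",
    "setOptionScanHeadersAllRequests": "Boolean",
    "setOptionScanNullJsonValues": "Boolean",
}

def build_request(action, value):
    """Return the GET URL for an ascan option setter, rejecting mistyped values."""
    kind = ASCAN_OPTIONS[action]  # KeyError for actions not listed above
    if kind == "Boolean":
        if not isinstance(value, bool):
            raise TypeError(f"{action} expects a bool, got {value!r}")
        encoded = "true" if value else "false"
    else:
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(value, bool) or not isinstance(value, int):
            raise TypeError(f"{action} expects an int, got {value!r}")
        encoded = str(value)
    return f"{ZAP_BASE}/JSON/ascan/action/{action}/?{urlencode({kind: encoded})}"

def error_from_response(body):
    """Return (code, message, detail) if body has the ErrorJson shape, else None."""
    if isinstance(body, dict) and {"code", "message"} <= body.keys():
        return body["code"], body["message"], body.get("detail")
    return None

def apply_profile(profile, send):
    """Apply each option through send(url) -> parsed JSON; return the failures."""
    failures = {}
    for action, value in profile.items():
        err = error_from_response(send(build_request(action, value)))
        if err:
            failures[action] = err
    return failures

def constructed_send(url):
    """Constructed stand-in for the HTTP call; it rejects the thread setting."""
    if "setOptionThreadPerHost" in url:
        return {"code": "constructed_error", "message": "constructed", "detail": "Integer"}
    return {"Result": "OK"}  # constructed non-error body
```

In a pipeline, `send` would wrap `requests.get(url, headers={'Accept': 'application/json'}).json()`, and a non-empty result from `apply_profile` should fail the job rather than let the scan run with unintended settings.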

ascanActionSetOptionShowAdvancedDialog

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/ascan/action/setOptionShowAdvancedDialog/?Boolean=true' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/setOptionShowAdvancedDialog/?Boolean=true");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/setOptionShowAdvancedDialog/', params={
  'Boolean': 'true'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/setOptionShowAdvancedDialog/

Parameters

Name In Type Required Description
Boolean query boolean true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionSetOptionTargetParamsEnabledRPC

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/ascan/action/setOptionTargetParamsEnabledRPC/?Integer=0' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/setOptionTargetParamsEnabledRPC/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/setOptionTargetParamsEnabledRPC/', params={
  'Integer': '0'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/setOptionTargetParamsEnabledRPC/

Parameters

Name In Type Required Description
Integer query integer true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionSetOptionTargetParamsInjectable

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/ascan/action/setOptionTargetParamsInjectable/?Integer=0' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/setOptionTargetParamsInjectable/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/setOptionTargetParamsInjectable/', params={
  'Integer': '0'
}, headers = headers)

print(r.json())

GET /JSON/ascan/action/setOptionTargetParamsInjectable/

Parameters

Name In Type Required Description
Integer query integer true none

Example responses

default Response

{
  "code": "string",
  "message": "string",
  "detail": "string"
}

Responses

Status Meaning Description Schema
default Default Error of JSON endpoints. ErrorJson

ascanActionSetOptionThreadPerHost

Code samples

# You can also use wget
curl -X GET 'http://zap/JSON/ascan/action/setOptionThreadPerHost/?Integer=0' \
  -H 'Accept: application/json'

URL obj = new URL("http://zap/JSON/ascan/action/setOptionThreadPerHost/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('http://zap/JSON/ascan/action/setOptionThreadPerHost/', params={
  'Integer': '0'
}, headers = headers)

pri