Introduction
Overview
Welcome to the ZAP API Documentation! The Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and lets you automatically find security vulnerabilities in your applications. ZAP also has an extremely powerful API that allows you to do nearly everything that is possible via the desktop interface. This allows developers to automate pentesting and security regression testing of the application in the CI/CD pipeline.
This document provides example guides & API definitions for ZAP APIs. You can view code examples in the dark area to the right; switch the programming language of the examples with the tabs on the top right. If anything is missing or seems incorrect, please check the FAQs or the GitHub issues for existing known issues. Also, if you are new to ZAP, then check out the getting started guide to learn the basic concepts behind ZAP.
An OpenAPI definition for the ZAP API is available in the main repository, which can be used to generate custom API clients. This definition is planned to be kept up to date for the latest core and add-on releases. Note that currently the definition does not declare the most appropriate types for the parameters and does not contain the responses.
The following are some of the features provided by ZAP:
- Intercepting Proxy
- Active and Passive Scanners
- Traditional and Ajax Spiders
- Brute Force Scanner
- Port Scanner
- Web Sockets
Have a look at the examples below to learn how to use each of these features via ZAP API.
Documentation Structure
The API documentation is divided into nine main sections.
- Introduction section contains introductory information of ZAP and installation guide to set up ZAP for testing.
- Exploring the App section contains examples on how to explore the web application.
- Attacking the App section contains examples on how to scan or attack a web application.
- Getting the Results section contains examples on how to retrieve alerts and generate Reports from ZAP.
- Getting Authenticated section contains examples on how to authenticate the web application with ZAP.
- Advanced Settings section contains advanced configurations on how to fine tune ZAP results.
- Contributions section contains guidelines and instructions on how to contribute to ZAP's documentation.
- API Catalogue section contains OpenAPI definitions and auto generated code for ZAP APIs.
- Troubleshooting section contains solutions for trouble shooting ZAP API related issues.
Basics on the API Request
ZAP APIs provide access to most of the core features of ZAP such as the active scanner and spider. The ZAP API is enabled by default in both daemon mode and desktop mode. If you are using the ZAP desktop, the API can be configured via the following screen:
Tools -> Options -> API
Please note that not all the operations which are available in the desktop interface are available via the APIs. Future versions of ZAP will increase the functionality/scope available via the APIs.
API URL Format
The API is available via GET and POST endpoints and the response is available in JSON, XML, HTML, and OTHER (custom formats, e.g. HAR) formats.
All the response formats return the same information, just in a different format. Based on the use case, choose the appropriate format.
For example, to generate easily readable reports use the HTML format, and use the XML/JSON responses when the results are parsed programmatically.
The following example shows the API URL format of ZAP:
http://zap/<format>/<component>/<operation>/<operation name>[/?<parameters>]
The format can be either JSON, XML or HTML. The operation can be either view, action or other. A view operation returns information and an action controls ZAP. For example, views can be used to generate reports or retrieve results and actions can be used to start or stop the Spider. The components, operation names and parameters can all be discovered by browsing the API Catalogue.
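The URL format above, as an added example written for this page (it is not code from the ZAP project or its client libraries): a small builder that assembles the `/<format>/<component>/<operation>/<operation name>/` path, URL-encodes the parameters so a target URL containing `&` cannot spill into a second parameter, and passes the API key in the `X-ZAP-API-Key` request header instead of the query string so it does not land in access logs. The listen address is an assumption.

```python
import json
import urllib.request
from urllib.parse import urlencode

# Assumed ZAP listen address; change to match your instance.
ZAP_BASE = 'http://localhost:8080'

FORMATS = ('JSON', 'XML', 'HTML', 'OTHER')
OP_TYPES = ('view', 'action', 'other')


def api_url(component, op_type, op_name, params=None, fmt='JSON', base=ZAP_BASE):
    """Build <base>/<format>/<component>/<optype>/<opname>/?<params>.

    Parameter values are URL-encoded, so a value containing '&', '#' or '='
    stays inside its own query parameter.
    """
    if fmt not in FORMATS:
        raise ValueError('unknown response format: %r' % fmt)
    if op_type not in OP_TYPES:
        raise ValueError('unknown operation type: %r' % op_type)
    url = '%s/%s/%s/%s/%s/' % (base, fmt, component, op_type, op_name)
    if params:
        url += '?' + urlencode(params)
    return url


def api_request(component, op_type, op_name, api_key, params=None,
                fmt='JSON', base=ZAP_BASE):
    """Build the request with the key in the X-ZAP-API-Key header rather than
    as an apikey= query parameter, so it is not written to request logs."""
    url = api_url(component, op_type, op_name, params, fmt, base)
    return urllib.request.Request(url, headers={'X-ZAP-API-Key': api_key})


def parse_scan_id(body):
    """Extract the scan id from a JSON action response such as {"scan":"0"}."""
    data = json.loads(body)
    if 'scan' not in data:
        raise RuntimeError('ZAP did not return a scan id: %r' % body)
    return data['scan']


if __name__ == '__main__':
    req = api_request('spider', 'action', 'scan', 'change-me',
                      {'url': 'https://public-firing-range.appspot.com', 'recurse': 'true'})
    print(req.full_url)
    # With a running ZAP: scan_id = parse_scan_id(urllib.request.urlopen(req).read())
    print(parse_scan_id(b'{"scan":"0"}'))
```

The builder rejects unknown formats and operation types early, which turns a typo in a script into an exception instead of an HTTP 404 that is easy to miss inside a polling loop.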
Access the API
The REST API can be accessed directly or via one of the client implementations detailed below.
A simple web UI is also available to explore and use the APIs via the browser. This web UI can be accessed via http://zap/ when you are proxying through ZAP, or via the host and port ZAP is listening on, e.g. http://localhost:8080/.
By default only the machine ZAP is running on is able to access the API. Other machines that can reach ZAP as a proxy can be granted access by adding their addresses to the permitted addresses list under Tools -> Options -> API. Keep that list as narrow as possible: anyone who can reach the API with the key can drive ZAP against any target ZAP itself can reach.
Client SDKs
API clients are available for the following languages:
Language | Download links | Notes |
---|---|---|
.NET | NuGet | Official API |
Java | GitHub Maven Central | Official API |
Node.js | NPM | Official API |
PHP | GitHub Packagist | In process of becoming an official API |
Python | PyPI | Official API |
Ruby | GitHub | |
Quick Setup Guide
The quick setup guide focuses on setting up ZAP and a testing application. If you have already setup ZAP then Jump to specific example to experiment with specific features.
Start ZAP
# For Linux, Option 1: "headless/daemon" mode
$ <ZAP_HOME>/zap.sh -daemon -config api.key=change-me-9203935709
# For Linux, Option 2: ZAP desktop app
$ <ZAP_HOME>/zap.sh
# For Windows, run the exe file or the zap.bat script to start ZAP
To install ZAP, go to ZAP's home page and download the installer specific to your operating system. After extracting the bundle you can start ZAP by issuing the command shown in the right column.
The API key must be specified on all API actions and some other operations. The API key is used to prevent malicious sites from accessing the ZAP API: without it, any page loaded in a browser that is proxying through ZAP could call the API. Use a long random value rather than the placeholder above. The key can be turned off with -config api.disablekey=true, but only do that on an isolated host, since it leaves the API open to anything that can reach the listen port.
Setup a Testing Application
If you already have a website to scan or to perform security testing on, obtain the URL/IP of the application to begin scanning. The example guide uses Google's Firing Range and OWASP Juice Shop to perform the security testing. The Spidering and Attacking examples use the public instance of the Firing Range, and OWASP Juice Shop is used to showcase the authentication examples of ZAP.
The following is a list of publicly available vulnerable applications that you can also use in conjunction with ZAP.
Getting Help
All available APIs are documented in the API Catalogue. If you are new to ZAP, it's highly recommended that you experiment with the desktop UI before trying out the APIs, because ZAP's APIs strongly resemble the desktop UI: by working with the UI you will get a good understanding of how to orchestrate ZAP's APIs. Also, use the export config functionality from the desktop UI to export complex configurations such as contexts, scan policies, etc. Then use the exported configurations when creating the automation scripts.
ZAP has a very friendly and active developer community. Always feel free to raise a question in the ZAP users forum or Stack Overflow for issues related to ZAP. Also, use the ZAP's GitHub repository to raise a bug report or to make any feature requests.
Stay tuned on twitter @zaproxy.
Exploring the App
In order to expose content and functionality for ZAP to test, the target application should be explored before performing any scan or attack. The more you explore your app the more accurate the results will be. If the application is not explored well, ZAP has fewer requests to scan and will find fewer of the vulnerabilities that are actually there.
The following are some of the options to explore the site by using ZAP. You can use multiple approaches in a combination to get more complete coverage of the application.
- Traditional Spider (Crawler): Use this approach to crawl the HTML resources (hyperlinks etc.) in the web application.
- Ajax Spider: Use this feature if the application relies heavily on Ajax calls.
- Proxy Regression / Unit Tests: This is the recommended approach for security regression testing. Use this approach to explore the application if you already have a test suite or unit tests in place that can be run through ZAP as a proxy.
- OpenAPI/SOAP Definition: Use this approach if you have a well defined OpenAPI definition. The OpenAPI plugin can be downloaded via the marketplace.
Using Spider
#!/usr/bin/env python
import time
from zapv2 import ZAPv2

# The URL of the application to be tested
target = 'https://public-firing-range.appspot.com'
# Change to match the API key set in ZAP, or use None if the API key is disabled
apiKey = 'changeMe'
# By default ZAP API client will connect to port 8080
zap = ZAPv2(apikey=apiKey)
# Use the line below if ZAP is not listening on port 8080, for example, if listening on port 8090
# zap = ZAPv2(apikey=apiKey, proxies={'http': 'http://127.0.0.1:8090', 'https': 'http://127.0.0.1:8090'})

print('Spidering target {}'.format(target))
# The scan returns a scan id to support concurrent scanning
scanID = zap.spider.scan(target)
while int(zap.spider.status(scanID)) < 100:
    # Poll the status until it completes
    print('Spider progress %: {}'.format(zap.spider.status(scanID)))
    time.sleep(1)

print('Spider has completed!')
# Prints the URLs the spider has crawled
print('\n'.join(map(str, zap.spider.results(scanID))))
# If required post process the spider results
# TODO: Explore the Application more with Ajax Spider or Start scanning the application for vulnerabilities
import java.util.List;
import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ApiResponseList;
import org.zaproxy.clientapi.core.ClientApi;

public class Spider {
    private static final String ZAP_ADDRESS = "localhost";
    private static final int ZAP_PORT = 8080;
    // Change to match the API key set in ZAP, or use null if the API key is disabled
    private static final String ZAP_API_KEY = "change me";
    // The URL of the application to be tested
    private static final String TARGET = "https://public-firing-range.appspot.com";

    public static void main(String[] args) {
        ClientApi api = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);
        try {
            // Start spidering the target
            System.out.println("Spidering target : " + TARGET);
            // Parameters: url, maxChildren, recurse, contextName, subtreeOnly
            ApiResponse resp = api.spider.scan(TARGET, null, null, null, null);
            String scanID;
            int progress;
            // The scan returns a scan id to support concurrent scanning
            scanID = ((ApiResponseElement) resp).getValue();
            // Poll the status until it completes
            while (true) {
                Thread.sleep(1000);
                progress = Integer.parseInt(((ApiResponseElement) api.spider.status(scanID)).getValue());
                System.out.println("Spider progress : " + progress + "%");
                if (progress >= 100) {
                    break;
                }
            }
            System.out.println("Spider completed");
            // If required post process the spider results
            List<ApiResponse> spiderResults = ((ApiResponseList) api.spider.results(scanID)).getItems();
            // TODO: Explore the Application more with Ajax Spider or Start scanning the application for vulnerabilities
        } catch (Exception e) {
            System.out.println("Exception : " + e.getMessage());
            e.printStackTrace();
        }
    }
}
# To start the Spider scan (Response: Scan ID). Modify the API Key and URL to suite the target
$ curl "http://localhost:8080/JSON/spider/action/scan/?apikey=<ZAP_API_KEY>&url=https://public-firing-range.appspot.com&contextName=&recurse="
# To view the scan status/ percentage of work done
$ curl "http://localhost:8080/JSON/spider/view/status/?apikey=<ZAP_API_KEY>&scanId=<SCAN_ID>"
# To view the scan results
$ curl "http://localhost:8080/JSON/spider/view/results/?apikey=<ZAP_API_KEY>&scanId=<SCAN_ID>"
# To stop the scanning
$ curl "http://localhost:8080/JSON/spider/action/stop/?apikey=<ZAP_API_KEY>&scanId=<SCAN_ID>"
# To pause the scanning
$ curl "http://localhost:8080/JSON/spider/action/pause/?apikey=<ZAP_API_KEY>&scanId=<SCAN_ID>"
# To resume the scanning
$ curl "http://localhost:8080/JSON/spider/action/resume/?apikey=<ZAP_API_KEY>&scanId=<SCAN_ID>"
The Spider is a tool that is used to automatically discover new resources (URLs) on a particular site. It begins with a list of URLs to visit, called the seeds, which depends on how the Spider is started. The Spider then visits these URLs, identifies all the hyperlinks in each page and adds them to the list of URLs to visit, and the process continues recursively as long as new resources are found. Each response type is processed differently in ZAP. All the available endpoints for the spider can be found in the spider section of the API Catalogue.
Start the Spider
The Spiders explore the site and don't actually do any scanning. The resources crawled by the Spider(s) are passively scanned in the background via the Passive Scanner. The scan API runs the spider against the given URL. Optionally, the 'maxChildren' parameter can be set to limit the number of children crawled, and 'recurse' can be set to false to stop the spider from following links recursively from the seed. The parameter 'subtreeOnly' restricts the spider to the subtree under the specified 'url'. The parameter 'contextName' can be used to constrain the scan to a Context, which is also the way to keep the spider off logout pages and out-of-scope hosts. View the context example to understand how to create a context with the ZAP API.
The code sample on the right recursively scans the application with the provided URL. The scan ID is returned as a response when starting the Spider. Use this scan ID to perform any additional actions or to retrieve any views from the Spider API.
View Status
The spider scan is an asynchronous request and the time to complete the task will vary depending on the complexity of the web application. The scan ID returned when starting the spider should be used to obtain the results of the crawl. Execute the status API to get the percentage of work done by the Spider.
View Spider Results
The results of the crawling can be obtained via the results API. The following image shows the JSON sample response provided by the results API, listing all the resources crawled by Spider.
Stop or Pause the Spider
If the crawl takes more time than expected you can stop or pause it using the stop or pause APIs. Additional APIs are available in the API Catalogue to pause, resume or stop all running spider scans at once.
The advanced section on Spider contains more examples on how to tweak/improve the Spider results.
Using Ajax Spider
#!/usr/bin/env python
import time
from zapv2 import ZAPv2

# The URL of the application to be tested
target = 'https://public-firing-range.appspot.com'
# Change to match the API key set in ZAP, or use None if the API key is disabled
apiKey = 'changeme'
# By default ZAP API client will connect to port 8080
zap = ZAPv2(apikey=apiKey)
# Use the line below if ZAP is not listening on port 8080, for example, if listening on port 8090
# zap = ZAPv2(apikey=apiKey, proxies={'http': 'http://127.0.0.1:8090', 'https': 'http://127.0.0.1:8090'})

print('Ajax Spider target {}'.format(target))
# Unlike the traditional spider, the Ajax Spider does not return a scan id
zap.ajaxSpider.scan(target)
timeout = time.time() + 60*2  # 2 minutes from now
# Loop until the ajax spider has finished or the timeout has exceeded
while zap.ajaxSpider.status == 'running':
    if time.time() > timeout:
        # Stop the crawl rather than leaving it running in the background
        zap.ajaxSpider.stop()
        break
    print('Ajax Spider status: ' + zap.ajaxSpider.status)
    time.sleep(2)

print('Ajax Spider completed')
ajaxResults = zap.ajaxSpider.results(start=0, count=10)
# If required perform additional operations with the Ajax Spider results
# TODO: Start scanning the application to find vulnerabilities
import java.util.List;
import java.util.concurrent.TimeUnit;
import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ApiResponseList;
import org.zaproxy.clientapi.core.ClientApi;

public class AjaxSpider {
    private static final int ZAP_PORT = 8080;
    // Change to match the API key set in ZAP, or use null if the API key is disabled
    private static final String ZAP_API_KEY = null;
    private static final String ZAP_ADDRESS = "localhost";
    private static final String TARGET = "https://public-firing-range.appspot.com";

    public static void main(String[] args) {
        // Create the ZAP Client
        ClientApi api = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);
        try {
            // Start spidering the target
            System.out.println("Ajax Spider target : " + TARGET);
            // Parameters: url, inScope, contextName, subtreeOnly
            ApiResponse resp = api.ajaxSpider.scan(TARGET, null, null, null);
            String status;
            long startTime = System.currentTimeMillis();
            long timeout = TimeUnit.MINUTES.toMillis(2); // Two minutes in milliseconds
            // Loop until the ajax spider has finished ("stopped") or the timeout has been exceeded
            while (true) {
                Thread.sleep(2000);
                status = ((ApiResponseElement) api.ajaxSpider.status()).getValue();
                System.out.println("Spider status : " + status);
                if ("stopped".equals(status)) {
                    break;
                }
                if ((System.currentTimeMillis() - startTime) > timeout) {
                    // Stop the crawl rather than leaving it running in the background
                    api.ajaxSpider.stop();
                    break;
                }
            }
            System.out.println("Ajax Spider completed");
            // Perform additional operations with the Ajax Spider results
            List<ApiResponse> ajaxSpiderResponse = ((ApiResponseList) api.ajaxSpider.results("0", "10")).getItems();
            // TODO: Start scanning(passive/active scan) the application to find vulnerabilities
        } catch (Exception e) {
            System.out.println("Exception : " + e.getMessage());
            e.printStackTrace();
        }
    }
}
# To start the Ajax Spider
$ curl "http://localhost:8080/JSON/ajaxSpider/action/scan/?apikey=<ZAP_API_KEY>&url=<URL>&inScope=&contextName=&subtreeOnly="
# To view the status
$ curl "http://localhost:8080/JSON/ajaxSpider/view/status/?apikey=<ZAP_API_KEY>"
# To view the number of results
$ curl "http://localhost:8080/JSON/ajaxSpider/view/numberOfResults/?apikey=<ZAP_API_KEY>"
# To view the results
$ curl "http://localhost:8080/JSON/ajaxSpider/view/fullResults/?apikey=<ZAP_API_KEY>"
# To stop the Ajax Spider
$ curl "http://localhost:8080/JSON/ajaxSpider/action/stop/?apikey=<ZAP_API_KEY>"
Use the Ajax Spider if you have applications which depend heavily on Ajax or JavaScript. The Ajax Spider drives a real browser, so it can crawl web applications written in Ajax in far more depth than the traditional Spider. You should also use the traditional Spider for complete coverage of an application (e.g. to cover HTML comments).
Start Ajax Spider
The scan API starts the Ajax Spider from a given URL. Similar to the Traditional Spider, the Ajax Spider can also be limited to a context or scope. The parameter 'contextName' can be used to constrain the crawl to a Context; the option 'inScope' is ignored if a context was also specified. The parameter 'subtreeOnly' restricts the spider to the subtree under the specified 'url'.
View Status
Unlike the traditional Spider, Ajax Spider does not provide a percentage for the work to be done. Use the status endpoint to identify whether the Ajax Spider is still active or finished.
View Results
Similar to the Traditional Spider, the Ajax Spider's results API can be used to view the resources which are crawled by the Ajax Spider. The following image shows a sample response given by the API.
Stop the Ajax Spider
The Ajax Spider has no indication of how many resources are left to be crawled. Therefore if it takes more time than expected, it can be stopped using the stop API; a script that polls the status should always carry its own timeout and call stop when it fires.
View the advanced section on Ajax Spider to learn more about how to further fine-tune the results of the Ajax Spider.
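The polling loops in the Spider and Ajax Spider sections above differ only in how "done" is detected (a percentage for the traditional spider and active scanner, the string 'running' for the Ajax Spider) and in whether they have a timeout. The helper below, an added example written for this page rather than code from the ZAP project or the zapv2 client, factors that into one loop that always enforces a deadline and stops the runaway scan when the deadline passes. The clock and sleep functions are injectable so the loop can be exercised without a running ZAP; the `__main__` section assumes a ZAP on the default port with the API key 'change-me'.

```python
import time


def wait_for_scan(get_status, is_done, timeout_s, interval_s=2.0,
                  on_timeout=None, sleep=time.sleep, clock=time.monotonic):
    """Poll get_status() until is_done(status) or the deadline passes.

    Returns (last_status, finished). When the deadline passes, on_timeout()
    is called first so the caller can stop the scan that is still running.
    """
    deadline = clock() + timeout_s
    while True:
        status = get_status()
        if is_done(status):
            return status, True
        if clock() >= deadline:
            if on_timeout is not None:
                on_timeout()
            return status, False
        sleep(interval_s)


def percent_complete(status):
    """Traditional spider and active scanner: status is a percentage string."""
    return int(status) >= 100


def ajax_finished(status):
    """Ajax spider: status is 'running' while it crawls; anything else is final."""
    return status != 'running'


if __name__ == '__main__':
    from zapv2 import ZAPv2
    zap = ZAPv2(apikey='change-me')  # assumed key and default port 8080
    target = 'https://public-firing-range.appspot.com'

    scan_id = zap.spider.scan(target)
    status, finished = wait_for_scan(lambda: zap.spider.status(scan_id), percent_complete,
                                     timeout_s=600, interval_s=2,
                                     on_timeout=lambda: zap.spider.stop(scan_id))
    print('spider finished' if finished else 'spider stopped at %s%% after timeout' % status)

    zap.ajaxSpider.scan(target)
    status, finished = wait_for_scan(lambda: zap.ajaxSpider.status, ajax_finished,
                                     timeout_s=120, interval_s=2,
                                     on_timeout=zap.ajaxSpider.stop)
    print('ajax spider status: %s' % status)
```

The same helper serves the active scanner with `zap.ascan.status(scan_id)` and `percent_complete`; the point of stopping on timeout is that a CI job which is killed from the outside leaves the scan running inside ZAP, still sending traffic at the target.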
Attacking the App
The application should be explored before starting to scan for security vulnerabilities. If you haven't done that look at the explore section on how to explore the web application. The following section provides examples on how to use the Passive and Active Scanner to find security vulnerabilities in the application.
Using Passive Scan
import java.nio.charset.StandardCharsets;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;

public class PassiveScan {
    private static final int ZAP_PORT = 8080;
    // Change to match the API key set in ZAP, or use null if the API key is disabled
    private static final String ZAP_API_KEY = null;
    private static final String ZAP_ADDRESS = "localhost";

    public static void main(String[] args) {
        ClientApi api = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);
        int numberOfRecords;
        try {
            // TODO : explore the app (Spider, etc) before using the Passive Scan API, Refer the explore section for details
            // Loop until the passive scan has finished
            while (true) {
                Thread.sleep(2000);
                numberOfRecords = Integer.parseInt(((ApiResponseElement) api.pscan.recordsToScan()).getValue());
                System.out.println("Number of records left for scanning : " + numberOfRecords);
                if (numberOfRecords == 0) {
                    break;
                }
            }
            System.out.println("Passive Scan completed");
            // Print Passive scan results/alerts
            System.out.println("Alerts:");
            System.out.println(new String(api.core.xmlreport(), StandardCharsets.UTF_8));
        } catch (Exception e) {
            System.out.println("Exception : " + e.getMessage());
            e.printStackTrace();
        }
    }
}
#!/usr/bin/env python
import time
from pprint import pprint
from zapv2 import ZAPv2

apiKey = 'changeme'
target = 'https://public-firing-range.appspot.com'
zap = ZAPv2(apikey=apiKey, proxies={'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'})

# TODO : explore the app (Spider, etc) before using the Passive Scan API, Refer the explore section for details
while int(zap.pscan.records_to_scan) > 0:
    # Loop until the passive scan has finished
    print('Records to passive scan : ' + zap.pscan.records_to_scan)
    time.sleep(2)

print('Passive Scan completed')
# Print Passive scan results/alerts
print('Hosts: {}'.format(', '.join(zap.core.hosts)))
print('Alerts: ')
pprint(zap.core.alerts())
# To view the number of records left to be scanned
$ curl "http://localhost:8080/JSON/pscan/view/recordsToScan/?apikey=<ZAP_API_KEY>"
# To view the alerts of passive scan
$ curl "http://localhost:8080/JSON/core/view/alerts/?apikey=<ZAP_API_KEY>&baseurl=<TARGET_URL>&start=0&count=10"
All requests that are proxied through ZAP or initiated by tools like the Spider are passively scanned. You do not have to manually start the passive scan process; by default ZAP passively scans all HTTP and WebSocket messages (requests and responses) which are sent to the application.
Passive scanning does not change the requests nor the responses in any way and is therefore safe to use. This is good for finding problems like missing security headers or missing anti-CSRF tokens but is no good for finding vulnerabilities like XSS which require malicious requests to be sent; that is the job of the active scanner.
View the Status
Passive scanning runs in the background, so the records queued up by a crawl take additional time to process after the crawl itself has finished. After the crawling is completed use the recordsToScan API to obtain the number of records left to be scanned, and treat the passive scan as complete only when that number reaches zero; reading the alerts earlier silently misses findings. After the scanning has completed the alerts can be obtained via the alerts endpoint(s).
View the advanced section to know how to configure additional parameters of Passive Scan.
Using Active Scan
Active scanning attempts to find potential vulnerabilities by using known attacks against the selected targets. Active scanning is an attack on those targets. You should NOT use it on applications that you do not have permission to test.
Start Active Scanner
import java.nio.charset.StandardCharsets;
import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;

public class ActiveScan {
    private static final int ZAP_PORT = 8080;
    // Change to match the API key set in ZAP, or use null if the API key is disabled
    private static final String ZAP_API_KEY = null;
    private static final String ZAP_ADDRESS = "localhost";
    private static final String TARGET = "https://public-firing-range.appspot.com";

    public static void main(String[] args) {
        ClientApi api = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);
        try {
            // TODO : explore the app (Spider, etc) before using the Active Scan API, Refer the explore section
            System.out.println("Active Scanning target : " + TARGET);
            // Parameters: url, recurse, inScopeOnly, scanPolicyName, method, postData
            ApiResponse resp = api.ascan.scan(TARGET, "True", "False", null, null, null);
            String scanid;
            int progress;
            // The scan returns a scan id to support concurrent scanning
            scanid = ((ApiResponseElement) resp).getValue();
            // Poll the status until it completes
            while (true) {
                Thread.sleep(5000);
                progress = Integer.parseInt(((ApiResponseElement) api.ascan.status(scanid)).getValue());
                System.out.println("Active Scan progress : " + progress + "%");
                if (progress >= 100) {
                    break;
                }
            }
            System.out.println("Active Scan complete");
            // Print vulnerabilities found by the scanning
            System.out.println("Alerts:");
            System.out.println(new String(api.core.xmlreport(), StandardCharsets.UTF_8));
        } catch (Exception e) {
            System.out.println("Exception : " + e.getMessage());
            e.printStackTrace();
        }
    }
}
#!/usr/bin/env python
import time
from pprint import pprint
from zapv2 import ZAPv2

apiKey = 'changeme'
target = 'https://public-firing-range.appspot.com'
zap = ZAPv2(apikey=apiKey, proxies={'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'})

# TODO : explore the app (Spider, etc) before using the Active Scan API, Refer the explore section
print('Active Scanning target {}'.format(target))
scanID = zap.ascan.scan(target)
while int(zap.ascan.status(scanID)) < 100:
    # Loop until the scanner has finished
    print('Scan progress %: {}'.format(zap.ascan.status(scanID)))
    time.sleep(5)

print('Active Scan completed')
# Print vulnerabilities found by the scanning
print('Hosts: {}'.format(', '.join(zap.core.hosts)))
print('Alerts: ')
pprint(zap.core.alerts(baseurl=target))
# To start the the active scan
$ curl "http://localhost:8080/JSON/ascan/action/scan/?apikey=<ZAP_API_KEY>&url=<TARGET_URL>&recurse=true&inScopeOnly=&scanPolicyName=&method=&postData=&contextId="
# To view the status of the active scan
$ curl "http://localhost:8080/JSON/ascan/view/status/?apikey=<ZAP_API_KEY>&scanId=<SCAN_ID>"
# To view the alerts of active scan
$ curl "http://localhost:8080/JSON/core/view/alerts/?apikey=<ZAP_API_KEY>&baseurl=<TARGET_URL>&start=0&count=10"
# To stop the active scan
$ curl "http://localhost:8080/JSON/ascan/action/stop/?apikey=<ZAP_API_KEY>&scanId=<SCAN_ID>"
The scan endpoint runs the active scanner against the given URL or Context. Optionally, the 'recurse' parameter can be used to scan URLs under the given URL, and the parameter 'inScopeOnly' can be used to constrain the scan to URLs that are in scope (ignored if a Context is specified). The parameter 'scanPolicyName' specifies the scan policy (if none is given the default scan policy is used). The parameters 'method' and 'postData' select a specific request (for example a particular POST body) in conjunction with the given URL.
View advanced settings to learn, how to configure the context, scope, and scan policy with ZAP APIs.
View Status
The status API provides the percentage of scanning done by the active scanner. The scan ID returned via starting the Active Scan should be used to query the status of the scanner.
View Results
Similar to the passive scan results, the active scan results can be viewed using the same alerts endpoint(s). The alerts endpoint(s) will show the consolidated results of Passive and Active Scan.
Stop Active Scanning
Use the stop API to stop a long running active scan. The pause and resume endpoints pause and resume a scan by ID, and the stopAllScans endpoint stops every running active scan at once.
It should be noted that active scanning can only find certain types of vulnerabilities. Logical vulnerabilities, such as broken access control, will not be found by any active or automated vulnerability scanning. Manual penetration testing should always be performed in addition to active scanning to find all types of vulnerabilities.
Getting the Results
#!/usr/bin/env python
from zapv2 import ZAPv2

# The URL of the application to be tested
target = 'https://public-firing-range.appspot.com'
# Change to match the API key set in ZAP, or use None if the API key is disabled
apiKey = 'changeMe'
# By default ZAP API client will connect to port 8080
zap = ZAPv2(apikey=apiKey)
# Use the line below if ZAP is not listening on port 8080, for example, if listening on port 8090
# zap = ZAPv2(apikey=apiKey, proxies={'http': 'http://127.0.0.1:8090', 'https': 'http://127.0.0.1:8090'})

# TODO: Check if the scanning has completed
# Retrieve the alerts using paging in case there are lots of them
st = 0
pg = 5000
alert_count = 0
# Plugin IDs to skip; ZAP returns pluginId as a string, so compare as strings
blacklist = ['1', '2']
alerts = zap.alert.alerts(baseurl=target, start=st, count=pg)
while len(alerts) > 0:
    print('Reading ' + str(pg) + ' alerts from ' + str(st))
    alert_count += len(alerts)
    for alert in alerts:
        plugin_id = alert.get('pluginId')
        if plugin_id in blacklist:
            continue
        if alert.get('risk') == 'High':
            # Trigger any relevant postprocessing
            continue
        if alert.get('risk') == 'Informational':
            # Ignore all info alerts - some of them may have been downgraded by security annotations
            continue
    st += pg
    # Keep the same baseurl filter on every page, otherwise the pages do not line up
    alerts = zap.alert.alerts(baseurl=target, start=st, count=pg)

print('Total number of alerts: ' + str(alert_count))
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseList;
import org.zaproxy.clientapi.core.ApiResponseSet;
import org.zaproxy.clientapi.core.ClientApi;

public class Alerts {
    private static final String ZAP_ADDRESS = "localhost";
    private static final int ZAP_PORT = 8080;
    // Change to match the API key set in ZAP, or use null if the API key is disabled
    private static final String ZAP_API_KEY = "change me";
    // The URL of the application to be tested
    private static final String TARGET = "https://public-firing-range.appspot.com";
    // Plugin IDs to skip; ZAP returns pluginId as a string
    private static List<String> blackListPlugins = Arrays.asList("1000", "1025");

    public static void main(String[] args) {
        ClientApi api = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);
        try {
            // TODO: Check if the scanning has completed
            // Retrieve the alerts using paging in case there are lots of them
            int start = 0;
            int count = 5000;
            int alertCount = 0;
            // Parameters: baseurl, start, count, riskId
            ApiResponse resp = api.alert.alerts(TARGET, String.valueOf(start), String.valueOf(count), null);
            while (((ApiResponseList) resp).getItems().size() != 0) {
                System.out.println("Reading " + count + " alerts from " + start);
                alertCount += ((ApiResponseList) resp).getItems().size();
                for (ApiResponse l : (((ApiResponseList) resp).getItems())) {
                    Map<String, ApiResponse> element = ((ApiResponseSet) l).getValuesMap();
                    if (blackListPlugins.contains(element.get("pluginId").toString())) {
                        // TODO: Trigger any relevant postprocessing
                    } else if ("High".equals(element.get("risk").toString())) {
                        // TODO: Trigger any relevant postprocessing
                    } else if ("Informational".equals(element.get("risk").toString())) {
                        // TODO: Ignore all info alerts - some of them may have been downgraded by security annotations
                    }
                }
                start += count;
                resp = api.alert.alerts(TARGET, String.valueOf(start), String.valueOf(count), null);
            }
            System.out.println("Total number of Alerts: " + alertCount);
        } catch (Exception e) {
            System.out.println("Exception : " + e.getMessage());
            e.printStackTrace();
        }
    }
}
# To view the alerts
$ curl "http://localhost:8080/JSON/alert/view/alerts/?apikey=<ZAP_API_KEY>&baseurl=<BASE_URL>&start=0&count=5000&riskId="
# To view the summary of the alerts
$ curl "http://localhost:8080/JSON/alert/view/alertsSummary/?apikey=<ZAP_API_KEY>&baseurl=<BASE_URL>"
# To view alerts by risk category
$ curl "http://localhost:8080/JSON/alert/view/alertsByRisk/?apikey=<ZAP_API_KEY>&url=<BASE_URL>&recurse="
After the scanning (active/passive) completes, ZAP provides the security vulnerabilities in the form of alerts. The alerts are categorized into high, medium, low and informational risk. The risk level indicates the severity associated with each alert: a high risk alert has more threat potential than a medium risk one. Each alert also carries a confidence level, which is worth checking alongside the risk before acting on alerts automatically.
The alerts endpoint provides all the alerts which are identified by ZAP. View the sample code on the right to retrieve the alerts from the alerts endpoint. The results can be used to raise security alerts in the CI/CD pipeline or to trigger any custom workflows.
The alertsSummary endpoint gets the number of alerts grouped by each risk level, optionally filtered by URL. A summary report can also be generated using the core module: use the htmlreport, jsonreport or xmlreport endpoint to generate it. The following image shows the report generated via the HTML report API. The report categorises the alerts by risk level and provides a brief description of each alert.
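The alerts code on the right pages through the results and leaves the "raise security alerts in the CI/CD pipeline" step as a TODO. The following is an added example written for this page (not code from the ZAP project or the zapv2 client) of that step: it pages through the alerts endpoint with a fixed baseurl filter, drops plugin IDs on an ignore list and alerts marked as false positives, deduplicates by rule and URL, and fails the build at a chosen risk level. The sample alerts are constructed to mirror the shape of the alert/view/alerts JSON (note that pluginId is a string there); `pager_for` is an offline stand-in for `zap.alert.alerts`, and with a live ZAP you would pass `zap.alert.alerts` itself.

```python
RISK_ORDER = {'Informational': 0, 'Low': 1, 'Medium': 2, 'High': 3}

BASE = 'https://public-firing-range.appspot.com'

# Constructed sample in the shape of alert/view/alerts output (plugin ids are strings).
SAMPLE_ALERTS = [
    {'pluginId': '40012', 'name': 'Cross Site Scripting (Reflected)', 'risk': 'High',
     'confidence': 'Medium', 'method': 'GET', 'url': BASE + '/reflected/parameter/body?q=a'},
    {'pluginId': '40012', 'name': 'Cross Site Scripting (Reflected)', 'risk': 'High',
     'confidence': 'Medium', 'method': 'POST', 'url': BASE + '/reflected/parameter/body?q=a'},
    {'pluginId': '10038', 'name': 'Content Security Policy (CSP) Header Not Set', 'risk': 'Medium',
     'confidence': 'High', 'method': 'GET', 'url': BASE + '/'},
    {'pluginId': '10021', 'name': 'X-Content-Type-Options Header Missing', 'risk': 'Low',
     'confidence': 'Medium', 'method': 'GET', 'url': BASE + '/'},
    {'pluginId': '10015', 'name': 'Re-examine Cache-control Directives', 'risk': 'Informational',
     'confidence': 'Low', 'method': 'GET', 'url': BASE + '/'},
    {'pluginId': '10096', 'name': 'Timestamp Disclosure', 'risk': 'Low',
     'confidence': 'False Positive', 'method': 'GET', 'url': BASE + '/'},
]


def pager_for(alerts):
    """Offline stand-in for zap.alert.alerts(baseurl=, start=, count=)."""
    def fetch_page(baseurl, start, count):
        return [a for a in alerts[start:start + count] if a['url'].startswith(baseurl)]
    return fetch_page


def fetch_all_alerts(fetch_page, baseurl, page_size=5000):
    """Page through the alerts endpoint, keeping the same baseurl on every page."""
    alerts, start = [], 0
    while True:
        page = fetch_page(baseurl=baseurl, start=start, count=page_size)
        if not page:
            return alerts
        alerts.extend(page)
        start += page_size


def gate_alerts(alerts, fail_at='Medium', ignored_plugins=()):
    """Decide whether a pipeline run should fail.

    Returns {'passed': bool, 'counts': {risk: n}, 'failing': [(pluginId, name, url)]}.
    Alerts whose confidence is 'False Positive' (e.g. marked so in ZAP) are skipped,
    and the same rule on the same URL is reported once even if ZAP raised it twice.
    """
    ignored = {str(p) for p in ignored_plugins}
    counts = {risk: 0 for risk in RISK_ORDER}
    failing, seen = [], set()
    for alert in alerts:
        if str(alert.get('pluginId')) in ignored:
            continue
        if alert.get('confidence') == 'False Positive':
            continue
        risk = alert.get('risk', 'Informational')
        counts[risk] = counts.get(risk, 0) + 1
        if RISK_ORDER.get(risk, 0) >= RISK_ORDER[fail_at]:
            key = (str(alert.get('pluginId')), alert.get('name'), alert.get('url'))
            if key not in seen:
                seen.add(key)
                failing.append(key)
    return {'passed': not failing, 'counts': counts, 'failing': failing}


if __name__ == '__main__':
    found = fetch_all_alerts(pager_for(SAMPLE_ALERTS), BASE, page_size=2)
    verdict = gate_alerts(found, fail_at='Medium', ignored_plugins=['10038'])
    print(verdict['counts'])
    for plugin_id, name, url in verdict['failing']:
        print('FAIL %s %s at %s' % (plugin_id, name, url))
    raise SystemExit(0 if verdict['passed'] else 1)
```

Keep the ignore list short and reviewed: every entry is a rule the pipeline will never enforce again, and an integer in the list would never match because the API returns string IDs, which is why the function normalises both sides with `str`.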
Getting Authenticated
The target application for testing might have a portion of the functionality that is only available for a logged-in user. In order to get full test coverage of the application you need to test the application with a logged-in user as well. Therefore it's very important to understand how to perform authenticated scans with ZAP. ZAP has several means to authenticate your application and keep track of the authentication state. The following are some of the options available for authentication with ZAP.
- Form-based authentication
- Script-based authentication
- JSON-based authentication
- HTTP/NTLM based authentication
The examples below show three authentication workflows. A simple form-based authentication is showcased with the Bodgeit application. The second example shows script-based authentication using the Damn Vulnerable Web Application (DVWA). The third example shows a more complicated authentication workflow using JSON-based and script-based authentication with the OWASP Juice Shop.
General Steps
The following are the general steps when configuring the application authentication with ZAP.
Step 1. Define a context
Contexts are a way of relating a set of URLs together. The URLs are defined as a set of regular expressions (regex). You should include the target application inside the context. The unwanted URLs such as the logout page, password change functionality should be added to the exclude in context section.
Step 2. Set the authentication mechanism
Choose the appropriate login mechanism for your application. If your application supports a simple form-based login, then choose the form-based authentication method. For complex login workflows, you can use the script-based login to define custom authentication workflows.
Step 3. Define your auth parameters
You need to provide the settings for how ZAP communicates with the authentication service of your application, typically the login URL and the payload format (username & password). The required parameters differ between authentication methods.
Step 4. Set relevant logged in/out indicators
ZAP additionally needs hints to identify whether the application is authenticated or not. To verify the authentication status, ZAP supports logged in/out regexes. These are regex patterns that you should configure to match strings in the responses which indicate if the user is logged in or logged out.
Step 5. Add a valid user and password
Add a user account (an existing user in your application) with valid credentials in ZAP. You can create multiple users if your application exposes different functionality based on user roles. Additionally, you should also set valid session management when configuring the authentication for your application. Currently, ZAP supports cookie-based session management and HTTP authentication based session management.
Step 6. Enable forced user mode (Optional)
Now enable the "Forced User Mode disabled - click to enable" button. Pressing this button will cause ZAP to resend the authentication request whenever it detects that the user is no longer logged in, i.e. by using the 'logged in' or 'logged out' indicator. Forced user mode is ignored for scans that already have a user set.
Form Based Authentication
#!/usr/bin/env python
import urllib.parse
from zapv2 import ZAPv2

context_id = 1
apikey = 'changeMe'
context_name = 'Default Context'
target_url = 'http://localhost:8090/bodgeit'

# By default ZAP API client will connect to port 8080
zap = ZAPv2(apikey=apikey)
# Use the line below if ZAP is not listening on port 8080, for example, if listening on port 8090
# zap = ZAPv2(apikey=apikey, proxies={'http': 'http://127.0.0.1:8090', 'https': 'http://127.0.0.1:8090'})


def set_include_in_context():
    exclude_url = 'http://localhost:8090/bodgeit/logout.jsp'
    include_url = 'http://localhost:8090/bodgeit.*'
    zap.context.include_in_context(context_name, include_url)
    # Keep the logout page out of scope so the spider does not end the session
    zap.context.exclude_from_context(context_name, exclude_url)
    print('Configured include and exclude regex(s) in context')


def set_logged_in_indicator():
    # Raw string: \Q...\E is Java regex literal quoting, evaluated by ZAP, not by Python
    logged_in_regex = r'\Q<a href="logout.jsp">Logout</a>\E'
    zap.authentication.set_logged_in_indicator(context_id, logged_in_regex)
    print('Configured logged in indicator regex: ' + logged_in_regex)


def set_form_based_auth():
    login_url = 'http://localhost:8090/bodgeit/login.jsp'
    # {%username%} and {%password%} are replaced by ZAP with the user's credentials
    login_request_data = 'username={%username%}&password={%password%}'
    # Each value is URL encoded; the pair is joined like a query string
    form_based_config = 'loginUrl=' + urllib.parse.quote(login_url) + '&loginRequestData=' + urllib.parse.quote(login_request_data)
    zap.authentication.set_authentication_method(context_id, 'formBasedAuthentication', form_based_config)
    print('Configured form based authentication')


def set_user_auth_config():
    user = 'Test User'
    username = 'test@example.com'
    password = 'weakPassword'
    user_id = zap.users.new_user(context_id, user)
    user_auth_config = 'username=' + urllib.parse.quote(username) + '&password=' + urllib.parse.quote(password)
    zap.users.set_authentication_credentials(context_id, user_id, user_auth_config)
    zap.users.set_user_enabled(context_id, user_id, 'true')
    zap.forcedUser.set_forced_user(context_id, user_id)
    zap.forcedUser.set_forced_user_mode_enabled('true')
    print('User Auth Configured')
    return user_id


def start_spider(user_id):
    zap.spider.scan_as_user(context_id, user_id, target_url, recurse='true')
    print('Started Scanning with Authentication')


set_include_in_context()
set_form_based_auth()
set_logged_in_indicator()
user_id_response = set_user_auth_config()
start_spider(user_id_response)
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

public class FormAuth {

    private static final String ZAP_ADDRESS = "localhost";
    private static final int ZAP_PORT = 8080;
    // Set this to the key shown in ZAP under Tools > Options > API; null only works
    // when the API key check has been disabled in ZAP.
    private static final String ZAP_API_KEY = null;
    private static final String contextId = "1";
    private static final String contextName = "Default Context";
    private static final String target = "http://localhost:8090/bodgeit";

    private static void setIncludeAndExcludeInContext(ClientApi clientApi)
            throws UnsupportedEncodingException, ClientApiException {
        String includeInContext = "http://localhost:8090/bodgeit.*";
        String excludeInContext = "http://localhost:8090/bodgeit/logout.jsp";
        clientApi.context.includeInContext(contextName, includeInContext);
        clientApi.context.excludeFromContext(contextName, excludeInContext);
    }

    private static void setLoggedInIndicator(ClientApi clientApi)
            throws UnsupportedEncodingException, ClientApiException {
        // Prepare values to set, with the logged in indicator as a regex matching the logout link
        String loggedInIndicator = "<a href=\"logout.jsp\">Logout</a>";
        // Actually set the logged in indicator; Pattern.quote wraps it in \Q...\E
        clientApi.authentication.setLoggedInIndicator(contextId, java.util.regex.Pattern.quote(loggedInIndicator));
        // Check out the logged in indicator that is set
        System.out.println("Configured logged in indicator regex: "
                + ((ApiResponseElement) clientApi.authentication.getLoggedInIndicator(contextId)).getValue());
    }

    private static void setFormBasedAuthenticationForBodgeit(ClientApi clientApi)
            throws ClientApiException, UnsupportedEncodingException {
        // Setup the authentication method
        String loginUrl = "http://localhost:8090/bodgeit/login.jsp";
        String loginRequestData = "username={%username%}&password={%password%}";
        // Prepare the configuration in a format similar to how URL parameters are formed. This
        // means that any value we add for the configuration values has to be URL encoded.
        StringBuilder formBasedConfig = new StringBuilder();
        formBasedConfig.append("loginUrl=").append(URLEncoder.encode(loginUrl, "UTF-8"));
        formBasedConfig.append("&loginRequestData=").append(URLEncoder.encode(loginRequestData, "UTF-8"));
        System.out.println("Setting form based authentication configuration as: "
                + formBasedConfig.toString());
        clientApi.authentication.setAuthenticationMethod(contextId, "formBasedAuthentication",
                formBasedConfig.toString());
        // Check if everything is set up ok
        System.out.println("Authentication config: "
                + clientApi.authentication.getAuthenticationMethod(contextId).toString(0));
    }

    private static String setUserAuthConfigForBodgeit(ClientApi clientApi)
            throws ClientApiException, UnsupportedEncodingException {
        // Prepare info
        String user = "Test User";
        String username = "test@example.com";
        String password = "weakPassword";
        // Make sure we have at least one user
        String userId = extractUserId(clientApi.users.newUser(contextId, user));
        // Prepare the configuration in a format similar to how URL parameters are formed. This
        // means that any value we add for the configuration values has to be URL encoded.
        StringBuilder userAuthConfig = new StringBuilder();
        userAuthConfig.append("username=").append(URLEncoder.encode(username, "UTF-8"));
        userAuthConfig.append("&password=").append(URLEncoder.encode(password, "UTF-8"));
        System.out.println("Setting user authentication configuration as: " + userAuthConfig.toString());
        clientApi.users.setAuthenticationCredentials(contextId, userId, userAuthConfig.toString());
        clientApi.users.setUserEnabled(contextId, userId, "true");
        clientApi.forcedUser.setForcedUser(contextId, userId);
        clientApi.forcedUser.setForcedUserModeEnabled(true);
        // Check if everything is set up ok
        System.out.println("Authentication config: " + clientApi.users.getUserById(contextId, userId).toString(0));
        return userId;
    }

    private static String extractUserId(ApiResponse response) {
        return ((ApiResponseElement) response).getValue();
    }

    private static void scanAsUser(ClientApi clientApi, String userId) throws ClientApiException {
        // contextId, userId, url, maxChildren, recurse, subtreeOnly
        clientApi.spider.scanAsUser(contextId, userId, target, null, "true", null);
    }

    /**
     * The main method.
     *
     * @param args the arguments
     * @throws ClientApiException
     * @throws UnsupportedEncodingException
     */
    public static void main(String[] args) throws ClientApiException, UnsupportedEncodingException {
        ClientApi clientApi = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);
        setIncludeAndExcludeInContext(clientApi);
        setFormBasedAuthenticationForBodgeit(clientApi);
        setLoggedInIndicator(clientApi);
        String userId = setUserAuthConfigForBodgeit(clientApi);
        scanAsUser(clientApi, userId);
    }
}
# To include in default context
curl 'http://localhost:8080/JSON/context/action/includeInContext/?apikey=<ZAP_API_KEY>&contextName=Default+Context&regex=http%3A%2F%2Flocalhost%3A8090%2Fbodgeit.*'
# To exclude the logout page from the context
curl 'http://localhost:8080/JSON/context/action/excludeFromContext/?apikey=<ZAP_API_KEY>&contextName=Default+Context&regex=http%3A%2F%2Flocalhost%3A8090%2Fbodgeit%2Flogout.jsp'
# Set login details (URL Encoded)
curl 'http://localhost:8080/JSON/authentication/action/setAuthenticationMethod/?apikey=<ZAP_API_KEY>&contextId=1&authMethodName=formBasedAuthentication&authMethodConfigParams=loginUrl%3Dhttp%3A%2F%2Flocalhost%3A8090%2Fbodgeit%2Flogin.jsp%26loginRequestData%3Dusername%253D%257B%2525username%2525%257D%2526password%253D%257B%2525password%2525%257D'
# To set the logged in indicator
curl 'http://localhost:8080/JSON/authentication/action/setLoggedInIndicator/?apikey=<ZAP_API_KEY>&contextId=1&loggedInIndicatorRegex=%5CQ%3Ca+href%3D%22logout.jsp%22%3ELogout%3C%2Fa%3E%5CE'
# To create a user (The first user id is: 0)
curl 'http://localhost:8080/JSON/users/action/newUser/?apikey=<ZAP_API_KEY>&contextId=1&name=Test+User'
# To add the credentials for the user
curl 'http://localhost:8080/JSON/users/action/setAuthenticationCredentials/?apikey=<ZAP_API_KEY>&contextId=1&userId=0&authCredentialsConfigParams=username%3Dtest%40example.com%26password%3DweakPassword'
# To enable the user
curl 'http://localhost:8080/JSON/users/action/setUserEnabled/?apikey=<ZAP_API_KEY>&contextId=1&userId=0&enabled=true'
# To set forced user
curl 'http://localhost:8080/JSON/forcedUser/action/setForcedUser/?apikey=<ZAP_API_KEY>&contextId=1&userId=0'
# To enable forced user mode
curl 'http://localhost:8080/JSON/forcedUser/action/setForcedUserModeEnabled/?apikey=<ZAP_API_KEY>&boolean=true'
The following example performs a simple form-based authentication using the Bodgeit vulnerable application. It's recommended that you configure the authentication via the desktop UI before attempting the APIs.
Setup Target Application
Bodgeit uses a simple form-based authentication to authenticate the users of the application. Use the following command to start a docker instance of the Bodgeit application:
docker run --rm -p 8090:8080 -i -t psiinon/bodgeit
Register a User
Register a user in the application by navigating to http://localhost:8090/bodgeit/register.jsp. For the purpose of this example, use the following credentials (the same ones the code on the right configures in ZAP).
- username: test@example.com
- password: weakPassword
Login
After registering the user, browse (proxied via ZAP) to http://localhost:8090/bodgeit/login.jsp and log in to the application. The login request will be added to the History tab in ZAP.
Search for the POST request to http://localhost:8090/bodgeit/login.jsp. Right-click on the POST request and select the Flag as Context -> Default Context : Form based Login Request option. This opens the context authentication editor; notice that it has auto-selected form-based authentication and auto-filled the login URL and the POST data. Select the correct form parameters as the username and password in the dropdowns and click OK.
Now you need to tell ZAP how to recognise whether the application is logged in or out. The Bodgeit application includes the logout link
<a href="logout.jsp">Logout</a>
in the successful login response. You can view this in the Response tab of the login request. Highlight the text, right-click and select the Flag as Context -> Default Context, Loggedin Indicator option. This autofills the regex needed for the logged-in indicator. The following image shows the completed set up for the authentication tab of the context dialog.
Now add the user credentials under context -> Users -> Add. After adding the credentials, enable "Forced User" mode in the desktop UI so that ZAP authenticates as that user before testing the application.
Now test the authentication by performing an authenticated Spider scan with ZAP. Go to the Spider, select the Default Context and the test user, and start the scan. You should see the Spider crawling the protected resources.
Steps to Reproduce via API
If you have configured the authentication via the desktop UI, then export the context and import it using the importContext API. Otherwise follow the steps below to configure the authentication setting for the context.
Include in Context
In order to proceed with authentication, the URL of the application should be added to the context. As Bodgeit is available via http://localhost:8090/bodgeit use the includeInContext API to add the URL to a context.
Set Authentication Method
Use setAuthenticationMethod to set up the authentication method and its configuration parameters. It takes contextId, authMethodName and authMethodConfigParams as parameters. As Bodgeit uses form-based authentication, use formBasedAuthentication as the authMethodName and the id of the context configured above (1 for the Default Context) as the contextId.
authMethodConfigParams requires loginUrl and loginRequestData. Each value must be URL encoded, and the pair is joined like a query string:
authMethodConfigParams : loginUrl=http%3A%2F%2Flocalhost%3A8090%2Fbodgeit%2Flogin.jsp&loginRequestData=username%3D%7B%25username%25%7D%26password%3D%7B%25password%25%7D
Here loginRequestData is the encoded form of username={%username%}&password={%password%}; ZAP substitutes the user's credentials for the {%username%} and {%password%} placeholders at login time. When this whole string is itself passed as a query parameter (as in the curl example) it is encoded once more, which is why the curl command contains escapes such as %253D.
Set Login and Logout Indicators
Use setLoggedInIndicator to set the logged-in indicator (and setLoggedOutIndicator for a logged-out indicator, if the application has a reliable one). The following regex matches the logout link in Bodgeit's successful login response:
\Q<a href="logout.jsp">Logout</a>\E
Create User and Enable Forced User Mode
Now create the user with the newUser API, add the credentials via setAuthenticationCredentials, enable the user with setUserEnabled, and use setForcedUser and setForcedUserModeEnabled to enable forced user mode in ZAP.
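The two places this setup most often goes wrong are the encoding of the config strings (Step 3 of the general steps above) and the indicator regexes (Step 4). The following Python, added here and not code from the ZAP project or this page, builds the config strings with the standard library so the single and double encoding is never done by hand, and checks the Bodgeit and DVWA indicator regexes against constructed responses before they are sent to ZAP. ZAP compiles indicator regexes with Java's regex engine, so the \Q...\E quoting used on this page is valid there but unknown to Python's re module; java_regex_to_python() bridges that gap. The parameter names (loginUrl, loginRequestData, username, password) and the regexes are the ones from the walkthroughs; the function names and the sample HTTP responses are assumptions made for the example.

```python
"""Helpers for the two places the form-based setup goes wrong most often:
building the URL-encoded config strings, and writing logged-in/out indicator
regexes that ZAP will evaluate.

Added example, not code from the ZAP project or the original page. The HTTP
responses are constructed. The parameter names (loginUrl, loginRequestData,
username, password) and the indicator regexes are the ones used in the
Bodgeit and DVWA walkthroughs. ZAP compiles indicator regexes with Java's
regex engine, so \\Q...\\E quoting is valid there but unknown to Python's re;
java_regex_to_python() bridges that so the regexes can be checked locally.
"""
import re
import urllib.parse


def build_config_params(params):
    """Encode a dict as the form-encoded string that authMethodConfigParams and
    authCredentialsConfigParams expect.

    The API client (or curl) then encodes this whole string again as a query
    parameter value, which is why the curl examples show doubled escapes such
    as %253D: one layer for the outer query string, one for the inner string.
    """
    return urllib.parse.urlencode(params)


def as_query_value(config_params):
    """The second encoding, as it appears in a raw GET to the ZAP API."""
    return urllib.parse.quote(config_params, safe="")


def parse_config_params(config_params):
    """Decode the inner string the way ZAP does, to confirm a round trip."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(config_params).items()}


def java_regex_to_python(pattern):
    """Rewrite Java's \\Q...\\E literal spans as escaped text for Python's re.
    An unterminated \\Q quotes to the end of the pattern, as in Java."""
    out = re.sub(r"\\Q(.*?)\\E", lambda m: re.escape(m.group(1)), pattern, flags=re.DOTALL)
    head, sep, tail = out.partition("\\Q")
    return head + re.escape(tail) if sep else out


def classify_response(response, logged_in_regex, logged_out_regex=None):
    """Simplified version of ZAP's check on a full response (headers and body):
    the logged-in indicator wins, then the logged-out one, else 'unknown'."""
    if re.search(java_regex_to_python(logged_in_regex), response):
        return "logged_in"
    if logged_out_regex and re.search(java_regex_to_python(logged_out_regex), response):
        return "logged_out"
    return "unknown"


# Indicator regexes from the walkthroughs, kept as raw strings so Python does
# not touch the backslashes before ZAP sees them.
LOGGED_IN_BODGEIT = r'\Q<a href="logout.jsp">Logout</a>\E'
LOGGED_IN_DVWA = r'\Q<a href="logout.php">Logout</a>\E'
LOGGED_OUT_DVWA = r'(?:Location: [./]*login\.php)|(?:\Q<form action="login.php" method="post">\E)'

# Constructed responses standing in for what ZAP would see.
BODGEIT_HOME_AUTHED = ('HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
                       '<html><body><a href="logout.jsp">Logout</a> Welcome</body></html>')
DVWA_REDIRECT_TO_LOGIN = 'HTTP/1.1 302 Found\r\nLocation: ./login.php\r\n\r\n'
DVWA_LOGIN_FORM = ('HTTP/1.1 200 OK\r\n\r\n'
                   '<form action="login.php" method="post"><input name="user_token"></form>')

if __name__ == "__main__":
    cfg = build_config_params({
        "loginUrl": "http://localhost:8090/bodgeit/login.jsp",
        "loginRequestData": "username={%username%}&password={%password%}"})
    print("authMethodConfigParams:", cfg)
    print("as raw query value:    ", as_query_value(cfg))
    print(classify_response(BODGEIT_HOME_AUTHED, LOGGED_IN_BODGEIT))
    print(classify_response(DVWA_REDIRECT_TO_LOGIN, LOGGED_IN_DVWA, LOGGED_OUT_DVWA))
```

The credentials string is built the same way, build_config_params({"username": ..., "password": ...}), which matters as soon as a password contains '&' or '=': unencoded, those characters would split the string into extra parameters and the login would silently fail. Because the logged-out indicator for DVWA matches the Location header as well as the form, classify_response is run over the full response, headers included, which is also what ZAP does.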
Script Based Authentication
#!/usr/bin/env python
import urllib.parse
from zapv2 import ZAPv2

context_id = 1
apikey = 'changeMe'
context_name = 'Default Context'
target_url = 'http://localhost:3000'

# By default ZAP API client will connect to port 8080
zap = ZAPv2(apikey=apikey)
# Use the line below if ZAP is not listening on port 8080, for example, if listening on port 8090
# zap = ZAPv2(apikey=apikey, proxies={'http': 'http://127.0.0.1:8090', 'https': 'http://127.0.0.1:8090'})


def set_include_in_context():
    include_url = 'http://localhost:3000.*'
    zap.context.include_in_context(context_name, include_url)
    # The script performs the login itself; keep the pages that would disrupt the
    # session (login, logout, setup, security level) out of scope
    zap.context.exclude_from_context(context_name, r'\Qhttp://localhost:3000/login.php\E')
    zap.context.exclude_from_context(context_name, r'\Qhttp://localhost:3000/logout.php\E')
    zap.context.exclude_from_context(context_name, r'\Qhttp://localhost:3000/setup.php\E')
    zap.context.exclude_from_context(context_name, r'\Qhttp://localhost:3000/security.php\E')
    print('Configured include and exclude regex(s) in context')


def set_logged_in_indicator():
    # Raw strings: \Q...\E is Java regex literal quoting, evaluated by ZAP, not by Python
    logged_in_regex = r'\Q<a href="logout.php">Logout</a>\E'
    logged_out_regex = r'(?:Location: [./]*login\.php)|(?:\Q<form action="login.php" method="post">\E)'
    zap.authentication.set_logged_in_indicator(context_id, logged_in_regex)
    zap.authentication.set_logged_out_indicator(context_id, logged_out_regex)
    print('Configured logged in and logged out indicator regexes')


def set_script_based_auth():
    # {%user_token%} is filled in by the script with the CSRF token from the login page
    post_data = 'username={%username%}&password={%password%}&Login=Login&user_token={%user_token%}'
    post_data_encoded = urllib.parse.quote(post_data)
    login_request_data = 'scriptName=auth-dvwa.js&Login_URL=http://localhost:3000/login.php&CSRF_Field=user_token' \
                         '&POST_Data=' + post_data_encoded
    zap.authentication.set_authentication_method(context_id, 'scriptBasedAuthentication', login_request_data)
    print('Configured script based authentication')


def set_user_auth_config():
    user = 'Administrator'
    username = 'admin'
    password = 'password'
    user_id = zap.users.new_user(context_id, user)
    # The credential parameter names (Username, Password) are defined by the script
    user_auth_config = 'Username=' + urllib.parse.quote(username) + '&Password=' + urllib.parse.quote(password)
    zap.users.set_authentication_credentials(context_id, user_id, user_auth_config)
    zap.users.set_user_enabled(context_id, user_id, 'true')
    zap.forcedUser.set_forced_user(context_id, user_id)
    zap.forcedUser.set_forced_user_mode_enabled('true')
    print('User Auth Configured')
    return user_id


def upload_script():
    # The script file must exist on the machine running ZAP
    script_name = 'auth-dvwa.js'
    script_type = 'authentication'
    script_engine = 'Oracle Nashorn'
    file_name = '/tmp/auth-dvwa.js'
    charset = 'UTF-8'
    zap.script.load(script_name, script_type, script_engine, file_name, charset=charset)


def start_spider(user_id):
    zap.spider.scan_as_user(context_id, user_id, target_url, recurse='true')
    print('Started Scanning with Authentication')


set_include_in_context()
# The script must be loaded before the authentication method can reference it
upload_script()
set_script_based_auth()
set_logged_in_indicator()
user_id_response = set_user_auth_config()
start_spider(user_id_response)
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

public class ScriptAuth {

    private static final String ZAP_ADDRESS = "localhost";
    private static final int ZAP_PORT = 8080;
    // Set this to the key shown in ZAP under Tools > Options > API; null only works
    // when the API key check has been disabled in ZAP.
    private static final String ZAP_API_KEY = null;
    private static final String contextId = "1";
    private static final String contextName = "Default Context";
    private static final String target = "http://localhost:3000";

    private static void setIncludeAndExcludeInContext(ClientApi clientApi)
            throws UnsupportedEncodingException, ClientApiException {
        String includeInContext = "http://localhost:3000.*";
        clientApi.context.includeInContext(contextName, includeInContext);
        // The script performs the login itself; keep the pages that would disrupt the session out of scope
        clientApi.context.excludeFromContext(contextName, "\\Qhttp://localhost:3000/login.php\\E");
        clientApi.context.excludeFromContext(contextName, "\\Qhttp://localhost:3000/logout.php\\E");
        clientApi.context.excludeFromContext(contextName, "\\Qhttp://localhost:3000/setup.php\\E");
        clientApi.context.excludeFromContext(contextName, "\\Qhttp://localhost:3000/security.php\\E");
    }

    private static void setLoggedInIndicator(ClientApi clientApi)
            throws UnsupportedEncodingException, ClientApiException {
        // Prepare values to set, with the logged in indicator as a regex matching the logout link
        String loggedInIndicator = "\\Q<a href=\"logout.php\">Logout</a>\\E";
        String loggedOutIndicator = "(?:Location: [./]*login\\.php)|(?:\\Q<form action=\"login.php\" method=\"post\">\\E)";
        // Actually set the logged in and logged out indicators
        clientApi.authentication.setLoggedInIndicator(contextId, loggedInIndicator);
        clientApi.authentication.setLoggedOutIndicator(contextId, loggedOutIndicator);
        // Check out the logged in indicator that is set
        System.out.println("Configured logged in indicator regex: "
                + ((ApiResponseElement) clientApi.authentication.getLoggedInIndicator(contextId)).getValue());
    }

    private static void setScriptBasedAuthenticationForDVWA(ClientApi clientApi)
            throws ClientApiException, UnsupportedEncodingException {
        // {%user_token%} is filled in by the script with the CSRF token from the login page
        String postData = "username={%username%}&password={%password%}&Login=Login&user_token={%user_token%}";
        String postDataEncoded = URLEncoder.encode(postData, "UTF-8");
        String scriptConfig = "scriptName=auth-dvwa.js&Login_URL=http://localhost:3000/login.php&CSRF_Field=user_token"
                + "&POST_Data=" + postDataEncoded;
        clientApi.authentication.setAuthenticationMethod(contextId, "scriptBasedAuthentication", scriptConfig);
        System.out.println("Authentication config: "
                + clientApi.authentication.getAuthenticationMethod(contextId).toString(0));
    }

    private static String setUserAuthConfigForDVWA(ClientApi clientApi)
            throws ClientApiException, UnsupportedEncodingException {
        // Prepare info
        String user = "Admin";
        String username = "admin";
        String password = "password";
        // Make sure we have at least one user
        String userId = extractUserId(clientApi.users.newUser(contextId, user));
        // Prepare the configuration in a format similar to how URL parameters are formed. This
        // means that any value we add for the configuration values has to be URL encoded.
        // The credential parameter names (Username, Password) are defined by the script.
        StringBuilder userAuthConfig = new StringBuilder();
        userAuthConfig.append("Username=").append(URLEncoder.encode(username, "UTF-8"));
        userAuthConfig.append("&Password=").append(URLEncoder.encode(password, "UTF-8"));
        System.out.println("Setting user authentication configuration as: " + userAuthConfig.toString());
        clientApi.users.setAuthenticationCredentials(contextId, userId, userAuthConfig.toString());
        clientApi.users.setUserEnabled(contextId, userId, "true");
        clientApi.forcedUser.setForcedUser(contextId, userId);
        clientApi.forcedUser.setForcedUserModeEnabled(true);
        // Check if everything is set up ok
        System.out.println("Authentication config: " + clientApi.users.getUserById(contextId, userId).toString(0));
        return userId;
    }

    private static void uploadScript(ClientApi clientApi) throws ClientApiException {
        // The script file must exist on the machine running ZAP
        String scriptName = "auth-dvwa.js";
        String scriptType = "authentication";
        String scriptEngine = "Oracle Nashorn";
        String fileName = "/tmp/auth-dvwa.js";
        clientApi.script.load(scriptName, scriptType, scriptEngine, fileName, null);
    }

    private static String extractUserId(ApiResponse response) {
        return ((ApiResponseElement) response).getValue();
    }

    private static void scanAsUser(ClientApi clientApi, String userId) throws ClientApiException {
        // contextId, userId, url, maxChildren, recurse, subtreeOnly
        clientApi.spider.scanAsUser(contextId, userId, target, null, "true", null);
    }

    /**
     * The main method.
     *
     * @param args the arguments
     * @throws ClientApiException
     * @throws UnsupportedEncodingException
     */
    public static void main(String[] args) throws ClientApiException, UnsupportedEncodingException {
        ClientApi clientApi = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);
        // The script must be loaded before the authentication method can reference it
        uploadScript(clientApi);
        setIncludeAndExcludeInContext(clientApi);
        setScriptBasedAuthenticationForDVWA(clientApi);
        setLoggedInIndicator(clientApi);
        String userId = setUserAuthConfigForDVWA(clientApi);
        scanAsUser(clientApi, userId);
    }
}
# To add in default context
curl 'http://localhost:8080/JSON/context/action/includeInContext/?apikey=<ZAP_API_KEY>&contextName=Default+Context&regex=http%3A%2F%2Flocalhost%3A3000.*'
# To add exclude in context (repeat for login.php, setup.php and security.php)
curl 'http://localhost:8080/JSON/context/action/excludeFromContext/?apikey=<ZAP_API_KEY>&contextName=Default+Context&regex=%5CQhttp%3A%2F%2Flocalhost%3A3000%2Flogout.php%5CE'
# To upload the script (the file must exist on the machine running ZAP)
curl 'http://localhost:8080/JSON/script/action/load/?apikey=<ZAP_API_KEY>&scriptName=auth-dvwa.js&scriptType=authentication&scriptEngine=Oracle+Nashorn&fileName=%2Ftmp%2Fauth-dvwa.js&scriptDescription=&charset='
# To set up authentication information
curl 'http://localhost:8080/JSON/authentication/action/setAuthenticationMethod/?apikey=<ZAP_API_KEY>&contextId=1&authMethodName=scriptBasedAuthentication&authMethodConfigParams=scriptName%3Dauth-dvwa.js%26Login_URL%3Dhttp%3A%2F%2Flocalhost%3A3000%2Flogin.php%26CSRF_Field%3Duser_token%26POST_Data%3Dusername%253D%257B%2525username%2525%257D%2526password%253D%257B%2525password%2525%257D%2526Login%253DLogin%2526user_token%253D%257B%2525user_token%2525%257D'
# To set the logged in indicator
curl 'http://localhost:8080/JSON/authentication/action/setLoggedInIndicator/?apikey=<ZAP_API_KEY>&contextId=1&loggedInIndicatorRegex=%5CQ%3Ca+href%3D%5C%22logout.php%5C%22%3ELogout%3C%2Fa%3E%5CE'
# To set the logged out indicator
curl 'http://localhost:8080/JSON/authentication/action/setLoggedOutIndicator/?apikey=<ZAP_API_KEY>&contextId=1&loggedOutIndicatorRegex=%28%3F%3ALocation%3A+%5B.%2F%5D*login%5C.php%29%7C%28%3F%3A%5CQ%3Cform+action%3D%22login.php%22+method%3D%22post%22%3E%5CE%29'
# To create a user (The first user id is: 0)
curl 'http://localhost:8080/JSON/users/action/newUser/?apikey=<ZAP_API_KEY>&contextId=1&name=Test+User'
# To add the credentials for the user (parameter names Username/Password are defined by the script)
curl 'http://localhost:8080/JSON/users/action/setAuthenticationCredentials/?apikey=<ZAP_API_KEY>&contextId=1&userId=0&authCredentialsConfigParams=Username%3Dadmin%26Password%3Dpassword'
# To enable the user
curl 'http://localhost:8080/JSON/users/action/setUserEnabled/?apikey=<ZAP_API_KEY>&contextId=1&userId=0&enabled=true'
# To set forced user
curl 'http://localhost:8080/JSON/forcedUser/action/setForcedUser/?apikey=<ZAP_API_KEY>&contextId=1&userId=0'
# To enable forced user mode
curl 'http://localhost:8080/JSON/forcedUser/action/setForcedUserModeEnabled/?apikey=<ZAP_API_KEY>&boolean=true'
ZAP has scripting support for most of the popular languages. The following are some of the scripting languages supported by ZAP.
- JavaScript
- Python
- Ruby
- Groovy
- Zest
ZAP has an Add-on Marketplace where you can get add-ons for additional scripting engines. Click the red, blue, & green box stacked icon in ZAP to bring up the marketplace modal. After it pops up, switch to the Marketplace and install the appropriate scripting engine.
The following example performs a script-based authentication for the Damn Vulnerable Web Application (DVWA). Like Bodgeit, DVWA uses a POST request to authenticate users, but apart from the username and password DVWA sends an additional token to protect against cross-site request forgery. This token is obtained from the login page; the following image shows the token embedded in the login page.
If the token is not included as a POST parameter in the login request, the request is rejected. In order to send this token, let's use the script-based authentication technique: the authentication script fetches the login page, parses the HTML to extract the token, and appends it to the POST request.
Setup Target Application
Use the following docker command to start DVWA. To complete the setup, log in to the application at http://localhost:3000 with its default credentials (Username: admin, Password: password) and create the database from the setup page (setup.php).
docker run --rm -it -p 3000:80 vulnerables/web-dvwa
Create the Script
Go to the Scripts tab and create a new Authentication script. Provide a name for the script, select JavaScript/Nashorn as the engine and replace the script contents with the following script.
Configure Context Authentication
Now navigate to http://localhost:3000 and add the URL to the default context. Then double-click on the default context and select script-based authentication as the authentication method. Load the script from the drop down provided and set the following parameter values.
- Login URL: http://localhost:3000/login.php
- CSRF Field: user_token
- POST Data: username={%username%}&password={%password%}&Login=Login&user_token={%user_token%}
- Logged in regex: \Q<a href="logout.php">Logout</a>\E
- Logged out regex: (?:Location: [./]*login\.php)|(?:\Q<form action="login.php" method="post">\E)
Now add the default admin user in the Users tab and enable the user.
- User Name: Administrator
- Username: admin
- Password: password
As the login operation is performed by the script, let's add the login URL as out of context. Additionally you should exclude pages that would disrupt the login process: if the logout URL is not excluded, the Spider will trigger unwanted logouts (and similarly for password or security-level changes). Therefore, add the following regex(s) to the "Exclude from Context" tab.
\Qhttp://localhost:3000/login.php\E
\Qhttp://localhost:3000/logout.php\E
\Qhttp://localhost:3000/setup.php\E
\Qhttp://localhost:3000/security.php\E
Now you can enable the forced user mode and start the Spider or manually select the admin user for the Spider scan. If you have selected the forced user mode and also manually selected a user; then the manually selected user/context will supersede the forced user mode. After this you should see the Spider crawling all the protected resources. The authentication results will be available through the Output panel and you can also select the login POST request in the History tab to verify the token has been sent to the application.
Steps to Reproduce via API
Use the script endpoint to upload the script file; it must be loaded before the authentication method can reference it. Thereafter the configuration is very similar to the form-based authentication with the Bodgeit application. Use the includeInContext API to add the URL to the default context and setAuthenticationMethod to set up the authentication method and its configuration parameters. Finally use the users API to create the admin user. Refer to the script in the right column for how to use the above APIs.
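The page refers to the authentication script without showing it, so the following Python, added here and neither that script nor ZAP project code, reproduces what it has to do with DVWA's token so the handling can be checked outside ZAP: fetch the login page, pull the hidden field named by CSRF Field out of the form, merge it with the credentials and render POST Data with the {%username%}, {%password%} and {%user_token%} placeholders filled in. FakeDvwa is a constructed stand-in for the application, its responses are invented, and extract_hidden_field, render_post_data and authenticate are names chosen for the example; Login_URL, CSRF_Field and POST_Data are the parameter names from the configuration above. In the real ZAP script the same three steps run inside authenticate(helper, paramsValues, credentials), using helper.prepareMessage() and helper.sendAndReceive() for the two requests and returning the login response so ZAP can apply the logged-in/out indicators to it.

```python
"""What the DVWA authentication script must do, reproduced in plain Python so
the CSRF-token handling can be exercised outside ZAP.

Added example; it is neither the script referred to on the page nor ZAP
project code. FakeDvwa is a constructed stand-in for the application and its
responses are invented. The parameter names (Login_URL, CSRF_Field,
POST_Data) and the {%username%}, {%password%} and {%user_token%}
placeholders are the ones from the page's script-based configuration.
"""
import html
import re
import urllib.parse

PARAMS = {  # the values entered in the context's authentication settings
    "Login_URL": "http://localhost:3000/login.php",
    "CSRF_Field": "user_token",
    "POST_Data": "username={%username%}&password={%password%}&Login=Login&user_token={%user_token%}",
}


def extract_hidden_field(page, field_name):
    """Return the value of the <input> whose name is field_name, '' if that
    input has no value attribute, or None if no such input exists.
    Attribute order varies between frameworks, so name and value are matched
    independently within each tag."""
    for tag in re.findall(r"<input\b[^>]*>", page, flags=re.IGNORECASE):
        name = re.search(r'\bname\s*=\s*["\']([^"\']*)["\']', tag, re.IGNORECASE)
        if not name or name.group(1) != field_name:
            continue
        value = re.search(r'\bvalue\s*=\s*["\']([^"\']*)["\']', tag, re.IGNORECASE)
        return html.unescape(value.group(1)) if value else ""
    return None


def render_post_data(template, values):
    """Fill {%name%} placeholders, URL-encoding each value so '&' or '=' in a
    password cannot split the body into extra parameters."""
    def substitute(match):
        key = match.group(1)
        if key not in values:
            raise KeyError(f"no value for placeholder {{%{key}%}}")
        return urllib.parse.quote_plus(values[key])
    return re.sub(r"\{%([^%]+)%\}", substitute, template)


class FakeDvwa:
    """Constructed stand-in: hands out a session token with the login form and,
    like DVWA, rejects a login whose token does not match."""

    def __init__(self):
        self.token = "0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f50"  # fixed so runs are repeatable
        self.users = {"admin": "password"}

    def get_login_page(self):
        return ('<form action="login.php" method="post">'
                '<input type="text" name="username">'
                '<input type="password" name="password">'
                f'<input type="hidden" name="user_token" value="{self.token}">'
                '</form>')

    def post_login(self, body):
        form = dict(urllib.parse.parse_qsl(body, keep_blank_values=True))
        if form.get("user_token") != self.token:
            return "HTTP/1.1 302 Found\r\nLocation: ../login.php\r\n\r\nCSRF token is incorrect"
        if self.users.get(form.get("username")) != form.get("password"):
            return "HTTP/1.1 302 Found\r\nLocation: login.php\r\n\r\nLogin failed"
        return 'HTTP/1.1 200 OK\r\n\r\n<html><a href="logout.php">Logout</a></html>'


def authenticate(app, params, credentials):
    """The authenticate() step: GET Login_URL, pull the CSRF_Field value out of
    the form, merge it with the credentials and POST the rendered POST_Data.
    Returns (request body, response) so both can be inspected."""
    token = extract_hidden_field(app.get_login_page(), params["CSRF_Field"])
    if token is None:
        raise RuntimeError(f"{params['CSRF_Field']!r} not found on {params['Login_URL']}")
    values = dict(credentials)
    values[params["CSRF_Field"]] = token
    body = render_post_data(params["POST_Data"], values)
    return body, app.post_login(body)


if __name__ == "__main__":
    body, response = authenticate(FakeDvwa(), PARAMS, {"username": "admin", "password": "password"})
    print("POST body:", body)
    print("response: ", response.splitlines()[0])
```

The failure the page describes (a login POST without the token is rejected) is what the stand-in reproduces when post_login is called with the plain form body; the same token mismatch is what you see in the Output panel when the script regex misses the field, so a quick local run of extract_hidden_field against a saved copy of the real login page is a cheap way to rule that out before starting the Spider.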
JSON Based Authentication
#!/usr/bin/env python
import urllib.parse
from zapv2 import ZAPv2

context_id = 1
apiKey = 'changeMe'
context_name = 'Default Context'
target_url = 'http://localhost:3000'

# By default ZAP API client will connect to port 8080
zap = ZAPv2(apikey=apiKey)
# Use the line below if ZAP is not listening on port 8080, for example, if listening on port 8090
# zap = ZAPv2(apikey=apiKey, proxies={'http': 'http://127.0.0.1:8090', 'https': 'http://127.0.0.1:8090'})


def set_include_in_context():
    include_url = 'http://localhost:3000.*'
    zap.context.include_in_context(context_name, include_url)
    print('Configured include regex in context')


def set_logged_in_indicator():
    # Raw strings: \Q...\E is Java regex literal quoting, evaluated by ZAP, not by Python
    logged_in_regex = r'\Q<a href="logout.php">Logout</a>\E'
    logged_out_regex = r'(?:Location: [./]*login\.php)|(?:\Q<form action="login.php" method="post">\E)'
    zap.authentication.set_logged_in_indicator(context_id, logged_in_regex)
    zap.authentication.set_logged_out_indicator(context_id, logged_out_regex)
    print('Configured logged in and logged out indicator regexes')


def set_json_based_auth():
    login_url = 'http://localhost:3000/rest/user/login'
    # jsonBasedAuthentication sends loginRequestData as a JSON body and replaces the
    # {%username%} / {%password%} placeholders inside it; Juice Shop logs in with email + password
    login_request_data = '{"email":"{%username%}","password":"{%password%}"}'
    json_based_config = 'loginUrl=' + urllib.parse.quote(login_url) + '&loginRequestData=' + urllib.parse.quote(login_request_data)
    zap.authentication.set_authentication_method(context_id, 'jsonBasedAuthentication', json_based_config)
    print('Configured JSON based authentication')


def set_user_auth_config():
    user = 'Test User'
    username = '[email protected]'
    password = 'testtest'
    user_id = zap.users.new_user(context_id, user)
    user_auth_config = 'username=' + urllib.parse.quote(username) + '&password=' + urllib.parse.quote(password)
    zap.users.set_authentication_credentials(context_id, user_id, user_auth_config)
    # A new user is disabled until enabled explicitly
    zap.users.set_user_enabled(context_id, user_id, 'true')
    return user_id


def add_script():
    # HTTP sender script that attaches the JWT returned by the login to later requests;
    # the file must exist on the machine running ZAP
    script_name = 'jwtScript.js'
    script_type = 'httpsender'
    script_engine = 'Oracle Nashorn'
    file_name = '/tmp/jwtScript.js'
    zap.script.load(script_name, script_type, script_engine, file_name)


set_include_in_context()
add_script()
set_json_based_auth()
set_logged_in_indicator()
set_user_auth_config()
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

public class JSONAuth {

    private static final String ZAP_ADDRESS = "localhost";
    private static final int ZAP_PORT = 8090;
    private static final String ZAP_API_KEY = null;
    private static final String contextId = "1";
    private static final String target = "http://localhost:3000";

    private static void setJSONBasedAuthentication(ClientApi clientApi) throws ClientApiException, UnsupportedEncodingException {
        String loginUrl = "http://localhost:3000/rest/user/login";
        // JSON-based authentication takes the login body as JSON; the placeholders go
        // inside the attributes that carry the credentials (Juice Shop expects "email").
        String loginRequestData = "{\"email\":\"{%username%}\",\"password\":\"{%password%}\"}";
        // Prepare the configuration in a format similar to how URL parameters are formed. This
        // means that any value we add for the configuration values has to be URL encoded.
        StringBuilder jsonBasedConfig = new StringBuilder();
        jsonBasedConfig.append("loginUrl=").append(URLEncoder.encode(loginUrl, "UTF-8"));
        jsonBasedConfig.append("&loginRequestData=").append(URLEncoder.encode(loginRequestData, "UTF-8"));
        System.out.println("Setting JSON based authentication configuration as: " + jsonBasedConfig.toString());
        clientApi.authentication.setAuthenticationMethod(contextId, "jsonBasedAuthentication", jsonBasedConfig.toString());
        // Check if everything is set up ok
        System.out.println("Authentication config: " + clientApi.authentication.getAuthenticationMethod(contextId).toString(0));
    }

    private static String setUserAuthConfig(ClientApi clientApi) throws ClientApiException, UnsupportedEncodingException {
        // Prepare info
        String user = "Test User";
        String username = "[email protected]";
        String password = "testtest";
        // Make sure we have at least one user
        String userId = extractUserId(clientApi.users.newUser(contextId, user));
        // Prepare the configuration in a format similar to how URL parameters are formed. This
        // means that any value we add for the configuration values has to be URL encoded.
        StringBuilder userAuthConfig = new StringBuilder();
        userAuthConfig.append("username=").append(URLEncoder.encode(username, "UTF-8"));
        userAuthConfig.append("&password=").append(URLEncoder.encode(password, "UTF-8"));
        System.out.println("Setting user authentication configuration as: " + userAuthConfig.toString());
        clientApi.users.setAuthenticationCredentials(contextId, userId, userAuthConfig.toString());
        clientApi.users.setUserEnabled(contextId, userId, "true");
        // Forced user mode makes every request (including the spider's) go out as this user
        clientApi.forcedUser.setForcedUser(contextId, userId);
        clientApi.forcedUser.setForcedUserModeEnabled(true);
        // Check if everything is set up ok
        System.out.println("Authentication config: " + clientApi.users.getUserById(contextId, userId).toString(0));
        return userId;
    }

    private static void addScript(ClientApi clientApi) throws ClientApiException {
        // The HTTP Sender script captures the JWT from the login response and adds it
        // as an Authorization header to the requests that follow.
        String script_name = "jwtScript.js";
        String script_type = "httpsender";
        String script_engine = "Oracle Nashorn";
        String file_name = "/tmp/jwtScript.js";
        clientApi.script.load(script_name, script_type, script_engine, file_name, null);
    }

    private static void scanAsUser(ClientApi clientApi, String userId) throws ClientApiException {
        clientApi.spider.scanAsUser(contextId, userId, target, null, "true", null);
    }

    private static String extractUserId(ApiResponse response) {
        return ((ApiResponseElement) response).getValue();
    }

    /**
     * The main method.
     *
     * @param args the arguments
     * @throws ClientApiException
     * @throws UnsupportedEncodingException
     */
    public static void main(String[] args) throws ClientApiException, UnsupportedEncodingException {
        ClientApi clientApi = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);
        addScript(clientApi);
        setJSONBasedAuthentication(clientApi);
        String userId = setUserAuthConfig(clientApi);
        scanAsUser(clientApi, userId);
    }
}
# To add the HTTP Sender script (the file path must be readable by the ZAP process)
curl 'http://localhost:8080/JSON/script/action/load/?scriptName=jwtScript.js&scriptType=httpsender&scriptEngine=Oracle+Nashorn&fileName=%2Ftmp%2FjwtScript.js&scriptDescription=&charset=UTF-8'
# To enable the script (HTTP Sender scripts only run while enabled)
curl 'http://localhost:8080/JSON/script/action/enable/?scriptName=jwtScript.js'
# To add the target to the default context (the regex here is an example covering everything under the target)
curl 'http://localhost:8080/JSON/context/action/includeInContext/?contextName=Default+Context&regex=http%3A%2F%2Flocalhost%3A3000.*'
# To set up JSON based authentication. authMethodConfigParams is itself a query string
# (loginUrl=...&loginRequestData=...), so the values inside it are URL encoded a second time.
curl 'http://localhost:8080/JSON/authentication/action/setAuthenticationMethod/?contextId=1&authMethodName=jsonBasedAuthentication&authMethodConfigParams=loginUrl%3Dhttp%253A%252F%252Flocalhost%253A3000%252Frest%252Fuser%252Flogin%26loginRequestData%3D%257B%2522email%2522%253A%2522%257B%2525username%2525%257D%2522%252C%2522password%2522%253A%2522%257B%2525password%2525%257D%2522%257D'
# To set the logged in indicator (the regex must match something that appears only in authenticated responses of the target; replace the value accordingly)
curl 'http://localhost:8080/JSON/authentication/action/setLoggedInIndicator/?contextId=1&loggedInIndicatorRegex=%5CQ%3Ca+href%3D%22logout.jsp%22%3ELogout%3C%2Fa%3E%5CE'
# To create a user (The first user id is: 0)
curl 'http://localhost:8080/JSON/users/action/newUser/?contextId=1&name=Test+User'
# To add the credentials for the user (the same ones used when registering the user)
curl 'http://localhost:8080/JSON/users/action/setAuthenticationCredentials/?contextId=1&userId=0&authCredentialsConfigParams=username%3Dtest%40example.com%26password%3Dtesttest'
# To enable the user
curl 'http://localhost:8080/JSON/users/action/setUserEnabled/?contextId=1&userId=0&enabled=true'
# To set forced user
curl 'http://localhost:8080/JSON/forcedUser/action/setForcedUser/?contextId=1&userId=0'
# To enable forced user mode
curl 'http://localhost:8080/JSON/forcedUser/action/setForcedUserModeEnabled/?boolean=true'
The following example performs JSON-based authentication, with the help of an HTTP Sender script, for the OWASP Juice Shop. Juice Shop is a modern application and, contrary to the previous examples, the protected resources are accessed by sending an Authorization header carrying a JSON Web Token (JWT) rather than a session cookie.
Setup Target Application
Use the following docker command to start the OWASP Juice Shop.
docker run -d -p 3000:3000 bkimminich/juice-shop
Register User
Register a user in the application by navigating to the following URL: http://localhost:3000/#/register. For the purpose of this example, use the following information.
- Email: [email protected]
- Password: testtest
- Security Question: select "Your eldest sibling's middle name" and enter any text as the answer
Login
After registering the user, browse (proxied via ZAP) to http://localhost:3000/#/login and log in to the application. When you log in, the request is added to the History tab in ZAP.
Search for the POST request to the following URL: http://localhost:3000/rest/user/login.
Right-click on the POST request and select the Flag as Context -> Default Context : JSON-based Auth Login Request option. This opens the context authentication editor.
Notice that it has auto-selected JSON-based authentication and auto-filled the login URL and the POST data. Select the JSON attributes that carry the username and password (email and password for Juice Shop) in the dropdowns and click OK. The following image shows the completed Authentication tab of the context editor.
Exit the context editor and go back to the login request. Notice that the login response has no Set-Cookie header; the authentication data is returned in the response body instead.
The request that follows is GET http://localhost:3000/rest/user/whoami, which carries an Authorization header containing the token from the response body of the login request. In the response body you should see some info about your user: {"user":{"id":1,"email":"[email protected]"}}. If you visit that URL directly with your browser, the content of the page is {"user":{}}: the Authorization header is not added to the request, so the request is not authenticated.
This request is made as a client-side AJAX call that authenticates with a JSON Web Token (JWT) in the Authorization header. ZAP's session management currently has no notion of the Authorization header, so this is where ZAP's scripting engine comes into play: with it, we can add to or augment ZAP's functionality.
Add the Script
In the left sidebar, next to Sites, click + and add Scripts; this brings the Scripts tree into focus in the sidebar. Drill into Scripting > Scripts > HTTP Sender, right-click on HTTP Sender and select New Script from the context menu. Name the script jwtScript.js and set the Script Engine to ECMAScript (do not check the box that says enable).
Now that we have that script set up, let's test it. Visit the login page http://localhost:3000/#/login with the browser launched from ZAP and log in with your test account. After you log in, the Script Console tab in ZAP should show a message that says Capturing token for JWT.
Now visit http://localhost:3000/rest/user/whoami directly in the browser: you get JSON data with the user, {"user":{"id":9,"email":"[email protected]"}}. Back in the Script Console you will see that the script added the header.
Now that we have a script ensuring the requests carry the right headers and cookies for authentication, let's try spidering the application again, with the same settings used earlier in the AJAX Spider Settings. Once the scan starts, look at the browser running the scan: the user is logged in (the Logout and Your Basket links are visible), and the AJAX Spider picks up new paths that it could not find before.
Steps to Reproduce via API
Use the script endpoint to load the script file. Thereafter the configuration is very similar to the form-based authentication with the Bodgeit application: use the includeInContext API to add the URL to the default context, use setAuthenticationMethod to set up the JSON-based authentication method and its configuration parameters, and finally use the users API to create the test user and set its credentials. Refer to the script in the right column for how to use the above APIs.
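The tutorial names the HTTP Sender script but does not reproduce its contents. The following script is an added example written for this page, not the tutorial's own script or one from the ZAP project's script repository. It assumes that Juice Shop answers POST /rest/user/login with {"authentication":{"token":"<jwt>", ...}} and that its protected endpoints accept Authorization: Bearer <jwt>; the global variable name juiceshop.jwt and the origin check are choices of this example. Two points the tutorial leaves implicit: the script only runs while it is enabled in the Scripts tree, and the token is attached only to requests for the Juice Shop origin, so the JWT is not sent to third-party hosts that the spider may follow links to.

```javascript
// jwtScript.js: an HTTP Sender script for ZAP (ECMAScript, written as ES5 so it
// runs under Oracle Nashorn). Added example for this page, not the tutorial's script.
// Assumptions: Juice Shop returns {"authentication":{"token":"<jwt>", ...}} from
// POST /rest/user/login, and protected endpoints accept "Authorization: Bearer <jwt>".

var TARGET_ORIGIN = 'http://localhost:3000';
var LOGIN_PATH = '/rest/user/login';
var TOKEN_VAR = 'juiceshop.jwt'; // key in ZAP's global variable store (example's choice)

// Pull the JWT out of a login response body. Returns null for anything that is not a
// successful login response, so a failed login never replaces a good token.
function extractToken(body) {
  try {
    var parsed = JSON.parse(body);
    if (parsed && parsed.authentication && typeof parsed.authentication.token === 'string') {
      return parsed.authentication.token;
    }
  } catch (e) {
    // Not JSON (for example an HTML error page): nothing to capture.
  }
  return null;
}

function isLoginRequest(url) {
  return url.indexOf(TARGET_ORIGIN + LOGIN_PATH) === 0;
}

// Attach the token only to requests for the target origin, and never to the login
// request itself. The origin check keeps the JWT from leaking to other hosts.
function needsToken(url, token) {
  if (token === null || token === undefined || token === '') return false;
  if (url.indexOf(TARGET_ORIGIN + '/') !== 0) return false;
  return !isLoginRequest(url);
}

// ZAP's global variable store persists across script invocations. In Nashorn the
// Java class is reachable through its package name.
function store() {
  return org.zaproxy.zap.extension.script.ScriptVars;
}

// Called by ZAP for every response: capture the token from the login response.
function responseReceived(msg, initiator, helper) {
  var url = msg.getRequestHeader().getURI().toString();
  if (!isLoginRequest(url)) return;
  var token = extractToken(msg.getResponseBody().toString());
  if (token !== null) {
    print('Capturing token for JWT');
    store().setGlobalVar(TOKEN_VAR, token);
  }
}

// Called by ZAP for every request it is about to send (browser traffic, spider,
// active scan): add the captured token as a bearer Authorization header.
function sendingRequest(msg, initiator, helper) {
  var url = msg.getRequestHeader().getURI().toString();
  var token = store().getGlobalVar(TOKEN_VAR);
  if (needsToken(url, token)) {
    print('Adding Authorization header for ' + url);
    msg.getRequestHeader().setHeader('Authorization', 'Bearer ' + token);
  }
}
```

Save it as /tmp/jwtScript.js and load it with the script API as shown in the right column (scriptType httpsender, engine Oracle Nashorn), then enable it. Because the token lives in a global variable, it also survives a ZAP session change; log in again to refresh it when Juice Shop's JWT expires.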
Advanced Settings
The following section shows advanced configurations of the APIs.
Spider Settings
The following image shows the advanced configurations tab of Spider in the desktop UI.
Use the setOptionMaxDepth API to set the maximum depth the spider can crawl, where 0 refers to unlimited depth. The setOptionMaxChildren API sets the maximum number of child nodes (per node) that can be crawled, where 0 means no limit. The setOptionMaxDuration API can be used to set the maximum duration the Spider will run. Use the setOptionMaxParseSizeBytes API to limit the amount of data parsed by the spider. This allows the spider to skip big responses/files.
View the Spider section in the API Catalogue for additional APIs.
Ajax Spider Settings
The following image shows the advanced configurations tab of Ajax Spider in the desktop UI.
Similar to the Spider API, the Ajax Spider also provides APIs to set the maximum depth, the maximum crawl states, and the maximum duration.
Passive Scan Settings
The scanning rules can be enabled/disabled using the enableScanners and disableScanners APIs. Also use the setScanOnlyInScope API to limit the passive scanning to a scope. View the advanced section to learn how to configure a context or scope using ZAP APIs.
Passive scanning can also be used to automatically add tags and raise alerts for potential issues. A set of rules for automatic tagging are provided by default. These can be changed, deleted or added to via the Options Passive Scan Tags Screen.
Active Scan Settings
General Options
The general options for Active Scan can be configured using the options tab in the desktop UI shown below.
Use the setOptionMaxScanDurationInMins API to limit the duration of scan and setOptionMaxRuleDurationInMins API to limit the time of individual active scan rules. This can be used to prevent rules from running for an excessive amount of time.
Use the setOptionHostPerScan API to set the maximum number of hosts that will be scanned at the same time. Furthermore, use the setOptionThreadPerHost API to set the number of threads the scanner will use per host. Increasing both of these values will reduce the active scanning time but this may put extra strain on the server ZAP is running on.
Use the setOptionDelayInMs API to delay each request from ZAP in milliseconds. Setting this to a non zero value will increase the time an active scan takes, but will put less of a strain on the target host. View the Active Scan section in the API Catalogue for additional information regarding the APIs.
Input Vectors
Input vectors are the elements that the Active Scan will target. Specifying the exact elements to target improves both the scanning time and the accuracy of the results. Each option is a bit flag, and the API takes the sum of the selected flags. For example, for the following configuration, optionTargetParamsInjectable and optionTargetParamsEnabledRPC yield the values 11 and 39, which decompose as follows:
- 1+2+8 = 11 [Query String (1), Post Data (2), HTTP Headers (8)]
- 1+2+4+32 = 39 [Multipart (1), XML (2), JSON (4), DWR (32)]
Thus, to change the Injectable Targets and Input Vector Handlers, calculate the exact values and use the setOptionTargetParamsInjectable and setOptionTargetParamsEnabledRPC APIs accordingly.
The Add URL query parameter option under Injectable Targets sets whether or not the active scanner should add a query parameter to GET requests that have no parameters to start with. This option can be enabled using the setOptionAddQueryParam API.
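As an added example (not code from the ZAP docs or the ZAP project), the following script computes the integer for a set of option names, decodes an integer read back from the optionTargetParamsInjectable or optionTargetParamsEnabledRPC view into names, and builds the setOption* URLs. The bit values for the seven options the text decomposes come from the page; the bits for Cookie (4), URL Path (16), GWT (8), OData (16), and Custom (64) are the constants in ZAP's ScannerParam class and are an assumption of this example, as is the apikey query parameter. The setOption* integer actions take their value in the Integer parameter, the same naming scheme as the Boolean parameter used by setOptionPartialMatchingEnabled in the catalogue below.

```javascript
// Added example: bit flags behind setOptionTargetParamsInjectable and
// setOptionTargetParamsEnabledRPC. Values for Query String, Post Data, HTTP Headers,
// Multipart, XML, JSON and DWR are the ones decomposed in the text above; the other
// entries are assumed from ZAP's ScannerParam constants.
var INJECTABLE = {
  'Query String': 1,
  'Post Data': 2,
  'Cookie': 4,        // assumed (ScannerParam.TARGET_COOKIE)
  'HTTP Headers': 8,
  'URL Path': 16      // assumed (ScannerParam.TARGET_URLPATH)
};

var RPC_HANDLERS = {
  'Multipart': 1,
  'XML': 2,
  'JSON': 4,
  'GWT': 8,           // assumed (ScannerParam.RPC_GWT)
  'OData': 16,        // assumed (ScannerParam.RPC_ODATA)
  'DWR': 32,
  'Custom': 64        // assumed (ScannerParam.RPC_CUSTOM)
};

// Sum the flags for the named options; unknown names are an error rather than a silent 0.
function encodeMask(table, names) {
  var mask = 0;
  names.forEach(function (name) {
    if (!Object.prototype.hasOwnProperty.call(table, name)) {
      throw new Error('Unknown option: ' + name);
    }
    mask |= table[name];
  });
  return mask;
}

// Turn a value read back from the view API into option names. Bits not in the table
// (for example from a newer ZAP release) are reported instead of being dropped.
function decodeMask(table, mask) {
  var names = [];
  var covered = 0;
  Object.keys(table).forEach(function (name) {
    if (mask & table[name]) {
      names.push(name);
      covered |= table[name];
    }
  });
  if (covered !== mask) {
    throw new Error('Mask ' + mask + ' has bits outside the known options');
  }
  return names;
}

// Build the API URL for an ascan setOption* integer action.
function buildSetOptionUrl(zapBase, action, value, apiKey) {
  var url = new URL('/JSON/ascan/action/' + action + '/', zapBase);
  url.searchParams.set('Integer', String(value));
  if (apiKey) url.searchParams.set('apikey', apiKey);
  return url.toString();
}

// The configuration from the text: query string, POST data and headers as injectable
// targets; multipart, XML, JSON and DWR as input vector handlers.
var injectable = encodeMask(INJECTABLE, ['Query String', 'Post Data', 'HTTP Headers']);
var rpc = encodeMask(RPC_HANDLERS, ['Multipart', 'XML', 'JSON', 'DWR']);
console.log(injectable, decodeMask(INJECTABLE, injectable));
console.log(rpc, decodeMask(RPC_HANDLERS, rpc));
console.log(buildSetOptionUrl('http://localhost:8080', 'setOptionTargetParamsInjectable', injectable, 'changeMe'));
console.log(buildSetOptionUrl('http://localhost:8080', 'setOptionTargetParamsEnabledRPC', rpc, 'changeMe'));
```

Decoding before changing a value is worth the extra call: reading the current mask from the view, decoding it, and re-encoding with only the wanted names changed avoids accidentally dropping targets such as Cookie or URL Path that another team member enabled.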
Technology
The Technology tab allows you to specify which types of technologies to scan. Un-selecting technologies that you know are not present in the target application may speed up the scan, as rules which target that technology can skip those tests. For example, if the target web application does not have a database, then removing the database technologies will improve the performance of the Active Scan.
Use the includeContextTechnologies and excludeContextTechnologies API endpoints to include and exclude the technology list from the context.
Policy
A scan policy defines exactly which rules are run as part of an active scan. It also defines how these rules run influencing how many requests are made and how likely potential issues are to be flagged. You can define as many scan policies as you like and select the most appropriate one when you start the scan via the Active Scan.
The Policy tab shown in the above image allows you to override any of the settings specified in the selected scan policy.
Contributions Welcome!
Contributions are welcome! There are many ways you can contribute to ZAP, both as a user and as a developer.
1. Creating High-level API/Automation Docs
Create high level docs or example guides on how to use the APIs to perform any action/view with ZAP.
The source files for the ZAP API documentation are hosted on GitHub, in Markdown (md) format.
2. REST API Documentation
ZAP's REST API is documented using the OpenAPI specification. The specification could be improved by enhancing the descriptions of parameters, results, data types, and so on. The OpenAPI specification is available via GitHub.
3. Feature Documentation
Feature documentation related to ZAP is available on ZAP wiki, ZAP user guide, and ZAP extensions repositories.
How to Contribute
The ZAP API documentation is developed according to the docs-as-code philosophy. The most direct and effective way to contribute to the docs is to submit a pull request (PR) or raise an issue in the GitHub repository containing the docs content that you want to change.
There are two different workflows which you can use to make changes or PRs. Use whichever you are most comfortable with!
1. "Edit this File on GitHub"
You can edit the documentation in the browser by navigating to the relevant source file and clicking the edit this file button. This workflow is recommended for minor changes, for example correcting typos, spelling, or grammar. For extensive changes, please use the local setup and editing option.
2. Local Setup and Editing
You can fork the repository on GitHub and submit the changes via pull requests. Please see the local setup for API docs section to setup and render the docs locally.
Local Setup for API Docs
ZAP uses git for its code repository. To submit a documentation update, use the following steps:
1. Clone the ZAP Docs repository:
git clone https://github.com/zaproxy/zap-api-docs
2. Navigate to the cloned repository:
cd zap-api-docs
3. Use the following guide to install Ruby
4. To install the dependencies: $ bundle install
5. To start the server: $ bundle exec middleman server
Documentation Style
This style guide provides a set of editorial guidelines for anyone writing documentation for ZAP.
General Guidelines
Check the grammar and spelling before sending the pull request. Most modern editors come with a spell check option or plugin.
Use a friendly and conversational tone. Always use simple sentences. If a sentence is lengthy, try to break it into smaller sentences. Also avoid sentences with complicated words or jargon.
Write positively and avoid using negative sentences.
- Recommended: Read this documentation to get familiar with the Spider.
- Not Recommended: If you are not familiar with the Spider, then read this documentation.
The documentation should be neutral, without judgments or opinions. For example, words like "easily" or "simple" come with a lot of assumptions. Things that are easy for you might be difficult for another person. Avoid this type of wording when contributing to the documentation.
Language and Grammar
Abbreviation
Spell out an abbreviation or acronym the first time you introduce it. If the abbreviation is well known, such as API, ZAP, or HTML, you can use it without spelling it out first.
Active Voice
In general, use the active voice rather than the passive voice. A sentence written in the active voice emphasizes the person or thing performing the action (e.g. "The dog chased the ball"). In contrast, the passive voice highlights the recipient of the action ("The ball was chased by the dog"). Therefore, use the passive voice only when it is less important who or what completed the action and more important that the action was completed. For example:
- Recommended: The Spider crawls the URLs.
- Not recommended: The URLs are crawled by the Spider.
Gender References
Use gender-neutral pronouns (they/their/them) when referring to a hypothetical person such as "a user with a logged in session". For example:
- instead of he or she, use they;
- instead of him or her, use them;
- instead of his or her, use their;
- instead of his or hers, use theirs;
- instead of himself or herself, use themselves.
Method Description
When you're writing reference documentation for a method, phrase the main method description in terms of what it does ("Gets," "Starts," "Creates," "Lists"), rather than what the developer would use it to do ("Get," "Start," "Create," "List").
- Recommended: action.scan: Starts the Spider on the specified URL.
- Not recommended: action.scan: Start the Spider on the specified URL.
Second Person
In general, use second person in your docs rather than first person. For example:
- Recommended: You are recommended to use the Spider.
- Not Recommended: We recommend to use the Spider.
Spellings
Use American spellings when contributing to the documentation.
Formatting
Capitalization:
- Use the Chicago manual for capitalization rules for the documentation.
- For section titles, capitalize the first letter of each word except for closed-class words such as determiners, pronouns, conjunctions, and prepositions. Use the following link for guidance.
- Recommended: The Spider Tutorial with APIs
- For normal sentences don't capitalize random words in the middle of the sentences.
Number formatting
- In general, spell out a number if it starts a sentence, is less than ten, or is an ordinal number.
- Recommended: Seventeen requests have been intercepted by the passive scanner.
- Recommended: The passive scan showed nine warnings.
- Recommended: The fifth alert was a high priority alert.
- Use numerals for numbers greater than ten, for fractions, and for numbers with units.
- Recommended: The active scanner detected 24 issues.
- Recommended: The scanner took 23.4 seconds to complete the crawling.
Punctuation
Commas
- Use the Oxford comma when writing a list of three or more items.
- Recommended: The API can return the results in XML, JSON, and HTML.
- Not Recommended: The API can return the results in XML, JSON and HTML.
Periods
- Do not add a period to headings or titles.
- Avoid using periods at the end of URLs. Try to modify the sentence so the URL can be in the middle of the sentence.
Markdown Syntax
The API docs are created using standard markdown files. This section contains information regarding the syntax and linting of the Markdown files. Refer to the Slate documentation. Also refer to this document to properly lint the Markdown files.
Writing Code
Inline Code
Put backticks around the following symbols when used in text:
- Data types: `json`, `xml`, `html`
- File names: `test.py`, `/path-to-your-data/xml/example-name`
Code Block
Use three back ticks to open and close a code block. Specify the programming language after the first backtick group.
The documentation currently supports the python, java, and shell languages.
Troubleshooting
This section explains how to troubleshoot issues that might occur when interacting with the ZAP API.
Enable Useful Dev Options
While developing scripts/programs that interact with the ZAP API, it is recommended that the following ZAP API options (Options > API in the desktop UI) are enabled, to have more information about possible errors:
- Report permission errors via API
- Report error details via API
The API response will then contain the details about why the API request was rejected or was not successful. Keep both options off on a ZAP instance reachable from other machines: the details are returned to callers that have not presented a valid API key, so they would tell an unauthorized client how the API is configured.
Common Errors
Wrong API Key or Address Not Allowed
//org.zaproxy.clientapi.core.ClientApiException: java.net.SocketException: Unexpected end of file from server
// at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.java:366)
// at org.zaproxy.clientapi.core.ClientApi.callApi(ClientApi.java:350)
// at org.zaproxy.clientapi.gen.Spider.scan(Spider.java:242)
requests.exceptions.ProxyError: HTTPConnectionPool(host='127.0.0.1', port=8080): Max retries exceeded with
url: http://zap/JSON/spider/action/scan/?apikey=changeMe&url=https%3A%2F%2Fexample.com
(Caused by ProxyError('Cannot connect to proxy.', RemoteDisconnected('Remote end closed connection without response')))
By default, ZAP closes the connection without a response if an API request does not come from an allowed address or the API key is wrong. If you get exceptions similar to the ones shown, ensure that the API client is using the correct API key and that its address is allowed (both are configured under Options > API).
No Connection to ZAP
//org.zaproxy.clientapi.core.ClientApiException: java.net.ConnectException: Connection refused: connect
// at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.java:366)
// at org.zaproxy.clientapi.core.ClientApi.callApi(ClientApi.java:350)
// at org.zaproxy.clientapi.gen.Spider.scan(Spider.java:242)
// at ZAP_tests.Spider.main(Spider.java:25)
requests.exceptions.ProxyError: HTTPConnectionPool(host='127.0.0.1', port=8080): Max retries exceeded with
url: http://zap/JSON/spider/action/scan/?apikey=changeMe&url=https%3A%2F%2Fexample.com
(Caused by ProxyError('Cannot connect to proxy.', NewConnectionError('<urllib3.connection.HTTPConnection object at
0x101be78e0>: Failed to establish a new connection: [Errno 61] Connection refused')))
There are several reasons why the API client might not be able to connect to ZAP:
- ZAP is not yet started (some clients have methods to wait for ZAP);
- ZAP is not listening on the address; for example, if the API client connects from an external machine then ZAP has to listen on the external address (or on all addresses, 0.0.0.0);
- the API client is not configured with the correct address/port.
Error: No Implementor
If you come across the No Implementor error while invoking the APIs, check that the necessary add-on or component is installed and enabled. For example, if you receive "no_implementor" in relation to Ajax Spider calls, the Ajax Spider add-on is probably not installed.
API Catalogue
Scroll down for code samples, example requests and responses. Select a language for code samples from the tabs above or the mobile navigation menu.
The HTTP API for controlling and accessing ZAP.
Base URLs:
- address - The address ZAP is listening on. Default: 127.0.0.1
- port - The port ZAP is bound to. Default: 8080
Email: ZAP User Group. Web: ZAP User Group. License: Apache 2.0
accessControl
accessControlActionScan
Code samples
# You can also use wget
curl -X GET 'http://zap/JSON/accessControl/action/scan/?contextId=string&userId=string' \
  -H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/accessControl/action/scan/?contextId=string&userId=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/accessControl/action/scan/', params={
'contextId': 'string', 'userId': 'string'
}, headers = headers)
print(r.json())
GET /JSON/accessControl/action/scan/
Starts an Access Control scan with the given context ID and user ID. (Optional parameters: user ID for the unauthenticated user, a boolean identifying whether or not alerts are raised, and the risk level for the alerts.) This assumes the Access Control rules were previously established via the ZAP GUI and the necessary context exported/imported.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
contextId | query | string | true | none |
userId | query | string | true | none |
scanAsUnAuthUser | query | string | false | none |
raiseAlert | query | string | false | none |
alertRiskLevel | query | string | false | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
accessControlActionWriteHTMLreport
Code samples
# You can also use wget
curl -X GET 'http://zap/JSON/accessControl/action/writeHTMLreport/?contextId=string&fileName=string' \
  -H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/accessControl/action/writeHTMLreport/?contextId=string&fileName=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/accessControl/action/writeHTMLreport/', params={
'contextId': 'string', 'fileName': 'string'
}, headers = headers)
print(r.json())
GET /JSON/accessControl/action/writeHTMLreport/
Generates an Access Control report for the given context ID and saves it based on the provided filename (path).
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
contextId | query | string | true | none |
fileName | query | string | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
accessControlViewGetScanProgress
Code samples
# You can also use wget
curl -X GET http://zap/JSON/accessControl/view/getScanProgress/?contextId=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/accessControl/view/getScanProgress/?contextId=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/accessControl/view/getScanProgress/', params={
'contextId': 'string'
}, headers = headers)
print(r.json())
GET /JSON/accessControl/view/getScanProgress/
Gets the Access Control scan progress (percentage integer) for the given context ID.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
contextId | query | string | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
accessControlViewGetScanStatus
Code samples
# You can also use wget
curl -X GET http://zap/JSON/accessControl/view/getScanStatus/?contextId=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/accessControl/view/getScanStatus/?contextId=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/accessControl/view/getScanStatus/', params={
'contextId': 'string'
}, headers = headers)
print(r.json())
GET /JSON/accessControl/view/getScanStatus/
Gets the Access Control scan status (description string) for the given context ID.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
contextId | query | string | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
acsrf
acsrfActionAddOptionToken
Code samples
# You can also use wget
curl -X GET http://zap/JSON/acsrf/action/addOptionToken/?String=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/acsrf/action/addOptionToken/?String=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/acsrf/action/addOptionToken/', params={
'String': 'string'
}, headers = headers)
print(r.json())
GET /JSON/acsrf/action/addOptionToken/
Adds an anti-CSRF token with the given name, enabled by default
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
String | query | string | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
acsrfActionRemoveOptionToken
Code samples
# You can also use wget
curl -X GET http://zap/JSON/acsrf/action/removeOptionToken/?String=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/acsrf/action/removeOptionToken/?String=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/acsrf/action/removeOptionToken/', params={
'String': 'string'
}, headers = headers)
print(r.json())
GET /JSON/acsrf/action/removeOptionToken/
Removes the anti-CSRF token with the given name
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
String | query | string | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
acsrfActionSetOptionPartialMatchingEnabled
Code samples
# You can also use wget
curl -X GET http://zap/JSON/acsrf/action/setOptionPartialMatchingEnabled/?Boolean=true \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/acsrf/action/setOptionPartialMatchingEnabled/?Boolean=true");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/acsrf/action/setOptionPartialMatchingEnabled/', params={
'Boolean': 'true'
}, headers = headers)
print(r.json())
GET /JSON/acsrf/action/setOptionPartialMatchingEnabled/
Sets whether ZAP should detect anti-CSRF tokens by partial matching: when enabled, a form field is treated as a token if its name contains one of the configured token names, rather than only when it matches one exactly.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Boolean | query | boolean | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
acsrfOtherGenForm
Code samples
# You can also use wget
curl -X GET http://zap/OTHER/acsrf/other/genForm/?hrefId=string \
-H 'Accept: */*'
URL obj = new URL("http://zap/OTHER/acsrf/other/genForm/?hrefId=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': '*/*'
}
r = requests.get('http://zap/OTHER/acsrf/other/genForm/', params={
'hrefId': 'string'
}, headers = headers)
print(r.content)
GET /OTHER/acsrf/other/genForm/
Generates an HTML form that re-submits the parameters of the request identified by hrefId from a page outside the application, so you can check in an authenticated browser whether the application accepts a cross-site submission; typically invoked from the ZAP UI. The response is the HTML of the form rather than JSON, which is why this is an OTHER endpoint.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
hrefId | query | string | true | Define which request will be used |
actionUrl | query | string | false | Define the action URL to be used in the generated form |
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of OTHER endpoints. | None |
acsrfViewOptionPartialMatchingEnabled
Code samples
# You can also use wget
curl -X GET http://zap/JSON/acsrf/view/optionPartialMatchingEnabled/ \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/acsrf/view/optionPartialMatchingEnabled/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/acsrf/view/optionPartialMatchingEnabled/', headers = headers)
print(r.json())
GET /JSON/acsrf/view/optionPartialMatchingEnabled/
Returns whether ZAP detects anti-CSRF tokens by partial matching (the setting changed by setOptionPartialMatchingEnabled).
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
acsrfViewOptionTokensNames
Code samples
# You can also use wget
curl -X GET http://zap/JSON/acsrf/view/optionTokensNames/ \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/acsrf/view/optionTokensNames/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/acsrf/view/optionTokensNames/', headers = headers)
print(r.json())
GET /JSON/acsrf/view/optionTokensNames/
Lists the names of all configured anti-CSRF tokens.
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpider
ajaxSpiderActionAddAllowedResource
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/addAllowedResource/?regex=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ajaxSpider/action/addAllowedResource/?regex=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/action/addAllowedResource/', params={
'regex': 'string'
}, headers = headers)
print(r.json())
GET /JSON/ajaxSpider/action/addAllowedResource/
Adds an allowed resource: a regular expression for URLs that the AJAX Spider may still load when they fall outside the scope or context being crawled, typically the scripts and stylesheets the pages depend on.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
regex | query | string | true | The regular expression of the allowed resource. |
enabled | query | string | false | If the allowed resource should be enabled or not. |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderActionAddExcludedElement
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/addExcludedElement/?contextName=string&description=string&element=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ajaxSpider/action/addExcludedElement/?contextName=string&description=string&element=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/action/addExcludedElement/', params={
'contextName': 'string', 'description': 'string', 'element': 'string'
}, headers = headers)
print(r.json())
GET /JSON/ajaxSpider/action/addExcludedElement/
Adds an excluded element to a context: an HTML element that the AJAX Spider must not interact with while crawling that context, for example a logout link or a "delete account" button. The element is identified by its tag name plus any of xpath, text or attribute name and value.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
contextName | query | string | true | The name of the context. |
description | query | string | true | The description of the excluded element. |
element | query | string | true | The tag name of the element to exclude, for example a or button. |
xpath | query | string | false | The XPath of the element. |
text | query | string | false | The text of the element. |
attributeName | query | string | false | The attribute name of the element. |
attributeValue | query | string | false | The attribute value of the element. |
enabled | query | string | false | The enabled state, true or false. |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderActionModifyExcludedElement
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/modifyExcludedElement/?contextName=string&description=string&element=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ajaxSpider/action/modifyExcludedElement/?contextName=string&description=string&element=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/action/modifyExcludedElement/', params={
'contextName': 'string', 'description': 'string', 'element': 'string'
}, headers = headers)
print(r.json())
GET /JSON/ajaxSpider/action/modifyExcludedElement/
Modifies an excluded element of a context.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
contextName | query | string | true | The name of the context. |
description | query | string | true | The description of the excluded element. |
element | query | string | true | The element to exclude. |
descriptionNew | query | string | false | The new description. |
xpath | query | string | false | The XPath of the element. |
text | query | string | false | The text of the element. |
attributeName | query | string | false | The attribute name of the element. |
attributeValue | query | string | false | The attribute value of the element. |
enabled | query | string | false | The enabled state, true or false. |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderActionRemoveAllowedResource
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/removeAllowedResource/?regex=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ajaxSpider/action/removeAllowedResource/?regex=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/action/removeAllowedResource/', params={
'regex': 'string'
}, headers = headers)
print(r.json())
GET /JSON/ajaxSpider/action/removeAllowedResource/
Removes an allowed resource.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
regex | query | string | true | The regular expression of the allowed resource. |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderActionRemoveExcludedElement
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/removeExcludedElement/?contextName=string&description=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ajaxSpider/action/removeExcludedElement/?contextName=string&description=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/action/removeExcludedElement/', params={
'contextName': 'string', 'description': 'string'
}, headers = headers)
print(r.json())
GET /JSON/ajaxSpider/action/removeExcludedElement/
Removes an excluded element from a context.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
contextName | query | string | true | The name of the context. |
description | query | string | true | The description of the excluded element. |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderActionScan
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/scan/ \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ajaxSpider/action/scan/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/action/scan/', headers = headers)
print(r.json())
GET /JSON/ajaxSpider/action/scan/
Runs the AJAX Spider against a given target.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
url | query | string | false | The starting URL (needs to include the 'scheme'). |
inScope | query | string | false | A boolean (true/false) indicating whether or not the scan should be restricted to 'inScope' only resources (default value is false). |
contextName | query | string | false | The name for any defined context. If the value does not match a defined context then an error will occur. |
subtreeOnly | query | string | false | A boolean (true/false) indicating whether or not the crawl should be constrained to a specific path (default value is false). |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderActionScanAsUser
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/scanAsUser/?contextName=string&userName=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ajaxSpider/action/scanAsUser/?contextName=string&userName=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/action/scanAsUser/', params={
'contextName': 'string', 'userName': 'string'
}, headers = headers)
print(r.json())
GET /JSON/ajaxSpider/action/scanAsUser/
Runs the AJAX Spider from the perspective of a User of the web application.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
contextName | query | string | true | The name for any defined context. If the value does not match a defined context then an error will occur. |
userName | query | string | true | The name of the user to be used when crawling. The "userName" should be previously defined on the context configuration. |
url | query | string | false | The starting URL (needs to include the 'scheme'). |
subtreeOnly | query | string | false | A boolean (true/false) indicating whether or not the crawl should be constrained to a specific path (default value is false). |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderActionSetEnabledAllowedResource
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/setEnabledAllowedResource/?regex=string&enabled=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ajaxSpider/action/setEnabledAllowedResource/?regex=string&enabled=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/action/setEnabledAllowedResource/', params={
'regex': 'string', 'enabled': 'string'
}, headers = headers)
print(r.json())
GET /JSON/ajaxSpider/action/setEnabledAllowedResource/
Sets whether or not an allowed resource is enabled.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
regex | query | string | true | The regular expression of the allowed resource. |
enabled | query | string | true | If the allowed resource should be enabled or not. |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderActionSetOptionBrowserId
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/setOptionBrowserId/?String=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ajaxSpider/action/setOptionBrowserId/?String=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/action/setOptionBrowserId/', params={
'String': 'string'
}, headers = headers)
print(r.json())
GET /JSON/ajaxSpider/action/setOptionBrowserId/
Sets the configuration of the AJAX Spider to use one of the supported browsers.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
String | query | string | true | The name of the browser to be used by the AJAX Spider. (See the Selenium add-on help for a list of supported browsers.) |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderActionSetOptionClickDefaultElems
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/setOptionClickDefaultElems/?Boolean=true \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ajaxSpider/action/setOptionClickDefaultElems/?Boolean=true");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/action/setOptionClickDefaultElems/', params={
'Boolean': 'true'
}, headers = headers)
print(r.json())
GET /JSON/ajaxSpider/action/setOptionClickDefaultElems/
Sets whether or not the AJAX Spider will only click on the default HTML elements.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Boolean | query | boolean | true | A boolean (true/false) indicating if only default elements such as 'a' 'button' 'input' should be clicked (default is true). |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderActionSetOptionClickElemsOnce
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/setOptionClickElemsOnce/?Boolean=true \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ajaxSpider/action/setOptionClickElemsOnce/?Boolean=true");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/action/setOptionClickElemsOnce/', params={
'Boolean': 'true'
}, headers = headers)
print(r.json())
GET /JSON/ajaxSpider/action/setOptionClickElemsOnce/
When enabled, the crawler attempts to interact with each element (e.g., by clicking) only once.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Boolean | query | boolean | true | A boolean (true/false) indicating whether or not the AJAX Spider should only click on elements once. If this is set to false, the crawler will attempt to click multiple times; which is more rigorous but may take considerably more time (default is true). |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderActionSetOptionEventWait
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/setOptionEventWait/?Integer=0 \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ajaxSpider/action/setOptionEventWait/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/action/setOptionEventWait/', params={
'Integer': '0'
}, headers = headers)
print(r.json())
GET /JSON/ajaxSpider/action/setOptionEventWait/
Sets the time to wait after an event (in milliseconds). For example: the wait delay after the cursor hovers over an element, in order for a menu to display, etc.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Integer | query | integer | true | The time that the AJAX Spider should wait for each event (default is 1000 milliseconds). |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderActionSetOptionMaxCrawlDepth
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/setOptionMaxCrawlDepth/?Integer=0 \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ajaxSpider/action/setOptionMaxCrawlDepth/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/action/setOptionMaxCrawlDepth/', params={
'Integer': '0'
}, headers = headers)
print(r.json())
GET /JSON/ajaxSpider/action/setOptionMaxCrawlDepth/
Sets the maximum depth that the crawler can reach.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Integer | query | integer | true | The maximum depth that the crawler should explore (zero means unlimited depth, default is 10). |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderActionSetOptionMaxCrawlStates
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/setOptionMaxCrawlStates/?Integer=0 \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ajaxSpider/action/setOptionMaxCrawlStates/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/action/setOptionMaxCrawlStates/', params={
'Integer': '0'
}, headers = headers)
print(r.json())
GET /JSON/ajaxSpider/action/setOptionMaxCrawlStates/
Sets the maximum number of states that the crawler should crawl.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Integer | query | integer | true | The maximum number of states that the AJAX Spider should explore (zero means unlimited crawl states, default is 0). |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderActionSetOptionMaxDuration
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/setOptionMaxDuration/?Integer=0 \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ajaxSpider/action/setOptionMaxDuration/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/action/setOptionMaxDuration/', params={
'Integer': '0'
}, headers = headers)
print(r.json())
GET /JSON/ajaxSpider/action/setOptionMaxDuration/
Sets the maximum time, in minutes, that the crawler is allowed to run.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Integer | query | integer | true | The maximum amount of time that the AJAX Spider is allowed to run (zero means unlimited running time, default is 60 minutes). |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderActionSetOptionNumberOfBrowsers
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/setOptionNumberOfBrowsers/?Integer=0 \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ajaxSpider/action/setOptionNumberOfBrowsers/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/action/setOptionNumberOfBrowsers/', params={
'Integer': '0'
}, headers = headers)
print(r.json())
GET /JSON/ajaxSpider/action/setOptionNumberOfBrowsers/
Sets the number of browser windows to be used by the AJAX Spider.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Integer | query | integer | true | The number of windows that the AJAX Spider can use. The more windows, the faster the process will be. However, more windows also means greater resource usage (CPU, Memory, etc), and could lead to concurrency issues depending on the app being explored (default is 1). |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderActionSetOptionRandomInputs
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/setOptionRandomInputs/?Boolean=true \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ajaxSpider/action/setOptionRandomInputs/?Boolean=true");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/action/setOptionRandomInputs/', params={
'Boolean': 'true'
}, headers = headers)
print(r.json())
GET /JSON/ajaxSpider/action/setOptionRandomInputs/
When enabled, inserts random values into form fields.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Boolean | query | boolean | true | A boolean (true/false) indicating whether or not random values should be used in form fields. Otherwise, empty values are submitted (default is true). |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderActionSetOptionReloadWait
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/setOptionReloadWait/?Integer=0 \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ajaxSpider/action/setOptionReloadWait/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
    'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/action/setOptionReloadWait/', params={
    'Integer': '0'
}, headers=headers)
print(r.json())
GET /JSON/ajaxSpider/action/setOptionReloadWait/
Sets the time to wait after the page is loaded before interacting with it.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Integer | query | integer | true | The number of milliseconds the AJAX Spider should wait after a page is loaded (default is 1000). |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderActionStop
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/action/stop/ \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ajaxSpider/action/stop/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
    'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/action/stop/', headers=headers)
print(r.json())
GET /JSON/ajaxSpider/action/stop/
Stops the AJAX Spider.
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderViewAllowedResources
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/allowedResources/ \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ajaxSpider/view/allowedResources/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
    'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/view/allowedResources/', headers=headers)
print(r.json())
GET /JSON/ajaxSpider/view/allowedResources/
Gets the allowed resources. The allowed resources are always fetched, even if out of scope, which allows necessary resources (e.g. scripts) from third parties to be included in the crawl.
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderViewExcludedElements
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/excludedElements/?contextName=string \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ajaxSpider/view/excludedElements/?contextName=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
    'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/view/excludedElements/', params={
    'contextName': 'string'
}, headers=headers)
print(r.json())
GET /JSON/ajaxSpider/view/excludedElements/
Gets the excluded elements. The excluded elements are not clicked during crawling, for example, to prevent logging out.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
contextName | query | string | true | The name of the context. |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderViewFullResults
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/fullResults/ \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ajaxSpider/view/fullResults/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
    'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/view/fullResults/', headers=headers)
print(r.json())
GET /JSON/ajaxSpider/view/fullResults/
Gets the full crawled content detected by the AJAX Spider. Returns a set of values based on 'inScope' URLs, 'outOfScope' URLs, and 'errors' encountered during the last/current run of the AJAX Spider.
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderViewNumberOfResults
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/numberOfResults/ \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ajaxSpider/view/numberOfResults/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
    'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/view/numberOfResults/', headers=headers)
print(r.json())
GET /JSON/ajaxSpider/view/numberOfResults/
Gets the number of resources found.
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderViewOptionBrowserId
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/optionBrowserId/ \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ajaxSpider/view/optionBrowserId/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
    'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/view/optionBrowserId/', headers=headers)
print(r.json())
GET /JSON/ajaxSpider/view/optionBrowserId/
Gets the configured browser to use for crawling.
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderViewOptionClickDefaultElems
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/optionClickDefaultElems/ \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ajaxSpider/view/optionClickDefaultElems/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
    'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/view/optionClickDefaultElems/', headers=headers)
print(r.json())
GET /JSON/ajaxSpider/view/optionClickDefaultElems/
Gets the configured value for 'Click Default Elements Only', i.e. whether the AJAX Spider clicks only the default HTML elements such as 'a', 'button' and 'input', which are the elements normally associated with an action or a link on the page.
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderViewOptionClickElemsOnce
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/optionClickElemsOnce/ \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ajaxSpider/view/optionClickElemsOnce/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
    'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/view/optionClickElemsOnce/', headers=headers)
print(r.json())
GET /JSON/ajaxSpider/view/optionClickElemsOnce/
Gets whether the AJAX Spider is configured to click each element only once.
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderViewOptionEventWait
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/optionEventWait/ \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ajaxSpider/view/optionEventWait/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
    'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/view/optionEventWait/', headers=headers)
print(r.json())
GET /JSON/ajaxSpider/view/optionEventWait/
Gets the time to wait after an event (in milliseconds). For example: the wait delay after the cursor hovers over an element, in order for a menu to display, etc.
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderViewOptionMaxCrawlDepth
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/optionMaxCrawlDepth/ \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ajaxSpider/view/optionMaxCrawlDepth/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
    'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/view/optionMaxCrawlDepth/', headers=headers)
print(r.json())
GET /JSON/ajaxSpider/view/optionMaxCrawlDepth/
Gets the configured value for the max crawl depth.
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderViewOptionMaxCrawlStates
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/optionMaxCrawlStates/ \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ajaxSpider/view/optionMaxCrawlStates/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
    'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/view/optionMaxCrawlStates/', headers=headers)
print(r.json())
GET /JSON/ajaxSpider/view/optionMaxCrawlStates/
Gets the configured value for the maximum crawl states allowed.
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderViewOptionMaxDuration
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/optionMaxDuration/ \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ajaxSpider/view/optionMaxDuration/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
    'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/view/optionMaxDuration/', headers=headers)
print(r.json())
GET /JSON/ajaxSpider/view/optionMaxDuration/
Gets the configured maximum duration of the crawl, in minutes.
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderViewOptionNumberOfBrowsers
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/optionNumberOfBrowsers/ \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ajaxSpider/view/optionNumberOfBrowsers/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
    'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/view/optionNumberOfBrowsers/', headers=headers)
print(r.json())
GET /JSON/ajaxSpider/view/optionNumberOfBrowsers/
Gets the configured number of browsers to be used.
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderViewOptionRandomInputs
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/optionRandomInputs/ \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ajaxSpider/view/optionRandomInputs/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
    'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/view/optionRandomInputs/', headers=headers)
print(r.json())
GET /JSON/ajaxSpider/view/optionRandomInputs/
Gets whether the AJAX Spider is configured to use random values in form fields when crawling.
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderViewOptionReloadWait
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/optionReloadWait/ \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ajaxSpider/view/optionReloadWait/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
    'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/view/optionReloadWait/', headers=headers)
print(r.json())
GET /JSON/ajaxSpider/view/optionReloadWait/
Gets the configured time to wait after reloading the page, in milliseconds.
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderViewResults
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/results/ \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ajaxSpider/view/results/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
    'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/view/results/', headers=headers)
print(r.json())
GET /JSON/ajaxSpider/view/results/
Gets the current results of the crawler.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
start | query | string | false | The position (or offset) within the results to use as a starting position for the information returned. |
count | query | string | false | The number of results to return. |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ajaxSpiderViewStatus
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ajaxSpider/view/status/ \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ajaxSpider/view/status/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
    'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ajaxSpider/view/status/', headers=headers)
print(r.json())
GET /JSON/ajaxSpider/view/status/
Gets the current status of the crawler. Possible values are Stopped and Running.
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
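The status, stop and paged results endpoints above combine naturally into a small crawl driver. This is an added example, not code from the ZAP project: it uses the standard library rather than requests, assumes ZAP at http://localhost:8080 with the API key sent in the X-ZAP-API-Key header, and assumes the status view answers {"status": ...} and the results view {"results": [...]}; the fetch function is injected so the polling, timeout and paging logic can be exercised offline.

```python
"""Drive the ZAP AJAX Spider through its status, stop and results endpoints.

Added example, not ZAP project code. Assumptions (also marked inline): ZAP
address, API-key header, and the shape of the status/results payloads.
"""
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://localhost:8080"   # assumed ZAP address (the page uses http://zap)


def zap_get(path, params=None, api_key=None, base=ZAP_BASE):
    """GET one ZAP JSON endpoint, e.g. /JSON/ajaxSpider/view/status/."""
    url = base + path
    if params:
        url += "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    if api_key:
        req.add_header("X-ZAP-API-Key", api_key)   # assumed: ZAP's API-key header
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def wait_until_stopped(get_json, poll_seconds=2.0, max_seconds=600,
                       clock=time.monotonic, sleep=time.sleep):
    """Poll /view/status/ until it reports Stopped; stop the spider on timeout.

    get_json(path, params) is injected (use zap_get against a live ZAP).
    Returns (last_status, stopped_by_timeout). The comparison ignores case
    so that 'Stopped' and 'stopped' are both accepted.
    """
    deadline = clock() + max_seconds
    while True:
        status = get_json("/JSON/ajaxSpider/view/status/", {})["status"]  # assumed key
        if status.lower() == "stopped":
            return status, False
        if clock() >= deadline:
            # Bound the crawl: a spider left Running keeps browsers and CPU busy.
            get_json("/JSON/ajaxSpider/action/stop/", {})
            return status, True
        sleep(poll_seconds)


def iter_results(get_json, page_size=100):
    """Page through /view/results/ using the 'start' offset and 'count' parameters.

    Both are sent as strings, matching the parameter table. A page shorter
    than page_size (or empty) is taken as the end of the result set.
    Assumes the payload is {"results": [...]}.
    """
    start = 0
    while True:
        page = get_json("/JSON/ajaxSpider/view/results/",
                        {"start": str(start), "count": str(page_size)})
        items = page.get("results", [])   # assumed key
        if not items:
            return
        yield from items
        if len(items) < page_size:
            return
        start += len(items)


def crawl_summary(get_json, page_size=100, **wait_kwargs):
    """Wait for the current crawl to finish, then collect every result."""
    status, timed_out = wait_until_stopped(get_json, **wait_kwargs)
    results = list(iter_results(get_json, page_size))
    return {"status": status, "timed_out": timed_out,
            "count": len(results), "results": results}


if __name__ == "__main__":
    # Against a live ZAP started with a crawl already running.
    print(crawl_summary(lambda path, params: zap_get(path, params)))
```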
alert
alertActionAddAlert
Code samples
# You can also use wget
curl -X GET http://zap/JSON/alert/action/addAlert/?messageId=string&name=string&riskId=string&confidenceId=string&description=string \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/alert/action/addAlert/?messageId=string&name=string&riskId=string&confidenceId=string&description=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
    'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/alert/action/addAlert/', params={
    'messageId': 'string', 'name': 'string', 'riskId': 'string', 'confidenceId': 'string', 'description': 'string'
}, headers=headers)
print(r.json())
GET /JSON/alert/action/addAlert/
Add an alert associated with the given message ID, with the provided details. (The ID of the created alert is returned.)
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
messageId | query | string | true | The ID of the message to which the alert should be associated. |
name | query | string | true | The name of the alert. |
riskId | query | string | true | The numeric risk representation ('0 - Informational' through '3 - High'). |
confidenceId | query | string | true | The numeric confidence representation ('1 - Low' through '3 - High' [user set values '0 - False Positive', and '4 - User Confirmed' are also available]). |
description | query | string | true | The description to be set to the alert. |
param | query | string | false | The name of the parameter applicable to the alert. |
attack | query | string | false | The attack (ex: injected string) used by the scan rule. |
otherInfo | query | string | false | Other information about the alert or test. |
solution | query | string | false | The solution for the alert. |
references | query | string | false | The reference details for the alert. |
evidence | query | string | false | The evidence associated with the alert. |
cweId | query | string | false | The CWE identifier associated with the alert. |
wascId | query | string | false | The WASC identifier associated with the alert. |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
alertActionDeleteAlert
Code samples
# You can also use wget
curl -X GET http://zap/JSON/alert/action/deleteAlert/?id=string \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/alert/action/deleteAlert/?id=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
    'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/alert/action/deleteAlert/', params={
    'id': 'string'
}, headers=headers)
print(r.json())
GET /JSON/alert/action/deleteAlert/
Deletes the alert with the given ID.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
id | query | string | true | The ID of the alert to delete. |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
alertActionDeleteAlerts
Code samples
# You can also use wget
curl -X GET http://zap/JSON/alert/action/deleteAlerts/ \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/alert/action/deleteAlerts/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
    'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/alert/action/deleteAlerts/', headers=headers)
print(r.json())
GET /JSON/alert/action/deleteAlerts/
Deletes all the alerts, optionally filtered to those that fall within the Context with the given name, have the given risk, or sit under the given base URL.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
contextName | query | string | false | The name of the Context for which the alerts should be deleted. |
baseurl | query | string | false | The highest URL in the Sites tree under which alerts should be deleted. |
riskId | query | string | false | The numeric risk representation ('0 - Informational' through '3 - High'). |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
alertActionDeleteAllAlerts
Code samples
# You can also use wget
curl -X GET http://zap/JSON/alert/action/deleteAllAlerts/ \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/alert/action/deleteAllAlerts/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
    'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/alert/action/deleteAllAlerts/', headers=headers)
print(r.json())
GET /JSON/alert/action/deleteAllAlerts/
Deletes all alerts of the current session.
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
alertActionUpdateAlert
Code samples
# You can also use wget
curl -X GET http://zap/JSON/alert/action/updateAlert/?id=string&name=string&riskId=string&confidenceId=string&description=string \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/alert/action/updateAlert/?id=string&name=string&riskId=string&confidenceId=string&description=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
    'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/alert/action/updateAlert/', params={
    'id': 'string', 'name': 'string', 'riskId': 'string', 'confidenceId': 'string', 'description': 'string'
}, headers=headers)
print(r.json())
GET /JSON/alert/action/updateAlert/
Update the alert with the given ID, with the provided details.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
id | query | string | true | The ID of the alert to update. |
name | query | string | true | The name of the alert. |
riskId | query | string | true | The numeric risk representation ('0 - Informational' through '3 - High'). |
confidenceId | query | string | true | The numeric confidence representation ('1 - Low' through '3 - High' [user set values '0 - False Positive', and '4 - User Confirmed' are also available]). |
description | query | string | true | The description to be set to the alert. |
param | query | string | false | The name of the parameter applicable to the alert. |
attack | query | string | false | The attack (ex: injected string) used by the scan rule. |
otherInfo | query | string | false | Other information about the alert or test. |
solution | query | string | false | The solution for the alert. |
references | query | string | false | The reference details for the alert. |
evidence | query | string | false | The evidence associated with the alert. |
cweId | query | string | false | The CWE identifier associated with the alert. |
wascId | query | string | false | The WASC identifier associated with the alert. |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
alertActionUpdateAlertsConfidence
Code samples
# You can also use wget
curl -X GET http://zap/JSON/alert/action/updateAlertsConfidence/?ids=string&confidenceId=string \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/alert/action/updateAlertsConfidence/?ids=string&confidenceId=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Accept", "application/json");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
    'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/alert/action/updateAlertsConfidence/', params={
    'ids': 'string', 'confidenceId': 'string'
}, headers=headers)
print(r.json())
GET /JSON/alert/action/updateAlertsConfidence/
Update the confidence of the alerts.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
ids | query | string | true | The IDs of the alerts to update (comma separated values). |
confidenceId | query | string | true | The numeric confidence representation ('1 - Low' through '3 - High' [user set values '0 - False Positive', and '4 - User Confirmed' are also available]). |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
alertActionUpdateAlertsRisk
Code samples
# You can also use wget
curl -X GET http://zap/JSON/alert/action/updateAlertsRisk/?ids=string&riskId=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/alert/action/updateAlertsRisk/?ids=string&riskId=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/alert/action/updateAlertsRisk/', params={
'ids': 'string', 'riskId': 'string'
}, headers = headers)
print(r.json())
GET /JSON/alert/action/updateAlertsRisk/
Update the risk of the alerts.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
ids | query | string | true | The IDs of the alerts to update (comma separated values). |
riskId | query | string | true | The numeric risk representation ('0 - Informational' through '3 - High'). |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
alertViewAlert
Code samples
# You can also use wget
curl -X GET http://zap/JSON/alert/view/alert/?id=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/alert/view/alert/?id=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/alert/view/alert/', params={
'id': 'string'
}, headers = headers)
print(r.json())
GET /JSON/alert/view/alert/
Gets the alert with the given ID. The corresponding HTTP message can be obtained with the 'messageId' field and the 'message' API method.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
id | query | string | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
alertViewAlertCountsByRisk
Code samples
# You can also use wget
curl -X GET http://zap/JSON/alert/view/alertCountsByRisk/ \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/alert/view/alertCountsByRisk/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/alert/view/alertCountsByRisk/', headers = headers)
print(r.json())
GET /JSON/alert/view/alertCountsByRisk/
Gets a count of the alerts, optionally filtered by 'url' and 'recurse' in the same way as alertsByRisk.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
url | query | string | false | none |
recurse | query | string | false | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
alertViewAlerts
Code samples
# You can also use wget
curl -X GET http://zap/JSON/alert/view/alerts/ \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/alert/view/alerts/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/alert/view/alerts/', headers = headers)
print(r.json())
GET /JSON/alert/view/alerts/
Gets the alerts raised by ZAP, optionally filtering by URL or riskId, and paginating with the 'start' position and 'count' of alerts.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
baseurl | query | string | false | The highest URL in the Sites tree under which alerts should be included. |
start | query | string | false | none |
count | query | string | false | none |
riskId | query | string | false | none |
contextName | query | string | false | Optionally, the Context name which the Alerts' URLs are associated with. |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
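The pagination and error handling described above, as an added example that is not code from the ZAP documentation: a small urllib-based client that walks alert/view/alerts/ with 'start' and 'count', buckets the results by risk and applies a CI gate, and treats a reply matching the ErrorJson schema (code, message, detail) as a failure. ZAP_BASE, the X-ZAP-API-Key header, the 'risk' field name in the alert JSON and the sample alerts are assumptions or constructed; http_get_json is the real transport, while fake_fetch stands in for a ZAP instance so the block runs offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

ZAP_BASE = "http://127.0.0.1:8080"  # assumption: ZAP's default local API address
PAGE_SIZE = 100
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


class ZapApiError(RuntimeError):
    """ZAP replied with its ErrorJson document (code / message / detail)."""


def http_get_json(url, apikey):
    """Real transport: GET a ZAP JSON endpoint and return the parsed body. ZAP sends
    ErrorJson with an HTTP error status, so an HTTPError body is parsed, not dropped."""
    req = urllib.request.Request(
        url, headers={"Accept": "application/json", "X-ZAP-API-Key": apikey})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        return json.loads(err.read().decode("utf-8"))


def zap_view(path, params, apikey="", fetch=http_get_json):
    """Call /JSON/<path>/ with query params; raise ZapApiError on an ErrorJson reply."""
    url = f"{ZAP_BASE}/JSON/{path}/?{urllib.parse.urlencode(params)}"
    data = fetch(url, apikey)
    if isinstance(data, dict) and {"code", "message", "detail"}.issubset(data):
        raise ZapApiError(f"{data['code']}: {data['message']} ({data['detail']})")
    return data


def iter_alerts(baseurl=None, page_size=PAGE_SIZE, **transport):
    """Walk alert/view/alerts/ with 'start'/'count'; a short page ends the walk."""
    start = 0
    while True:
        params = {"start": start, "count": page_size}
        if baseurl is not None:
            params["baseurl"] = baseurl
        page = zap_view("alert/view/alerts", params, **transport)["alerts"]
        yield from page
        if len(page) < page_size:
            return
        start += page_size


def count_by_risk(alerts):
    """Bucket alerts by their 'risk' string (assumed field name in ZAP's alert JSON)."""
    counts = {name: 0 for name in RISK_ORDER}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts


def risk_gate(alerts, fail_at="High"):
    """CI gate: returns (passed, offending); offending alerts are at or above fail_at.
    Alerts with an unknown risk string are counted but never fail the gate."""
    threshold = RISK_ORDER[fail_at]
    offending = [a for a in alerts if RISK_ORDER.get(a["risk"], -1) >= threshold]
    return not offending, offending


# Constructed stand-in for a running ZAP, so the example runs offline.
SAMPLE_ALERTS = [  # constructed sample alerts; only the fields used here are present
    {"id": str(i), "risk": risk, "url": "http://target.example/"}
    for i, risk in enumerate(["High", "Medium", "Low"] * 2 + ["Informational"])
]


def fake_fetch(expected_key="secret"):
    """Build a fetch() that serves SAMPLE_ALERTS page by page, or a constructed
    ErrorJson document (the schema listed above) when the API key is wrong."""
    def fetch(url, apikey):
        if apikey != expected_key:
            return {"code": "bad_api_key", "message": "API key incorrect",
                    "detail": "constructed sample"}
        query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        start, count = int(query["start"][0]), int(query["count"][0])
        return {"alerts": SAMPLE_ALERTS[start:start + count]}
    return fetch


def key_accepted(apikey, fetch=None):
    """True if ZAP accepts the key, False if it answers with ErrorJson."""
    try:
        zap_view("alert/view/alerts", {"start": 0, "count": 1},
                 apikey=apikey, fetch=fetch or fake_fetch())
        return True
    except ZapApiError:
        return False


def demo(page_size=3):
    """Pull every sample alert three at a time, then count and gate them."""
    alerts = list(iter_alerts(page_size=page_size, apikey="secret", fetch=fake_fetch()))
    passed, offending = risk_gate(alerts)
    return count_by_risk(alerts), passed, [a["id"] for a in offending]


if __name__ == "__main__":
    print(demo(), key_accepted("wrong"))  # (..., False, ['0', '3']) False
```

Point fetch at http_get_json (the default) and set ZAP_BASE and the key for a real instance; the same iter_alerts/risk_gate pair then gates a pipeline on live scan results.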
alertViewAlertsByRisk
Code samples
# You can also use wget
curl -X GET http://zap/JSON/alert/view/alertsByRisk/ \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/alert/view/alertsByRisk/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/alert/view/alertsByRisk/', headers = headers)
print(r.json())
GET /JSON/alert/view/alertsByRisk/
Gets a summary of the alerts, optionally filtered by a 'url'. If 'recurse' is true, all alerts that apply to URLs starting with the specified 'url' are returned; otherwise only those on exactly the same 'url' (ignoring URL parameters).
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
url | query | string | false | none |
recurse | query | string | false | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
alertViewAlertsSummary
Code samples
# You can also use wget
curl -X GET http://zap/JSON/alert/view/alertsSummary/ \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/alert/view/alertsSummary/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/alert/view/alertsSummary/', headers = headers)
print(r.json())
GET /JSON/alert/view/alertsSummary/
Gets the number of alerts grouped by each risk level, optionally filtering by URL.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
baseurl | query | string | false | The highest URL in the Sites tree under which alerts should be included. |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
alertViewNumberOfAlerts
Code samples
# You can also use wget
curl -X GET http://zap/JSON/alert/view/numberOfAlerts/ \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/alert/view/numberOfAlerts/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/alert/view/numberOfAlerts/', headers = headers)
print(r.json())
GET /JSON/alert/view/numberOfAlerts/
Gets the number of alerts, optionally filtering by URL or riskId.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
baseurl | query | string | false | The highest URL in the Sites tree under which alerts should be included. |
riskId | query | string | false | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
alertFilter
alertFilterActionAddAlertFilter
Code samples
# You can also use wget
curl -X GET http://zap/JSON/alertFilter/action/addAlertFilter/?contextId=string&ruleId=string&newLevel=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/alertFilter/action/addAlertFilter/?contextId=string&ruleId=string&newLevel=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/alertFilter/action/addAlertFilter/', params={
'contextId': 'string', 'ruleId': 'string', 'newLevel': 'string'
}, headers = headers)
print(r.json())
GET /JSON/alertFilter/action/addAlertFilter/
Adds a new alert filter for the context with the given ID.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
contextId | query | string | true | none |
ruleId | query | string | true | none |
newLevel | query | string | true | none |
url | query | string | false | none |
urlIsRegex | query | string | false | none |
parameter | query | string | false | none |
enabled | query | string | false | none |
parameterIsRegex | query | string | false | none |
attack | query | string | false | none |
attackIsRegex | query | string | false | none |
evidence | query | string | false | none |
evidenceIsRegex | query | string | false | none |
methods | query | string | false | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
alertFilterActionAddGlobalAlertFilter
Code samples
# You can also use wget
curl -X GET http://zap/JSON/alertFilter/action/addGlobalAlertFilter/?ruleId=string&newLevel=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/alertFilter/action/addGlobalAlertFilter/?ruleId=string&newLevel=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/alertFilter/action/addGlobalAlertFilter/', params={
'ruleId': 'string', 'newLevel': 'string'
}, headers = headers)
print(r.json())
GET /JSON/alertFilter/action/addGlobalAlertFilter/
Adds a new global alert filter.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
ruleId | query | string | true | none |
newLevel | query | string | true | none |
url | query | string | false | none |
urlIsRegex | query | string | false | none |
parameter | query | string | false | none |
enabled | query | string | false | none |
parameterIsRegex | query | string | false | none |
attack | query | string | false | none |
attackIsRegex | query | string | false | none |
evidence | query | string | false | none |
evidenceIsRegex | query | string | false | none |
methods | query | string | false | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
alertFilterActionApplyAll
Code samples
# You can also use wget
curl -X GET http://zap/JSON/alertFilter/action/applyAll/ \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/alertFilter/action/applyAll/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/alertFilter/action/applyAll/', headers = headers)
print(r.json())
GET /JSON/alertFilter/action/applyAll/
Applies all currently enabled Global and Context alert filters.
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
alertFilterActionApplyContext
Code samples
# You can also use wget
curl -X GET http://zap/JSON/alertFilter/action/applyContext/ \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/alertFilter/action/applyContext/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/alertFilter/action/applyContext/', headers = headers)
print(r.json())
GET /JSON/alertFilter/action/applyContext/
Applies all currently enabled Context alert filters.
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
alertFilterActionApplyGlobal
Code samples
# You can also use wget
curl -X GET http://zap/JSON/alertFilter/action/applyGlobal/ \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/alertFilter/action/applyGlobal/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/alertFilter/action/applyGlobal/', headers = headers)
print(r.json())
GET /JSON/alertFilter/action/applyGlobal/
Applies all currently enabled Global alert filters.
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
alertFilterActionRemoveAlertFilter
Code samples
# You can also use wget
curl -X GET http://zap/JSON/alertFilter/action/removeAlertFilter/?contextId=string&ruleId=string&newLevel=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/alertFilter/action/removeAlertFilter/?contextId=string&ruleId=string&newLevel=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/alertFilter/action/removeAlertFilter/', params={
'contextId': 'string', 'ruleId': 'string', 'newLevel': 'string'
}, headers = headers)
print(r.json())
GET /JSON/alertFilter/action/removeAlertFilter/
Removes an alert filter from the context with the given ID.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
contextId | query | string | true | none |
ruleId | query | string | true | none |
newLevel | query | string | true | none |
url | query | string | false | none |
urlIsRegex | query | string | false | none |
parameter | query | string | false | none |
enabled | query | string | false | none |
parameterIsRegex | query | string | false | none |
attack | query | string | false | none |
attackIsRegex | query | string | false | none |
evidence | query | string | false | none |
evidenceIsRegex | query | string | false | none |
methods | query | string | false | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
alertFilterActionRemoveGlobalAlertFilter
Code samples
# You can also use wget
curl -X GET http://zap/JSON/alertFilter/action/removeGlobalAlertFilter/?ruleId=string&newLevel=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/alertFilter/action/removeGlobalAlertFilter/?ruleId=string&newLevel=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/alertFilter/action/removeGlobalAlertFilter/', params={
'ruleId': 'string', 'newLevel': 'string'
}, headers = headers)
print(r.json())
GET /JSON/alertFilter/action/removeGlobalAlertFilter/
Removes a global alert filter.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
ruleId | query | string | true | none |
newLevel | query | string | true | none |
url | query | string | false | none |
urlIsRegex | query | string | false | none |
parameter | query | string | false | none |
enabled | query | string | false | none |
parameterIsRegex | query | string | false | none |
attack | query | string | false | none |
attackIsRegex | query | string | false | none |
evidence | query | string | false | none |
evidenceIsRegex | query | string | false | none |
methods | query | string | false | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
alertFilterActionTestAll
Code samples
# You can also use wget
curl -X GET http://zap/JSON/alertFilter/action/testAll/ \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/alertFilter/action/testAll/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/alertFilter/action/testAll/', headers = headers)
print(r.json())
GET /JSON/alertFilter/action/testAll/
Tests all currently enabled Global and Context alert filters.
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
alertFilterActionTestContext
Code samples
# You can also use wget
curl -X GET http://zap/JSON/alertFilter/action/testContext/ \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/alertFilter/action/testContext/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/alertFilter/action/testContext/', headers = headers)
print(r.json())
GET /JSON/alertFilter/action/testContext/
Tests all currently enabled Context alert filters.
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
alertFilterActionTestGlobal
Code samples
# You can also use wget
curl -X GET http://zap/JSON/alertFilter/action/testGlobal/ \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/alertFilter/action/testGlobal/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/alertFilter/action/testGlobal/', headers = headers)
print(r.json())
GET /JSON/alertFilter/action/testGlobal/
Tests all currently enabled Global alert filters.
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
alertFilterViewAlertFilterList
Code samples
# You can also use wget
curl -X GET http://zap/JSON/alertFilter/view/alertFilterList/?contextId=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/alertFilter/view/alertFilterList/?contextId=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/alertFilter/view/alertFilterList/', params={
'contextId': 'string'
}, headers = headers)
print(r.json())
GET /JSON/alertFilter/view/alertFilterList/
Lists the alert filters of the context with the given ID.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
contextId | query | string | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
alertFilterViewGlobalAlertFilterList
Code samples
# You can also use wget
curl -X GET http://zap/JSON/alertFilter/view/globalAlertFilterList/ \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/alertFilter/view/globalAlertFilterList/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/alertFilter/view/globalAlertFilterList/', headers = headers)
print(r.json())
GET /JSON/alertFilter/view/globalAlertFilterList/
Lists the global alert filters.
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascan
ascanActionAddExcludedParam
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/addExcludedParam/?name=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ascan/action/addExcludedParam/?name=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/addExcludedParam/', params={
'name': 'string'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/addExcludedParam/
Adds a new parameter excluded from the scan, using the specified name. Optionally sets if the new entry applies to a specific URL (default, all URLs) and sets the ID of the type of the parameter (default, ID of any type). The type IDs can be obtained with the view excludedParamTypes.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
name | query | string | true | none |
type | query | string | false | none |
url | query | string | false | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionAddScanPolicy
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/addScanPolicy/?scanPolicyName=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ascan/action/addScanPolicy/?scanPolicyName=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/addScanPolicy/', params={
'scanPolicyName': 'string'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/addScanPolicy/
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
scanPolicyName | query | string | true | none |
alertThreshold | query | string | false | none |
attackStrength | query | string | false | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionClearExcludedFromScan
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/clearExcludedFromScan/ \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ascan/action/clearExcludedFromScan/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/clearExcludedFromScan/', headers = headers)
print(r.json())
GET /JSON/ascan/action/clearExcludedFromScan/
Clears the regexes of URLs excluded from the active scans.
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionDisableAllScanners
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/disableAllScanners/ \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ascan/action/disableAllScanners/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/disableAllScanners/', headers = headers)
print(r.json())
GET /JSON/ascan/action/disableAllScanners/
Disables all scan rules of the scan policy with the given name, or of the default policy if none is given.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
scanPolicyName | query | string | false | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionDisableScanners
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/disableScanners/?ids=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ascan/action/disableScanners/?ids=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/disableScanners/', params={
'ids': 'string'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/disableScanners/
Disables the scan rules with the given IDs (a comma-separated list) in the scan policy with the given name, or in the default policy if none is given.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
ids | query | string | true | none |
scanPolicyName | query | string | false | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionEnableAllScanners
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/enableAllScanners/ \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ascan/action/enableAllScanners/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/enableAllScanners/', headers = headers)
print(r.json())
GET /JSON/ascan/action/enableAllScanners/
Enables all scan rules of the scan policy with the given name, or of the default policy if none is given.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
scanPolicyName | query | string | false | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionEnableScanners
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/enableScanners/?ids=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ascan/action/enableScanners/?ids=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/enableScanners/', params={
'ids': 'string'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/enableScanners/
Enables the scan rules with the given IDs (a comma-separated list) in the scan policy with the given name, or in the default policy if none is given.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
ids | query | string | true | none |
scanPolicyName | query | string | false | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionExcludeFromScan
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/excludeFromScan/?regex=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ascan/action/excludeFromScan/?regex=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/excludeFromScan/', params={
'regex': 'string'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/excludeFromScan/
Adds a regex of URLs that should be excluded from the active scans.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
regex | query | string | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionImportScanPolicy
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/importScanPolicy/?path=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ascan/action/importScanPolicy/?path=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/importScanPolicy/', params={
'path': 'string'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/importScanPolicy/
Imports a Scan Policy using the given file system path.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
path | query | string | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionModifyExcludedParam
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/modifyExcludedParam/?idx=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ascan/action/modifyExcludedParam/?idx=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/modifyExcludedParam/', params={
'idx': 'string'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/modifyExcludedParam/
Modifies a parameter excluded from the scan: its name, URL and type can be changed. The parameter is selected by its index, which can be obtained with the view excludedParams.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
idx | query | string | true | none |
name | query | string | false | none |
type | query | string | false | none |
url | query | string | false | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionPause
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/pause/?scanId=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ascan/action/pause/?scanId=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/pause/', params={
'scanId': 'string'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/pause/
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
scanId | query | string | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionPauseAllScans
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/pauseAllScans/ \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ascan/action/pauseAllScans/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/pauseAllScans/', headers = headers)
print(r.json())
GET /JSON/ascan/action/pauseAllScans/
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionRemoveAllScans
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/removeAllScans/ \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ascan/action/removeAllScans/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/removeAllScans/', headers = headers)
print(r.json())
GET /JSON/ascan/action/removeAllScans/
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionRemoveExcludedParam
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/removeExcludedParam/?idx=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ascan/action/removeExcludedParam/?idx=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/removeExcludedParam/', params={
'idx': 'string'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/removeExcludedParam/
Removes a parameter excluded from the scan, with the given index. The index can be obtained with the view excludedParams.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
idx | query | string | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionRemoveScan
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/removeScan/?scanId=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ascan/action/removeScan/?scanId=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/removeScan/', params={
'scanId': 'string'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/removeScan/
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
scanId | query | string | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionRemoveScanPolicy
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/removeScanPolicy/?scanPolicyName=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ascan/action/removeScanPolicy/?scanPolicyName=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/removeScanPolicy/', params={
'scanPolicyName': 'string'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/removeScanPolicy/
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
scanPolicyName | query | string | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionResume
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/resume/?scanId=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ascan/action/resume/?scanId=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/resume/', params={
'scanId': 'string'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/resume/
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
scanId | query | string | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionResumeAllScans
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/resumeAllScans/ \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ascan/action/resumeAllScans/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/resumeAllScans/', headers = headers)
print(r.json())
GET /JSON/ascan/action/resumeAllScans/
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionScan
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/scan/ \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ascan/action/scan/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/scan/', headers = headers)
print(r.json())
GET /JSON/ascan/action/scan/
Runs the active scanner against the given URL or Context. Optionally: 'recurse' also scans the URLs under the given URL; 'inScopeOnly' constrains the scan to URLs that are in scope (ignored if a Context is specified); 'scanPolicyName' selects the scan policy (the default scan policy is used if none is given); and 'method' together with 'postData' selects a specific request in conjunction with the given URL.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
url | query | string | false | none |
recurse | query | string | false | none |
inScopeOnly | query | string | false | none |
scanPolicyName | query | string | false | none |
method | query | string | false | none |
postData | query | string | false | none |
contextId | query | string | false | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
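The following is an added example, not code from the ZAP project or from this page: a small client for the disableScanners, enableScanners, excludeFromScan and scan actions documented above that validates parameters on the caller's side before they are sent (the comma-separated 'ids' value, the exclusion regex, the url-or-context requirement of 'scan', and the documented fact that 'inScopeOnly' is ignored when a Context is given). The host http://zap is taken from the page's samples; the X-ZAP-API-Key header, the RecordingTransport stand-in for an HTTP client, and the rule IDs and URLs used in the demo are assumptions so that it runs offline.

```python
import re

ZAP_BASE = "http://zap"  # assumption: the API host used by the page's own samples


class RecordingTransport:
    """Constructed stand-in for an HTTP client so the example runs offline.
    Any callable(url, params, headers) -> dict will do, for instance a wrapper
    around requests.get(url, params=params, headers=headers).json()."""

    def __init__(self):
        self.calls = []

    def __call__(self, url, params, headers):
        self.calls.append((url, params, headers))
        return {"Result": "OK"}  # constructed reply, not the page's ErrorJson schema


class AscanClient:
    def __init__(self, get, api_key=None, base=ZAP_BASE):
        self._get = get
        self._base = base
        self._headers = {"Accept": "application/json"}
        if api_key:
            # ZAP's API key header; the page's samples omit it, a real instance usually requires it
            self._headers["X-ZAP-API-Key"] = api_key

    def _action(self, name, **params):
        # Optional query parameters that were not given are simply not sent
        sent = {k: v for k, v in params.items() if v is not None}
        return self._get(f"{self._base}/JSON/ascan/action/{name}/", sent, dict(self._headers))

    @staticmethod
    def ids_param(ids):
        """Builds the comma-separated 'ids' value used by enableScanners,
        disableScanners and setEnabledPolicies from a list of rule IDs."""
        ordered = []
        for i in ids:
            if not isinstance(i, int) or isinstance(i, bool) or i < 0:
                raise ValueError(f"scan rule id must be a non-negative int, got {i!r}")
            if i not in ordered:  # drop duplicates, keep caller's order
                ordered.append(i)
        if not ordered:
            raise ValueError("at least one scan rule id is required")
        return ",".join(str(i) for i in ordered)

    def disable_scanners(self, ids, scan_policy_name=None):
        return self._action("disableScanners", ids=self.ids_param(ids),
                            scanPolicyName=scan_policy_name)

    def enable_scanners(self, ids, scan_policy_name=None):
        return self._action("enableScanners", ids=self.ids_param(ids),
                            scanPolicyName=scan_policy_name)

    def exclude_from_scan(self, regex):
        # Refuse a pattern that does not even compile; ZAP evaluates it with Java's
        # regex engine, so this is only a gross-error check, not full validation
        try:
            re.compile(regex)
        except re.error as exc:
            raise ValueError(f"invalid exclusion regex {regex!r}: {exc}") from None
        return self._action("excludeFromScan", regex=regex)

    def scan(self, url=None, context_id=None, recurse=True, in_scope_only=False,
             scan_policy_name=None, method=None, post_data=None):
        if url is None and context_id is None:
            raise ValueError("either url or contextId must be given")
        if post_data is not None and method is None:
            raise ValueError("postData requires method to be given as well")
        # inScopeOnly is ignored by ZAP when a Context is specified, so it is not sent then
        in_scope = None if context_id is not None else _flag(in_scope_only)
        return self._action("scan", url=url, contextId=context_id, recurse=_flag(recurse),
                            inScopeOnly=in_scope, scanPolicyName=scan_policy_name,
                            method=method, postData=post_data)


def _flag(value):
    """ZAP's boolean query parameters are the strings 'true' / 'false'."""
    return "true" if value else "false"


if __name__ == "__main__":
    transport = RecordingTransport()
    zap = AscanClient(transport, api_key="example-key")  # constructed key
    zap.exclude_from_scan(r"https?://app\.example\.test/logout.*")  # constructed target
    zap.disable_scanners([3, 1, 3, 2], scan_policy_name="CI Policy")  # constructed ids/policy
    zap.scan(url="http://app.example.test/", in_scope_only=True)
    for call in transport.calls:
        print(call)
```

Excluding the logout path before the scan starts is the usual reason for excludeFromScan in a pipeline: an active scan that follows a logout link invalidates the session it was scanning with, and every later request is then tested unauthenticated.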
ascanActionScanAsUser
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/scanAsUser/ \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ascan/action/scanAsUser/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/scanAsUser/', headers = headers)
print(r.json())
GET /JSON/ascan/action/scanAsUser/
Runs an active scan from the perspective of a User, obtained using the given Context ID and User ID. See the 'scan' action for more details.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
url | query | string | false | none |
contextId | query | string | false | none |
userId | query | string | false | none |
recurse | query | string | false | none |
scanPolicyName | query | string | false | none |
method | query | string | false | none |
postData | query | string | false | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionSetEnabledPolicies
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setEnabledPolicies/?ids=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ascan/action/setEnabledPolicies/?ids=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/setEnabledPolicies/', params={
'ids': 'string'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/setEnabledPolicies/
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
ids | query | string | true | none |
scanPolicyName | query | string | false | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionSetOptionAddQueryParam
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionAddQueryParam/?Boolean=true \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ascan/action/setOptionAddQueryParam/?Boolean=true");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/setOptionAddQueryParam/', params={
'Boolean': 'true'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/setOptionAddQueryParam/
Sets whether or not the active scanner should add a query param to GET requests which do not have parameters to start with.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Boolean | query | boolean | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionSetOptionAllowAttackOnStart
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionAllowAttackOnStart/?Boolean=true \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ascan/action/setOptionAllowAttackOnStart/?Boolean=true");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/setOptionAllowAttackOnStart/', params={
'Boolean': 'true'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/setOptionAllowAttackOnStart/
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Boolean | query | boolean | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionSetOptionAttackPolicy
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionAttackPolicy/?String=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ascan/action/setOptionAttackPolicy/?String=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/setOptionAttackPolicy/', params={
'String': 'string'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/setOptionAttackPolicy/
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
String | query | string | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionSetOptionDefaultPolicy
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionDefaultPolicy/?String=string \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ascan/action/setOptionDefaultPolicy/?String=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/setOptionDefaultPolicy/', params={
'String': 'string'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/setOptionDefaultPolicy/
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
String | query | string | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionSetOptionDelayInMs
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionDelayInMs/?Integer=0 \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ascan/action/setOptionDelayInMs/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/setOptionDelayInMs/', params={
'Integer': '0'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/setOptionDelayInMs/
This option has been superseded. Use the API rate limit endpoints in the 'network' component instead.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Integer | query | integer | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionSetOptionHandleAntiCSRFTokens
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionHandleAntiCSRFTokens/?Boolean=true \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ascan/action/setOptionHandleAntiCSRFTokens/?Boolean=true");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/setOptionHandleAntiCSRFTokens/', params={
'Boolean': 'true'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/setOptionHandleAntiCSRFTokens/
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Boolean | query | boolean | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionSetOptionHostPerScan
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionHostPerScan/?Integer=0 \
-H 'Accept: application/json'
URL obj = new URL("http://zap/JSON/ascan/action/setOptionHostPerScan/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/setOptionHostPerScan/', params={
'Integer': '0'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/setOptionHostPerScan/
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Integer | query | integer | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionSetOptionInjectPluginIdInHeader
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionInjectPluginIdInHeader/?Boolean=true \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ascan/action/setOptionInjectPluginIdInHeader/?Boolean=true");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
// Read the JSON body returned by ZAP
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/setOptionInjectPluginIdInHeader/', params={
'Boolean': 'true'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/setOptionInjectPluginIdInHeader/
Sets whether or not the active scanner should inject the HTTP request header X-ZAP-Scan-ID, with the ID of the scan rule that's sending the requests.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Boolean | query | boolean | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
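The X-ZAP-Scan-ID header set by this option is what lets a defender tell scanner traffic apart from real users in the application's own logs and attribute server errors to the scan rule that triggered them. The following is an added example (not part of the ZAP documentation or project) that parses constructed access-log lines and groups them by the header value; it assumes the web server was configured to write the X-ZAP-Scan-ID request header as the last quoted field of each line, and the rule IDs 10001 and 10002 in the sample are made up for the example.

```python
"""Correlate web-server log entries with ZAP scan rules via X-ZAP-Scan-ID (added example)."""
import re
from collections import defaultdict

# Constructed sample: combined-style access log lines where the server appends
# the X-ZAP-Scan-ID request header as a last quoted field ("-" when absent).
# The rule IDs 10001/10002 are made up and do not refer to real ZAP rules.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=test HTTP/1.1" 500 128 "-" "ZAP" "10001"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=abc HTTP/1.1" 200 2048 "-" "ZAP" "10001"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "POST /profile HTTP/1.1" 403 64 "-" "ZAP" "10002"
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /api/items HTTP/1.1" 200 900 "-" "curl/8.0" "-"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "POST /profile HTTP/1.1" 500 64 "-" "ZAP" "10002"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<scan_id>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # An absent header is logged as "-"; normalise it to None.
    rec["scan_id"] = None if rec["scan_id"] in ("", "-") else rec["scan_id"]
    return rec


def summarize(log_text):
    """Group requests by the scan rule ID carried in X-ZAP-Scan-ID.

    Returns {"by_rule": {rule_id: {"requests": n, "errors": n, "paths": [...]}},
             "unattributed": n, "unparsed": n}. Lines without the header are
    treated as non-ZAP traffic; "errors" counts 5xx responses per rule.
    """
    by_rule = defaultdict(lambda: {"requests": 0, "errors": 0, "paths": set()})
    unattributed = unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["scan_id"] is None:
            unattributed += 1
            continue
        entry = by_rule[rec["scan_id"]]
        entry["requests"] += 1
        if rec["status"] >= 500:
            entry["errors"] += 1
        entry["paths"].add(rec["path"].split("?", 1)[0])
    return {
        "by_rule": {k: {**v, "paths": sorted(v["paths"])} for k, v in by_rule.items()},
        "unattributed": unattributed,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for rule, stats in report["by_rule"].items():
        print(f"rule {rule}: {stats['requests']} requests, {stats['errors']} 5xx, paths {stats['paths']}")
    print(f"unattributed (non-ZAP) requests: {report['unattributed']}")
```

Run against the sample, the summary shows two requests and one 5xx for each constructed rule and two requests without the header; on a real log the 5xx-per-rule figure is the quickest way to find which scan rule is crashing an endpoint, and the unattributed count is a sanity check that the scan traffic really was tagged.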
ascanActionSetOptionMaxAlertsPerRule
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionMaxAlertsPerRule/?Integer=0 \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ascan/action/setOptionMaxAlertsPerRule/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
// Read the JSON body returned by ZAP
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/setOptionMaxAlertsPerRule/', params={
'Integer': '0'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/setOptionMaxAlertsPerRule/
Sets the maximum number of alerts that a rule can raise before being skipped.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Integer | query | integer | true | The maximum alerts. |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
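All of the setOption* actions in this section share one shape: a GET to /JSON/ascan/action/<action>/ with a single query parameter named Boolean or Integer, and the ErrorJson body {code, message, detail} on failure. The following is an added example (not the project's own client library) that wraps that family with client-side type checking, so a bool can never be sent to an Integer option or vice versa, and that turns an ErrorJson answer into an exception instead of letting a CI job carry on with a half-configured scanner. It assumes the API is reachable at http://zap as in the samples above, and uses ZAP's X-ZAP-API-Key request header with a placeholder key value that must be replaced by the key configured in the running ZAP; the CI_PROFILE values are constructed for the example.

```python
"""Typed wrapper for the ZAP ascan setOption* actions (added example, not ZAP's own client)."""
import json
import urllib.error
import urllib.parse
import urllib.request

# Query parameter name and Python type per action, from the Parameters tables in this section.
ASCAN_OPTIONS = {
    "setOptionHandleAntiCSRFTokens": ("Boolean", bool),
    "setOptionHostPerScan": ("Integer", int),
    "setOptionInjectPluginIdInHeader": ("Boolean", bool),
    "setOptionMaxAlertsPerRule": ("Integer", int),
    "setOptionMaxChartTimeInMins": ("Integer", int),
    "setOptionMaxResultsToList": ("Integer", int),
    "setOptionMaxRuleDurationInMins": ("Integer", int),
    "setOptionMaxScanDurationInMins": ("Integer", int),
    "setOptionMaxScansInUI": ("Integer", int),
    "setOptionPromptInAttackMode": ("Boolean", bool),
    "setOptionPromptToClearFinishedScans": ("Boolean", bool),
    "setOptionRescanInAttackMode": ("Boolean", bool),
    "setOptionScanHeadersAllRequests": ("Boolean", bool),
    "setOptionScanNullJsonValues": ("Boolean", bool),
    "setOptionShowAdvancedDialog": ("Boolean", bool),
    "setOptionTargetParamsEnabledRPC": ("Integer", int),
    "setOptionTargetParamsInjectable": ("Integer", int),
    "setOptionThreadPerHost": ("Integer", int),
}


class ZapApiError(Exception):
    """Raised when ZAP answers with the ErrorJson shape {code, message, detail}."""


def encode_value(action, value):
    """Return (parameter name, string value) for the action, rejecting wrong types.

    bool is checked before int because bool is a subclass of int in Python;
    otherwise True would be sent as '1' to an Integer option and 1 accepted
    for a Boolean option.
    """
    if action not in ASCAN_OPTIONS:
        raise ValueError(f"unknown ascan option action: {action}")
    param, expected = ASCAN_OPTIONS[action]
    if expected is bool:
        if not isinstance(value, bool):
            raise TypeError(f"{action} takes a bool, got {type(value).__name__}")
        return param, "true" if value else "false"
    if isinstance(value, bool) or not isinstance(value, int):
        raise TypeError(f"{action} takes an int, got {type(value).__name__}")
    return param, str(value)


def build_request(action, value, base_url="http://zap", api_key="ZAP-API-KEY-PLACEHOLDER"):
    """Return (url, params, headers) for one setOption* call; api_key is a placeholder."""
    param, encoded = encode_value(action, value)
    url = f"{base_url.rstrip('/')}/JSON/ascan/action/{action}/"
    headers = {"Accept": "application/json", "X-ZAP-API-Key": api_key}
    return url, {param: encoded}, headers


def check_response(body):
    """Raise ZapApiError for an ErrorJson body; otherwise return the body unchanged."""
    if isinstance(body, dict) and "code" in body and "message" in body:
        raise ZapApiError(f"{body['code']}: {body['message']} ({body.get('detail')})")
    return body


def send_with_urllib(url, params, headers, timeout=10):
    """Real transport: GET the action and decode the JSON body, also on a non-2xx status."""
    req = urllib.request.Request(url + "?" + urllib.parse.urlencode(params), headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        # A non-2xx answer may still carry the ErrorJson body; keep it for check_response.
        return json.loads(exc.read().decode("utf-8"))


def apply_options(options, send):
    """Apply {action: value} in order via send(url, params, headers) -> dict; stop on first error."""
    results = {}
    for action, value in options.items():
        url, params, headers = build_request(action, value)
        results[action] = check_response(send(url, params, headers))
    return results


# Constructed CI-style profile: bounded rule and scan time, capped alerts per rule,
# anti-CSRF handling on, and X-ZAP-Scan-ID injection so server logs can be correlated.
CI_PROFILE = {
    "setOptionMaxRuleDurationInMins": 5,
    "setOptionMaxScanDurationInMins": 60,
    "setOptionMaxAlertsPerRule": 10,
    "setOptionHandleAntiCSRFTokens": True,
    "setOptionInjectPluginIdInHeader": True,
}

if __name__ == "__main__":
    try:
        print(apply_options(CI_PROFILE, send_with_urllib))
    except (urllib.error.URLError, OSError) as exc:
        print(f"could not reach ZAP: {exc}")
```

The transport is passed in as a function so the same profile can be driven by a recording stub in tests and by send_with_urllib (or the requests-based samples above) in a pipeline; apply_options deliberately stops at the first ErrorJson rather than continuing, since a scan run with the wrong limits is worse than no scan.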
ascanActionSetOptionMaxChartTimeInMins
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionMaxChartTimeInMins/?Integer=0 \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ascan/action/setOptionMaxChartTimeInMins/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
// Read the JSON body returned by ZAP
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/setOptionMaxChartTimeInMins/', params={
'Integer': '0'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/setOptionMaxChartTimeInMins/
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Integer | query | integer | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionSetOptionMaxResultsToList
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionMaxResultsToList/?Integer=0 \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ascan/action/setOptionMaxResultsToList/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
// Read the JSON body returned by ZAP
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/setOptionMaxResultsToList/', params={
'Integer': '0'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/setOptionMaxResultsToList/
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Integer | query | integer | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionSetOptionMaxRuleDurationInMins
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionMaxRuleDurationInMins/?Integer=0 \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ascan/action/setOptionMaxRuleDurationInMins/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
// Read the JSON body returned by ZAP
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/setOptionMaxRuleDurationInMins/', params={
'Integer': '0'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/setOptionMaxRuleDurationInMins/
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Integer | query | integer | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionSetOptionMaxScanDurationInMins
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionMaxScanDurationInMins/?Integer=0 \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ascan/action/setOptionMaxScanDurationInMins/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
// Read the JSON body returned by ZAP
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/setOptionMaxScanDurationInMins/', params={
'Integer': '0'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/setOptionMaxScanDurationInMins/
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Integer | query | integer | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionSetOptionMaxScansInUI
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionMaxScansInUI/?Integer=0 \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ascan/action/setOptionMaxScansInUI/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
// Read the JSON body returned by ZAP
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/setOptionMaxScansInUI/', params={
'Integer': '0'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/setOptionMaxScansInUI/
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Integer | query | integer | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionSetOptionPromptInAttackMode
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionPromptInAttackMode/?Boolean=true \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ascan/action/setOptionPromptInAttackMode/?Boolean=true");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
// Read the JSON body returned by ZAP
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/setOptionPromptInAttackMode/', params={
'Boolean': 'true'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/setOptionPromptInAttackMode/
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Boolean | query | boolean | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionSetOptionPromptToClearFinishedScans
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionPromptToClearFinishedScans/?Boolean=true \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ascan/action/setOptionPromptToClearFinishedScans/?Boolean=true");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
// Read the JSON body returned by ZAP
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/setOptionPromptToClearFinishedScans/', params={
'Boolean': 'true'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/setOptionPromptToClearFinishedScans/
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Boolean | query | boolean | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionSetOptionRescanInAttackMode
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionRescanInAttackMode/?Boolean=true \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ascan/action/setOptionRescanInAttackMode/?Boolean=true");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
// Read the JSON body returned by ZAP
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/setOptionRescanInAttackMode/', params={
'Boolean': 'true'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/setOptionRescanInAttackMode/
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Boolean | query | boolean | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionSetOptionScanHeadersAllRequests
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionScanHeadersAllRequests/?Boolean=true \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ascan/action/setOptionScanHeadersAllRequests/?Boolean=true");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
// Read the JSON body returned by ZAP
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/setOptionScanHeadersAllRequests/', params={
'Boolean': 'true'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/setOptionScanHeadersAllRequests/
Sets whether or not the HTTP headers of all requests should be scanned, not just the headers of requests that send parameters through the query string or request body.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Boolean | query | boolean | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionSetOptionScanNullJsonValues
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionScanNullJsonValues/?Boolean=true \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ascan/action/setOptionScanNullJsonValues/?Boolean=true");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
// Read the JSON body returned by ZAP
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/setOptionScanNullJsonValues/', params={
'Boolean': 'true'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/setOptionScanNullJsonValues/
Sets whether or not the active scanner should scan null JSON values.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Boolean | query | boolean | true | true to scan null values, false otherwise. |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionSetOptionShowAdvancedDialog
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionShowAdvancedDialog/?Boolean=true \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ascan/action/setOptionShowAdvancedDialog/?Boolean=true");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
// Read the JSON body returned by ZAP
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/setOptionShowAdvancedDialog/', params={
'Boolean': 'true'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/setOptionShowAdvancedDialog/
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Boolean | query | boolean | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionSetOptionTargetParamsEnabledRPC
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionTargetParamsEnabledRPC/?Integer=0 \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ascan/action/setOptionTargetParamsEnabledRPC/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
// Read the JSON body returned by ZAP
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/setOptionTargetParamsEnabledRPC/', params={
'Integer': '0'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/setOptionTargetParamsEnabledRPC/
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Integer | query | integer | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionSetOptionTargetParamsInjectable
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionTargetParamsInjectable/?Integer=0 \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ascan/action/setOptionTargetParamsInjectable/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
// Read the JSON body returned by ZAP
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/setOptionTargetParamsInjectable/', params={
'Integer': '0'
}, headers = headers)
print(r.json())
GET /JSON/ascan/action/setOptionTargetParamsInjectable/
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
Integer | query | integer | true | none |
Example responses
default Response
{
"code": "string",
"message": "string",
"detail": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
default | Default | Error of JSON endpoints. | ErrorJson |
ascanActionSetOptionThreadPerHost
Code samples
# You can also use wget
curl -X GET http://zap/JSON/ascan/action/setOptionThreadPerHost/?Integer=0 \
-H 'Accept: application/json'
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

URL obj = new URL("http://zap/JSON/ascan/action/setOptionThreadPerHost/?Integer=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
// Read the JSON body returned by ZAP
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuilder response = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get('http://zap/JSON/ascan/action/setOptionThreadPerHost/', params={
'Integer': '0'
}, headers = headers)
print(r.json())