ZAP provides an Application Programming Interface (API) which allows you to interact with ZAP programmatically.

The API is available in JSON, HTML and XML formats.
A simple web UI which allows you to explore and use the API is available via the URL http://zap/ when you are proxying via ZAP, or via the host and port ZAP is listening on, eg http://localhost:8080/.

By default only the machine ZAP is running on is able to access the API. You can allow other machines, that are able to use ZAP as a proxy, access to the API. The API is configured using the Options API screen.

The API provides access to most of the core ZAP features such as the active scanner.
Future versions of ZAP will increase the functionality available via the APi.

File Transfer

Many API endpoints allow you to load or save files to and from the file system.

The core API also supports uploading and downloading files, but this is disabled by default as a security measure. If an attacker is able to access the ZAP API then with this feature enabled they would be able to upload their own script to ZAP and then run it. ZAP scripts run with the same permissions as ZAP and so this is full remote code execution access.

To enable file transfer you will need to have an API key set and to enable it via the Options API screen. You can also enable file transfers via the command line as explained in the help for that screen.

With file transfer enabled you will be able to upload text files to the Transfer Directory using the ‘fileUpload’ ‘other’ endpoint and download them from there using the ‘fileDownload’ ‘other’ endpoint. You can specify subdirectories (e.g. “subdir/myfile”) but any attempt to upload or download a file to or from another directory (e.g. using “../../”) will be rejected. The ‘fileUpload’ endpoint only accepts POST requests and you should use an encoding of either “multipart/form-data” or “application/x-www-form-urlencoded”. The web UI allows you to select and upload local files.

Curl example for uploading a file:

curl \
    -F fileContents=@/full/path/to/file/to/be/uploaded \
    -F apikey=your-api-key \
    -F fileName=destination-filename \

To download a file generated by another API endpoint you will need to specify a file name/path starting with “${XFER}”. For example you could export a context to “${XFER}/contexts/my.context” and then download it by specifying “contexts/my.context”.

To upload a file to another API endpoint you need to do the reverse - first upload it, e.g. to “plans/myplan.yaml”, and then import it via the path “${XFER}/plans/myplan.yaml”.

See also

UI Overview for an overview of the user interface
API Overview for an overview of the API
Features provided by ZAP