Powered byAlgolia
BlogBookmarksSubmit

Zaproxy

Security

Introduction to ZAP API

ZAP API is a great way of automating and scripting your security testing tasks. In this article, we are going to explore some of the API examples in JavaScript.

Getting Started

To start using the ZAP API, you need to first start the ZAP daemon. You can start the ZAP daemon by running the following command:

$ zap.sh -daemon

Once the daemon is running, you can connect to it using the API.

Example API Calls

Spider a Website

The following code will start a new spider scan on the target URL:

const ZAPClient = require('zap-client-js');
const zapApiKey = 'yourApiKey';

ZAPClient({
    apiKey: zapApiKey,
    ajaxAspects: ['*']
}).then(async (zapClient) => {
    const spider = zapClient.spider;
    await spider.scan(targetUrl);
});

Passive Scanning

The following code will start a new passive scanning session:

const ZAPClient = require('zap-client-js');
const zapApiKey = 'yourApiKey';

ZAPClient({
    apiKey: zapApiKey,
    ajaxAspects: ['*']
}).then(async (zapClient) => {
    const passiveScanner = zapClient.pscan;
    await passiveScanner.scan(targetUrl);
});

Active Scanning

The following code will start a new active scanning session:

const ZAPClient = require('zap-client-js');
const zapApiKey = 'yourApiKey';

ZAPClient({
    apiKey: zapApiKey,
    ajaxAspects: ['*']
}).then(async (zapClient) => {
    const activeScanner = zapClient.ascan;
    await activeScanner.scan(targetUrl);
});

Getting a List of Alerts

The following code will retrieve a list of alerts that were generated during the scanning session:

const ZAPClient = require('zap-client-js');
const zapApiKey = 'yourApiKey';

ZAPClient({
    apiKey: zapApiKey,
    ajaxAspects: ['*']
}).then(async (zapClient) => {
    const alerts = await zapClient.getAlerts(targetUrl);
    console.log(alerts);
});

Conclusion

In this article, we explored some common ZAP API calls using JavaScript. ZAP API is a powerful tool that can help you automate your security testing tasks.

Related APIs

FilterLists

Security

FilterLists is a community-driven website that offers a curated list of ad-blocking and privacy-enhancing browser extensions. The website provides an extensive collection of filter lists that users can add to their ad-blocker to improve their online privacy and security. FilterLists has a user-friendly interface that enables users to easily browse through the different filter lists and select the ones that suit their needs. In addition, the website also provides a submission process for filter lists, allowing users to suggest new lists or report issues with existing ones. Overall, FilterLists is a valuable resource for users looking to enhance their online privacy and security.

UK Police

Security

UK Police data. The API provides a rich data source for information, including: Neighbourhood team members. Upcoming events. Street-level crime and outcome data. Nearest police stations The API is implemented as a standard JSON web service using HTTP GET and POST requests. Full request and response examples are provided in the documentation.

HaveIBeenPwned

Security

Passwords which have previously been exposed in data breaches. The API allows the list of pwned accounts (email addresses and usernames) to be quickly searched via a RESTful service.

SecurityTrails

Security

Domain and IP related information such as current and historical WHOIS and DNS records. SecurityTrails currently offers three different products that can help you enrich your data, search for information, and find relevant security information for organizations in no time: Security Trails API, Accessing the Security Trails REST API and data format.

National Vulnerability Database

Security

U.S. National Vulnerability Database. A weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability. Mitigation of the vulnerabilities in this context typically involves coding changes, but could also include specification changes or even specification deprecations (e.g., removal of affected protocols or functionality in their entirety).

Shodan

Security

Search engine for Internet connected devices. Use the API to automatically generate reports, notify you if something popped up on Shodan or keep track of results over time. The Streaming API gives you the ability to subscribe to events in real-time so you can immediately respond to new discoveries.

FilterLists

Security

Lists of filters for adblockers and firewalls. Make a simple call to the api and it will list all blockers and firewalls in a JSON file. Easy, simple and fast way to integrate ads / lucrative content to your website.

censys

Security

Search engine for Internet connected devices. Identify, investigate and remediate all relevant risks to your attack surface Discover the “unknown unknowns” on your network, including: Exposed Internal Services, Exposed Login Services, Out-of-date TLS configurations, and other risky entry points for attackers.

Virus Scan APIs

Security

Virus API lets you scan files and content for viruses and identify security issues with content. The most powerful and cost effective cloud APIs, continuously improved. Optical Character Recognition API, Document and Data Conversion API, Validate API to check if an Email is real, image and face recognition and processing API, Barcode APIs, voice recognition and speech apis.

AWS Serverless Kit

Developer Tool

Deploy your app in minutes with AWS best practices

Search API

Data Access

Real-time Google, YouTube & Amazon SERP API for easy SERP scraping.

ipstack

Geocoding

Locate and identify website visitors by IP address.

Exchangerate API

Currency Exchange

JSON API for foreign exchange rates and currency conversion

Weatherstack

Weather

Retrieve instant, accurate weather information for any location in the world in lightweight JSON format