Introduction to ZAP API
The ZAP API is a convenient way to automate and script your security testing tasks. In this article we walk through a few of the API calls as they look from JavaScript.
Getting Started
To use the ZAP API you first need a running ZAP daemon. Start it in headless mode with:
$ zap.sh -daemon
Once the daemon is running, you can connect to it through the API. The examples below use an API key (shown as yourApiKey); use the key configured in your ZAP instance's API options.
Example API Calls
Spider a Website
The following code starts a new spider scan on the target URL:
const ZAPClient = require('zap-client-js');
const zapApiKey = 'yourApiKey';
const targetUrl = 'http://localhost:3000'; // placeholder target; replace with your own

ZAPClient({
  apiKey: zapApiKey,
  ajaxAspects: ['*']
}).then(async (zapClient) => {
  // Start the spider against the target URL
  const spider = zapClient.spider;
  await spider.scan(targetUrl);
});
Passive Scanning
The following code starts a new passive scanning session:
const ZAPClient = require('zap-client-js');
const zapApiKey = 'yourApiKey';
const targetUrl = 'http://localhost:3000'; // placeholder target; replace with your own

ZAPClient({
  apiKey: zapApiKey,
  ajaxAspects: ['*']
}).then(async (zapClient) => {
  // Run the passive scanner over the target
  const passiveScanner = zapClient.pscan;
  await passiveScanner.scan(targetUrl);
});
Active Scanning
The following code starts a new active scanning session:
const ZAPClient = require('zap-client-js');
const zapApiKey = 'yourApiKey';
const targetUrl = 'http://localhost:3000'; // placeholder target; replace with your own

ZAPClient({
  apiKey: zapApiKey,
  ajaxAspects: ['*']
}).then(async (zapClient) => {
  // Start the active scanner against the target URL
  const activeScanner = zapClient.ascan;
  await activeScanner.scan(targetUrl);
});
Getting a List of Alerts
The following code retrieves the alerts that were generated during the scanning session:
const ZAPClient = require('zap-client-js');
const zapApiKey = 'yourApiKey';
const targetUrl = 'http://localhost:3000'; // placeholder target; replace with your own

ZAPClient({
  apiKey: zapApiKey,
  ajaxAspects: ['*']
}).then(async (zapClient) => {
  // Fetch the alerts ZAP raised for the target
  const alerts = await zapClient.getAlerts(targetUrl);
  console.log(alerts);
});
Conclusion
In this article we explored some common ZAP API calls from JavaScript. The ZAP API is a powerful tool for automating your security testing tasks.