ZAP API Guide
User Manual:
Page Count: 29
ZAP API Guide, Version 1.0

Contents

1. Overview ..... 2
   1.1. API Client Generation ..... 2
2. Getting Started ..... 3
   2.1. Configure Zap To Run Locally ..... 3
        2.1.1. Browser configuration ..... 3
        2.1.2. Configuring ZAP ..... 3
3. The Zap API UI ..... 5
   3.1. Standard API URLs ..... 5
4. How to Perform Tasks ..... 6
   4.1. Perform A Spider Scan ..... 6
   4.2. View The Status Of A Spider Scan ..... 6
   4.3. View The Results Of A Spider Scan ..... 6
5. ZAP API Functions ..... 7
   5.1. Components ..... 7
   5.2. Views & Actions ..... 8

1. Overview

Welcome to the ZAP API. ZAP provides a REST Application Programming Interface (API) which allows you to interact with ZAP programmatically. The REST API can be accessed directly or via one of the client implementations detailed below. It is documented briefly in the ZAP user guide.

1.1. API Client Generation

The ZAP API clients are created via code generation, which makes them much easier to maintain.

| Language | Download Links | Notes |
|---|---|---|
| Java | GitHub | Official API |
| Python | PyPI | Official API |
| Node.js | NPM | In process of becoming an official API |
| PHP | GitHub, Packagist | In process of becoming an official API |
| Ruby | GitHub | |

2. Getting Started

In order to be able to use the API when using the ZAP UI you have to first enable it.

1. Select Tools > Options to open the Options window
2. From the list on the left, select API
3. Check the Enabled box
4. Check the UI Enabled box
5. Copy the API Key for use later

If you run ZAP in 'headless' mode via the command line or 'daemon' mode using the -daemon flag then the API will be automatically enabled.

2.1. Configure Zap To Run Locally

Open your preferred browser and set up the proxy. The browser and ZAP need to have the same proxy settings.

2.1.1. Browser configuration

In Chrome, do the following:

1. Open the Chrome menu and select 'Settings'
2. Select 'Advanced'
3. Scroll down to 'System' and select 'Open proxy settings'
4. Ensure the 'Connections' tab is selected and click 'LAN Settings'
5. Select 'Use a proxy server for your LAN'
6. Enter the 'Address' e.g. localhost 127.0.0.1 and 'Port' number e.g. 8080
7. Click 'OK' to close the 'LAN Settings' dialog box
8. Click 'OK' to close the Internet Properties dialog box

2.1.2. Configuring ZAP

1. Start ZAP and select Tools > Options > Local Proxy. Make sure the port is set to 8080 (or the port you have configured in your browser).
2. Open any website using SSL in your browser and make sure the site shows up in the sites list.

If ZAP runs on localhost port 8080, go to your browser and open http://localhost:8080. You should see the ZAP API welcome page.

3. The Zap API UI

From the 'Welcome page', select 'Local API' to view a list of all the functionalities exposed via the ZAP API. These are known as Components. Selecting a component reveals API related 'Views' and 'Actions'.

VIEWS: return information
ACTIONS: control ZAP

The API is available in JSON, XML and HTML formats. The ZAP API UI is one way to interact with the ZAP API.

3.1. Standard API URLs

It is useful to copy API URLs into a text editor for later testing. The API URLs are of the form:

http://zap/<format>/<component>/<operation>/<action>/[?<parameters>]

The format can be 'JSON', 'XML' or 'HTML'. Example:

http://localhost:8080/JSON/spider/action/scan/?zapapiformat=JSON&Method=GET&url=http%3A%2F%2Fwebscantest.com&maxChildren=1&recurse=&contextName=&subtreeOnly=

In the above example, the following applies:

| Format | Component | Operation | Action | Parameters |
|---|---|---|---|---|
| JSON | spider | Action | Scan | url (http://www.webscantest.com), maxChildren (1), recurse (not set), contextName (not set), subtreeOnly (not set) |

4. How to Perform Tasks

The following are examples of tasks that can be performed via the ZAP API UI.

4.1. Perform A Spider Scan

To perform a spider on an application that is running locally, do the following:

1. Open the ZAP API UI here: http://localhost:8080
2. Select 'Local API' to view the list of components
3. Select 'spider'
4. From the list of 'Actions', select 'scan (url maxChildren recurse contextName subtreeOnly)' to open the scan dialog
5. Paste the apikey that you copied earlier. (If you no longer have it go to ZAP > Tools > Options and select API on the left)
6. Enter the URL required e.g. http://webscantest.com
7. Assign values for the other fields as required.
8. Click 'scan' to perform the scan; you will see a confirmation such as "scan=1"

4.2. View The Status Of A Spider Scan

1. From the spider component, scroll down the list of 'Views'
2. Select status(scanID)
3. Paste the apikey. Enter a scan ID if required.

You will see the following message if the scan is completed: "status":"100"

4.3. View The Results Of A Spider Scan

1. From the spider component, scroll down the list of 'Views'
2. Select results(scanID)
3. Paste the apikey. Enter a scan ID if required.

You will see the results of your scan.

5. ZAP API Functions

All components of ZAP can be interacted with as required using the basic ingredients of Components, Views and Actions.

5.1. Components

The following components are able to be interacted with via the ZAP API.

| Component | Description |
|---|---|
| acsrf | Anti-CSRF tokens to protect against Cross Site Request Forgery (CSRF) attacks. |
| ajaxSpider | AJAX Spider uses crawljax to crawl AJAX rich sites. |
| alertFilter | Alert Filters allow you to automatically override the risk levels of any alerts raised by the active and passive scan rules within a context. |
| ascan | Active scanning attempts to find potential vulnerabilities by using known attacks against the selected targets. |
| authentication | Handles multiple types of authentication for websites / webapps. |
| authorization | Authorization detection method set for a context. |
| autoupdate | Automatic updates. |
| break | Manages breakpoints during interception. |
| context | Manages URLs to include or exclude. |
| core | Core ZAP features. |
| forcedUser | Forced Browsing user settings. |
| httpSessions | Keeps track of the existing HTTP Sessions. |
| importurls | Import a file of URLs. |
| keyboard | Configure keyboard shortcuts. |
| localProxies | Configure the addresses and ports on which ZAP accepts incoming connections. |
| params | Parameters for a site or all sites. |
| pnh | Plug-n-Hack allows you to monitor client (browser) events in order to help test HTML5 applications. |
| pscan | Configure passive scanner. |
| quickstartlaunch | Perform a quick scan. |
| replacer | Replace strings in requests and responses. |
| reveal | Show hidden fields and enable disabled fields. |
| ruleConfig | Configure the behaviour of specific active and passive scan rules. |
| script | Run scripts that can be embedded within ZAP and can access internal ZAP data structures. |
| search | Search for regular expressions in all of the URLs, requests, responses, headers. |
| selenium | Set and view the paths to the required WebDrivers and binary. |
| sessionManagement | Handles multiple types of session management (called Session Management Methods) that can be used for websites / webapps. |
| spider | Automatically discover new resources (URLs) on a particular Site. |
| stats | Access to the stats now maintained by ZAP. |
| users | Representations of websites/webapps' users. They allow certain actions to be performed from the point of view of a user of the webapps. |
| websocket | Can be used by web applications or web sites to set up a bi-directional (two-way), full duplex communication channel over a single TCP connection. |

5.2. Views & Actions

The following views and actions are possible for the above listed components.
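The URL form from section 3.1 and the scan, status and results steps of sections 4.1 to 4.3 can be driven from a script instead of the API UI. The following is an added example, not code from the ZAP API Guide or from the ZAP project. It assumes ZAP listens on http://localhost:8080 as in the guide, that the key is passed as the `apikey` query parameter, and that the JSON views answer with `{"scan": "<id>"}`, `{"status": "<0..100>"}` and `{"results": [<url>, ...]}`; `FakeZap` is a constructed test double so the flow runs without a live ZAP.

```python
"""Spider scan driven through the ZAP REST API.

Added example, not code from the ZAP API Guide or the ZAP project. It builds
URLs of the shape http://zap/<format>/<component>/<operation>/<action>/?<parameters>
and runs the scan -> status -> results sequence of the guide's section 4.

Assumptions (not stated in the guide): ZAP listens on http://localhost:8080,
the key is sent as the 'apikey' query parameter, and the JSON views answer
{"scan": "<id>"}, {"status": "<0..100>"} and {"results": [<url>, ...]}.
"""
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://localhost:8080"  # assumed address, as in the guide's examples


def build_api_url(component, operation, action, params=None, fmt="JSON", base=ZAP_BASE):
    """Compose a ZAP API URL; values are percent-encoded, so a target of
    http://webscantest.com becomes url=http%3A%2F%2Fwebscantest.com as in the guide."""
    query = urllib.parse.urlencode(params or {})
    url = f"{base}/{fmt}/{component}/{operation}/{action}/"
    return f"{url}?{query}" if query else url


def http_get_json(url):
    """Real transport: GET the URL from a running ZAP and decode the JSON body."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def spider_scan(apikey, target, fetch=http_get_json, max_children=1,
                poll_interval=2.0, sleep=time.sleep):
    """Start a spider scan of 'target', poll spider/view/status until it
    reports 100, then return (scan_id, crawled_urls).

    'fetch' and 'sleep' are injectable so the flow can be exercised against the
    FakeZap below without a network or a running ZAP."""
    started = fetch(build_api_url("spider", "action", "scan", {
        "apikey": apikey, "url": target, "maxChildren": max_children,
        "recurse": "", "contextName": "", "subtreeOnly": ""}))
    if "scan" not in started:
        raise RuntimeError(f"spider/action/scan did not return a scan id: {started}")
    scan_id = str(started["scan"])

    while True:
        status = fetch(build_api_url("spider", "view", "status",
                                     {"apikey": apikey, "scanId": scan_id}))
        if int(status["status"]) >= 100:
            break
        sleep(poll_interval)

    results = fetch(build_api_url("spider", "view", "results",
                                  {"apikey": apikey, "scanId": scan_id}))
    return scan_id, list(results["results"])


class FakeZap:
    """Constructed stand-in for ZAP (a test double, not real ZAP behaviour):
    answers the three spider calls, rejects a wrong key, and reports progress
    50 -> 100 over successive status polls."""

    def __init__(self, apikey):
        self.apikey = apikey
        self.polls = 0
        self.paths = []

    def __call__(self, url):
        parts = urllib.parse.urlsplit(url)
        query = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
        self.paths.append(parts.path)
        if query.get("apikey") != self.apikey:
            raise PermissionError("wrong apikey")
        if parts.path == "/JSON/spider/action/scan/":
            return {"scan": "1"}
        if parts.path == "/JSON/spider/view/status/":
            self.polls += 1
            return {"status": str(min(100, 50 * self.polls))}
        if parts.path == "/JSON/spider/view/results/":
            return {"results": ["http://webscantest.com", "http://webscantest.com/login.php"]}
        raise ValueError("unexpected call: " + parts.path)


if __name__ == "__main__":
    # Offline run against the fake; pass fetch=http_get_json to talk to a live ZAP.
    fake = FakeZap("changeme")
    sid, urls = spider_scan("changeme", "http://webscantest.com", fetch=fake, sleep=lambda _: None)
    print(f"scan={sid} polls={fake.polls} urls={urls}")
```

The injected `fetch` is the design choice worth copying: the same `spider_scan` runs unchanged against a real instance or the fake, and the key check in the fake mirrors the guide's requirement that every call carries the API key.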
| Component | Name | Type | Parameters | Description |
|---|---|---|---|---|
| acsrf | optionTokensNames | view | | Lists the names of all anti-CSRF tokens |
| acsrf | addOptionToken | action | String* | Adds an anti-CSRF token with the given name, enabled by default |
| acsrf | removeOptionToken | action | String* | Removes the anti-CSRF token with the given name |
| acsrf | genForm | other | hrefId* | Generate a form for testing lack of anti-CSRF tokens, typically invoked via ZAP |
| pscan | scanOnlyInScope | view | | Tells whether or not the passive scan should be performed only on messages that are in scope. |
| pscan | recordsToScan | view | | The number of records the passive scanner still has to scan |
| pscan | scanners | view | | Lists all passive scanners with its ID, name, enabled state and alert threshold. |
| pscan | setEnabled | action | enabled* | Sets whether or not the passive scanning is enabled (Note: the enabled state is not persisted). |
| pscan | setScanOnlyInScope | action | onlyInScope* | Sets whether or not the passive scan should be performed only on messages that are in scope. |
| pscan | enableAllScanners | action | | Enables all passive scanners |
| pscan | disableAllScanners | action | | Disables all passive scanners |
| pscan | enableScanners | action | ids* | Enables all passive scanners with the given IDs (comma separated list of IDs) |
| pscan | disableScanners | action | ids* | Disables all passive scanners with the given IDs (comma separated list of IDs) |
| pscan | setScannerAlertThreshold | action | id* alertThreshold* | Sets the alert threshold of the passive scanner with the given ID, accepted values for alert threshold: OFF, DEFAULT, LOW, MEDIUM and HIGH |
| search | urlsByUrlRegex | view | regex* baseurl start count | |
| search | urlsByRequestRegex | view | regex* baseurl start count | |
| search | urlsByResponseRegex | view | regex* baseurl start count | |
| search | urlsByHeaderRegex | view | regex* baseurl start count | |
| search | messagesByUrlRegex | view | regex* baseurl start count | |
| search | messagesByRequestRegex | view | regex* baseurl start count | |
| search | messagesByResponseRegex | view | regex* baseurl start count | |
| search | messagesByHeaderRegex | view | regex* baseurl start count | |
| search | harByUrlRegex | other | regex* baseurl start count | |
| search | harByRequestRegex | other | regex* baseurl start count | |
| search | harByResponseRegex | other | regex* baseurl start count | |
| search | harByHeaderRegex | other | regex* baseurl start count | |
| autoupdate | latestVersionNumber | view | | Returns the latest version number |
| autoupdate | isLatestVersion | view | | Returns 'true' if ZAP is on the latest version |
| autoupdate | installedAddons | view | | Return a list of all of the installed add-ons |
| autoupdate | newAddons | view | | Return a list of any add-ons that have been added to the Marketplace since the last check for updates |
| autoupdate | updatedAddons | view | | Return a list of any add-ons that have been changed in the Marketplace since the last check for updates |
| autoupdate | marketplaceAddons | view | | Return a list of all of the add-ons on the ZAP Marketplace (this information is read once and then cached) |
| autoupdate | optionAddonDirectories | view | | |
| autoupdate | optionDayLastChecked | view | | |
| autoupdate | optionDayLastInstallWarned | view | | |
| autoupdate | optionDayLastUpdateWarned | view | | |
| autoupdate | optionDownloadDirectory | view | | |
| autoupdate | optionCheckAddonUpdates | view | | |
| autoupdate | optionCheckOnStart | view | | |
| autoupdate | optionDownloadNewRelease | view | | |
| autoupdate | optionInstallAddonUpdates | view | | |
| autoupdate | optionInstallScannerRules | view | | |
| autoupdate | optionReportAlphaAddons | view | | |
| autoupdate | optionReportBetaAddons | view | | |
| autoupdate | optionReportReleaseAddons | view | | |
| autoupdate | downloadLatestRelease | action | | Downloads the latest release, if any |
| autoupdate | installAddon | action | id* | Installs or updates the specified add-on, returning when complete (i.e. not asynchronously) |
| autoupdate | uninstallAddon | action | id* | Uninstalls the specified add-on |
| autoupdate | setOptionCheckAddonUpdates | action | Boolean* | |
| autoupdate | setOptionCheckOnStart | action | Boolean* | |
| autoupdate | setOptionDownloadNewRelease | action | Boolean* | |
| autoupdate | setOptionInstallAddonUpdates | action | Boolean* | |
| autoupdate | setOptionInstallScannerRules | action | Boolean* | |
| autoupdate | setOptionReportAlphaAddons | action | Boolean* | |
| autoupdate | setOptionReportBetaAddons | action | Boolean* | |
| autoupdate | setOptionReportReleaseAddons | action | Boolean* | |
| spider | status | view | scanId | |
| spider | results | view | scanId | |
| spider | fullResults | view | scanId* | |
| spider | scans | view | | |
| spider | excludedFromScan | view | | Gets the regexes of URLs excluded from the spider scans. |
| spider | allUrls | view | | Returns a list of unique URLs from the history table based on HTTP messages added by the Spider. |
| spider | addedNodes | view | scanId | Returns a list of the names of the nodes added to the Sites tree by the specified scan. |
| Component | Name | Type | Parameters | Description |
|---|---|---|---|---|
| spider | domainsAlwaysInScope | view | | Gets all the domains that are always in scope. For each domain the following are shown: the index, the value (domain), if enabled, and if specified as a regex. |
| spider | optionDomainsAlwaysInScope | view | | Use view domainsAlwaysInScope instead. |
| spider | optionDomainsAlwaysInScopeEnabled | view | | Use view domainsAlwaysInScope instead. |
| spider | optionHandleParameters | view | | |
| spider | optionMaxChildren | view | | Gets the maximum number of child nodes (per node) that can be crawled, 0 means no limit. |
| spider | optionMaxDepth | view | | |
| spider | optionMaxDuration | view | | |
| spider | optionMaxParseSizeBytes | view | | Gets the maximum size, in bytes, that a response might have to be parsed. |
| spider | optionMaxScansInUI | view | | |
| spider | optionRequestWaitTime | view | | |
| spider | optionScope | view | | |
| spider | optionScopeText | view | | |
| spider | optionSkipURLString | view | | |
| spider | optionThreadCount | view | | |
| spider | optionUserAgent | view | | |
| spider | optionAcceptCookies | view | | Gets whether or not a spider process should accept cookies while spidering. |
| spider | optionHandleODataParametersVisited | view | | |
| spider | optionParseComments | view | | |
| spider | optionParseGit | view | | |
| spider | optionParseRobotsTxt | view | | |
| spider | optionParseSVNEntries | view | | |
| spider | optionParseSitemapXml | view | | |
| spider | optionPostForm | view | | |
| spider | optionProcessForm | view | | |
| spider | optionSendRefererHeader | view | | Gets whether or not the 'Referer' header should be sent while spidering. |
| spider | optionShowAdvancedDialog | view | | |
| spider | scan | action | url maxChildren recurse contextName subtreeOnly | Runs the spider against the given URL (or context). Optionally, the 'maxChildren' parameter can be set to limit the number of children scanned, the 'recurse' parameter can be used to prevent the spider from seeding recursively, the parameter 'contextName' can be used to constrain the scan to a Context and the parameter 'subtreeOnly' allows to restrict the spider under a site's subtree (using the specified 'url'). |
| spider | scanAsUser | action | contextId* userId* url maxChildren recurse subtreeOnly | Runs the spider from the perspective of a User, obtained using the given Context ID and User ID. See 'scan' action for more details. |
| spider | pause | action | scanId* | |
| spider | resume | action | scanId* | |
| spider | stop | action | scanId | |
| spider | removeScan | action | scanId* | |
| spider | pauseAllScans | action | | |
| spider | resumeAllScans | action | | |
| spider | stopAllScans | action | | |
| spider | removeAllScans | action | | |
| spider | clearExcludedFromScan | action | | Clears the regexes of URLs excluded from the spider scans. |
| spider | excludeFromScan | action | regex* | Adds a regex of URLs that should be excluded from the spider scans. |
| spider | addDomainAlwaysInScope | action | value* isRegex isEnabled | Adds a new domain that's always in scope, using the specified value. Optionally sets if the new entry is enabled (default, true) and whether or not the new value is specified as a regex (default, false). |
| spider | modifyDomainAlwaysInScope | action | idx* value isRegex isEnabled | Modifies a domain that's always in scope. Allows to modify the value, if enabled or if a regex. The domain is selected with its index, which can be obtained with the view domainsAlwaysInScope. |
| spider | removeDomainAlwaysInScope | action | idx* | Removes a domain that's always in scope, with the given index. The index can be obtained with the view domainsAlwaysInScope. |
| spider | enableAllDomainsAlwaysInScope | action | | Enables all domains that are always in scope. |
| spider | disableAllDomainsAlwaysInScope | action | | Disables all domains that are always in scope. |
| spider | setOptionHandleParameters | action | String* | |
| spider | setOptionScopeString | action | String* | Use actions [add |
| spider | setOptionSkipURLString | action | String* | |
| spider | setOptionUserAgent | action | String* | |
| spider | setOptionAcceptCookies | action | Boolean* | Sets whether or not a spider process should accept cookies while spidering. |
| spider | setOptionHandleODataParametersVisited | action | Boolean* | |
| spider | setOptionMaxChildren | action | Integer* | Sets the maximum number of child nodes (per node) that can be crawled, 0 means no limit. |
| spider | setOptionMaxDepth | action | Integer* | |
| spider | setOptionMaxDuration | action | Integer* | |
| spider | setOptionMaxParseSizeBytes | action | Integer* | Sets the maximum size, in bytes, that a response might have to be parsed. This allows the spider to skip big responses/files. |
| spider | setOptionMaxScansInUI | action | Integer* | |
| spider | setOptionParseComments | action | Boolean* | |
| spider | setOptionParseGit | action | Boolean* | |
| spider | setOptionParseRobotsTxt | action | Boolean* | |
| spider | setOptionParseSVNEntries | action | Boolean* | |
| spider | setOptionParseSitemapXml | action | Boolean* | |
| spider | setOptionPostForm | action | Boolean* | |
| spider | setOptionProcessForm | action | Boolean* | |
| spider | setOptionRequestWaitTime | action | Integer* | |
| Component | Name | Type | Parameters | Description |
|---|---|---|---|---|
| spider | setOptionSendRefererHeader | action | Boolean* | Sets whether or not the 'Referer' header should be sent while spidering. |
| spider | setOptionShowAdvancedDialog | action | Boolean* | |
| spider | setOptionThreadCount | action | Integer* | |
| core | alert | view | id* | Gets the alert with the given ID, the corresponding HTTP message can be obtained with the 'messageId' field and 'message' API method |
| core | alerts | view | baseurl start count riskId | Gets the alerts raised by ZAP, optionally filtering by URL or riskId, and paginating with 'start' position and 'count' of alerts |
| core | alertsSummary | view | baseurl | Gets number of alerts grouped by each risk level, optionally filtering by URL |
| core | numberOfAlerts | view | baseurl riskId | Gets the number of alerts, optionally filtering by URL or riskId |
| core | hosts | view | | Gets the name of the hosts accessed through/by ZAP |
| core | sites | view | | Gets the sites accessed through/by ZAP (scheme and domain) |
| core | urls | view | baseurl | Gets the URLs accessed through/by ZAP, optionally filtering by (base) URL. |
| core | message | view | id* | Gets the HTTP message with the given ID. Returns the ID, request/response headers and bodies, cookies, note, type, RTT, and timestamp. |
| core | messages | view | baseurl start count | Gets the HTTP messages sent by ZAP, request and response, optionally filtered by URL and paginated with 'start' position and 'count' of messages |
| core | messagesById | view | ids* | Gets the HTTP messages with the given IDs. |
| core | numberOfMessages | view | baseurl | Gets the number of messages, optionally filtering by URL |
| core | mode | view | | Gets the mode |
| core | version | view | | Gets ZAP version |
| core | excludedFromProxy | view | | Gets the regular expressions, applied to URLs, to exclude from the local proxies. |
| core | homeDirectory | view | | |
| core | sessionLocation | view | | Gets the location of the current session file |
| core | proxyChainExcludedDomains | view | | Gets all the domains that are excluded from the outgoing proxy. For each domain the following are shown: the index, the value (domain), if enabled, and if specified as a regex. |
| core | optionProxyChainSkipName | view | | Use view proxyChainExcludedDomains instead. |
| core | optionProxyExcludedDomains | view | | Use view proxyChainExcludedDomains instead. |
| core | optionProxyExcludedDomainsEnabled | view | | Use view proxyChainExcludedDomains instead. |
| core | zapHomePath | view | | Gets the path to ZAP's home directory. |
| core | optionMaximumAlertInstances | view | | Gets the maximum number of alert instances to include in a report. |
| core | optionMergeRelatedAlerts | view | | Gets whether or not related alerts will be merged in any reports generated. |
| core | optionAlertOverridesFilePath | view | | Gets the path to the file with alert overrides. |
| core | optionDefaultUserAgent | view | | Gets the user agent that ZAP should use when creating HTTP messages (for example, spider messages or CONNECT requests to outgoing proxy). |
| core | optionDnsTtlSuccessfulQueries | view | | Gets the TTL (in seconds) of successful DNS queries. |
| core | optionHttpState | view | | |
| core | optionProxyChainName | view | | |
| core | optionProxyChainPassword | view | | |
| core | optionProxyChainPort | view | | |
| core | optionProxyChainRealm | view | | |
| core | optionProxyChainUserName | view | | |
| core | optionTimeoutInSecs | view | | |
| core | optionHttpStateEnabled | view | | |
| core | optionProxyChainPrompt | view | | |
| core | optionSingleCookieRequestHeader | view | | |
| core | optionUseProxyChain | view | | |
| core | optionUseProxyChainAuth | view | | |
| core | accessUrl | action | url* followRedirects | Convenient and simple action to access a URL, optionally following redirections. Returns the request sent and response received and followed redirections, if any. Other actions are available which offer more control on what is sent, like 'sendRequest' or 'sendHarRequest'. |
| core | shutdown | action | | Shuts down ZAP |
| core | newSession | action | name overwrite | Creates a new session, optionally overwriting existing files. If a relative path is specified it will be resolved against the "session" directory in ZAP "home" dir. |
| core | loadSession | action | name* | Loads the session with the given name. If a relative path is specified it will be resolved against the "session" directory in ZAP "home" dir. |
| core | saveSession | action | name* overwrite | Saves the session with the name supplied, optionally overwriting existing files. If a relative path is specified it will be resolved against the "session" directory in ZAP "home" dir. |
| core | snapshotSession | action | | |
| core | clearExcludedFromProxy | action | | Clears the regexes of URLs excluded from the local proxies. |
| core | excludeFromProxy | action | regex* | Adds a regex of URLs that should be excluded from the local proxies. |
| core | setHomeDirectory | action | dir* | |
| core | setMode | action | mode* | Sets the mode, which may be one of [safe, protect, standard, attack] |
| core | generateRootCA | action | | Generates a new Root CA certificate for the local proxies. |
| core | sendRequest | action | request* followRedirects | Sends the HTTP request, optionally following redirections. Returns the request sent and response received and followed redirections, if any. The Mode is enforced when sending the request (and following redirections), custom manual requests are not allowed in 'Safe' mode nor in 'Protected' mode if out of scope. |
| core | deleteAllAlerts | action | | Deletes all alerts of the current session. |
| core | deleteAlert | action | id* | Deletes the alert with the given ID. |
| core | runGarbageCollection | action | | |
| core | deleteSiteNode | action | url* method postData | Deletes the site node found in the Sites Tree on the basis of the URL, HTTP method, and post data (if applicable and specified). |
| core | addProxyChainExcludedDomain | action | value* isRegex isEnabled | Adds a domain to be excluded from the outgoing proxy, using the specified value. Optionally sets if the new entry is enabled (default, true) and whether or not the new value is specified as a regex (default, false). |
| core | modifyProxyChainExcludedDomain | action | idx* value isRegex isEnabled | Modifies a domain excluded from the outgoing proxy. Allows to modify the value, if enabled or if a regex. The domain is selected with its index, which can be obtained with the view proxyChainExcludedDomains. |
| core | removeProxyChainExcludedDomain | action | idx* | Removes a domain excluded from the outgoing proxy, with the given index. The index can be obtained with the view proxyChainExcludedDomains. |
| core | enableAllProxyChainExcludedDomains | action | | Enables all domains excluded from the outgoing proxy. |
| core | disableAllProxyChainExcludedDomains | action | | Disables all domains excluded from the outgoing proxy. |
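The core `alerts` view above pages with `start` and `count`, and `alertsSummary` groups the same alerts by risk level. The following added example (not code from the ZAP API Guide or the ZAP project) walks every page of `alerts` and rebuilds that per-risk summary so a scripted run can stop on findings. It assumes ZAP at http://localhost:8080, the key sent as `apikey`, and a JSON answer of the form `{"alerts": [{"alert": <name>, "risk": "High"|"Medium"|"Low"|"Informational", "url": <url>, ...}, ...]}` that returns a short or empty page once `start` is past the end; `SAMPLE_ALERTS` and `FakeAlerts` are constructed stand-ins, not real scan output.

```python
"""Paging through ZAP's alerts and gating on risk.

Added example, not code from the ZAP API Guide or the ZAP project.

Assumptions (not stated in the guide): ZAP listens on http://localhost:8080,
the key is sent as 'apikey', and core/view/alerts answers
{"alerts": [{"alert": <name>, "risk": <level>, "url": <url>, ...}, ...]},
returning fewer than 'count' entries (eventually none) past the end.
"""
import json
import urllib.parse
import urllib.request

ZAP_BASE = "http://localhost:8080"  # assumed address, as in the guide's examples
RISK_ORDER = ("High", "Medium", "Low", "Informational")  # assumed risk labels


def api_url(component, operation, action, params, base=ZAP_BASE):
    """Compose http://zap/<format>/<component>/<operation>/<action>/?<parameters>."""
    return f"{base}/JSON/{component}/{operation}/{action}/?{urllib.parse.urlencode(params)}"


def http_get_json(url):
    """Real transport: GET from a running ZAP and decode the JSON body."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def fetch_all_alerts(apikey, fetch=http_get_json, baseurl=None, page_size=100):
    """Walk core/view/alerts with start/count until a short page comes back."""
    alerts, start = [], 0
    while True:
        params = {"apikey": apikey, "start": start, "count": page_size}
        if baseurl:
            params["baseurl"] = baseurl
        page = fetch(api_url("core", "view", "alerts", params)).get("alerts", [])
        alerts.extend(page)
        if len(page) < page_size:
            return alerts
        start += page_size


def summarise_by_risk(alerts):
    """Count alerts per risk level, keyed in descending severity like alertsSummary.
    Repeated (name, url) pairs are counted once so re-scans do not inflate totals."""
    seen, counts = set(), {risk: 0 for risk in RISK_ORDER}
    for a in alerts:
        key = (a.get("alert"), a.get("url"))
        if key in seen:
            continue
        seen.add(key)
        risk = a.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
    return counts


def exceeds(counts, fail_on="Medium"):
    """True if any alert sits at or above the given risk level."""
    limit = RISK_ORDER.index(fail_on)
    return any(counts.get(risk, 0) for risk in RISK_ORDER[:limit + 1])


# Constructed sample alerts (not real scan output), used by the fake below.
SAMPLE_ALERTS = [
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "url": "http://webscantest.com/"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "url": "http://webscantest.com/login.php"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "url": "http://webscantest.com/"},
    {"alert": "Cookie Without Secure Flag", "risk": "Low", "url": "http://webscantest.com/login.php"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "url": "http://webscantest.com/search.php"},
    {"alert": "Absence of Anti-CSRF Tokens", "risk": "Medium", "url": "http://webscantest.com/login.php"},
    {"alert": "Information Disclosure - Comments", "risk": "Informational", "url": "http://webscantest.com/"},
]


class FakeAlerts:
    """Test double for the alerts view: slices SAMPLE_ALERTS by start/count."""

    def __init__(self, alerts=SAMPLE_ALERTS):
        self.alerts, self.calls = alerts, 0

    def __call__(self, url):
        self.calls += 1
        q = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))
        start, count = int(q["start"]), int(q["count"])
        return {"alerts": self.alerts[start:start + count]}


if __name__ == "__main__":
    # Offline run against the fake; pass fetch=http_get_json for a live ZAP.
    fake = FakeAlerts()
    counts = summarise_by_risk(fetch_all_alerts("changeme", fetch=fake, page_size=3))
    print(counts, "pages fetched:", fake.calls, "fail build:", exceeds(counts))
```

Paging explicitly rather than asking for one huge `count` keeps memory bounded on long sessions, and the short-page stop condition means the loop also terminates cleanly when the first page is already empty.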
| Component | Name | Type | Parameters | Description |
|---|---|---|---|---|
| core | setOptionMaximumAlertInstances | action | numberOfInstances* | Sets the maximum number of alert instances to include in a report. A value of zero is treated as unlimited. |
| core | setOptionMergeRelatedAlerts | action | enabled* | Sets whether or not related alerts will be merged in any reports generated. |
| core | setOptionAlertOverridesFilePath | action | filePath | Sets (or clears, if empty) the path to the file with alert overrides. |
| core | setOptionDefaultUserAgent | action | String* | Sets the user agent that ZAP should use when creating HTTP messages (for example, spider messages or CONNECT requests to outgoing proxy). |
| core | setOptionProxyChainName | action | String* | |
| core | setOptionProxyChainPassword | action | String* | |
| core | setOptionProxyChainRealm | action | String* | |
| core | setOptionProxyChainSkipName | action | String* | Use actions [add |
| core | setOptionProxyChainUserName | action | String* | |
| core | setOptionDnsTtlSuccessfulQueries | action | Integer* | Sets the TTL (in seconds) of successful DNS queries (applies after ZAP restart). |
| core | setOptionHttpStateEnabled | action | Boolean* | |
| core | setOptionProxyChainPort | action | Integer* | |
| core | setOptionProxyChainPrompt | action | Boolean* | |
| core | setOptionSingleCookieRequestHeader | action | Boolean* | |
| core | setOptionTimeoutInSecs | action | Integer* | |
| core | setOptionUseProxyChain | action | Boolean* | Sets whether or not the outgoing proxy should be used. The address/hostname of the outgoing proxy must be set to enable this option. |
| core | setOptionUseProxyChainAuth | action | Boolean* | |
| core | proxy.pac | other | | |
| core | rootcert | other | | Gets the Root CA certificate used by the local proxies. |
| core | setproxy | other | proxy* | |
| core | xmlreport | other | | Generates a report in XML format |
| core | htmlreport | other | | Generates a report in HTML format |
| core | jsonreport | other | | Generates a report in JSON format |
| core | mdreport | other | | Generates a report in Markdown format |
| core | messageHar | other | id* | Gets the message with the given ID in HAR format |
| core | messagesHar | other | baseurl start count | Gets the HTTP messages sent through/by ZAP, in HAR format, optionally filtered by URL and paginated with 'start' position and 'count' of messages |
| core | messagesHarById | other | ids* | Gets the HTTP messages with the given IDs, in HAR format. |
| core | sendHarRequest | other | request* followRedirects | Sends the first HAR request entry, optionally following redirections. Returns, in HAR format, the request sent and response received and followed redirections, if any. The Mode is enforced when sending the request (and following redirections), custom manual requests are not allowed in 'Safe' mode nor in 'Protected' mode if out of scope. |
| params | params | view | site | Shows the parameters for the specified site, or for all sites if the site is not specified |
| ascan | status | view | scanId | |
| ascan | scanProgress | view | scanId | |
| ascan | messagesIds | view | scanId* | Gets the IDs of the messages sent during the scan with the given ID. A message can be obtained with 'message' core view. |
| ascan | alertsIds | view | scanId* | Gets the IDs of the alerts raised during the scan with the given ID. An alert can be obtained with 'alert' core view. |
| ascan | scans | view | | |
| ascan | scanPolicyNames | view | | |
| ascan | excludedFromScan | view | | Gets the regexes of URLs excluded from the active scans. |
| ascan | scanners | view | scanPolicyName policyId | |
| ascan | policies | view | scanPolicyName policyId | |
| ascan | attackModeQueue | view | | |
| ascan | excludedParams | view | | Gets all the parameters that are excluded. For each parameter the following are shown: the name, the URL, and the parameter type. |
| ascan | optionExcludedParamList | view | | Use view excludedParams instead. |
| ascan | excludedParamTypes | view | | Gets all the types of excluded parameters. For each type the following are shown: the ID and the name. |
| ascan | optionAttackPolicy | view | | |
| ascan | optionDefaultPolicy | view | | |
| ascan | optionDelayInMs | view | | |
| ascan | optionHandleAntiCSRFTokens | view | | |
| ascan | optionHostPerScan | view | | |
| ascan | optionMaxChartTimeInMins | view | | |
| ascan | optionMaxResultsToList | view | | |
| ascan | optionMaxRuleDurationInMins | view | | |
| ascan | optionMaxScanDurationInMins | view | | |
| ascan | optionMaxScansInUI | view | | |
| ascan | optionTargetParamsEnabledRPC | view | | |
| ascan | optionTargetParamsInjectable | view | | |
| ascan | optionThreadPerHost | view | | |
| ascan | optionAllowAttackOnStart | view | | |
| ascan | optionInjectPluginIdInHeader | view | | Tells whether or not the active scanner should inject the HTTP request header X-ZAP-Scan-ID, with the ID of the scanner that's sending the requests. |
| ascan | optionPromptInAttackMode | view | | |
| ascan | optionPromptToClearFinishedScans | view | | |
| ascan | optionRescanInAttackMode | view | | |
| ascan | optionScanHeadersAllRequests | view | | Tells whether or not the HTTP Headers of all requests should be scanned. Not just requests that send parameters, through the query or request body. |
| ascan | optionShowAdvancedDialog | view | | |
| ascan | scan | action | url recurse inScopeOnly scanPolicyName method postData contextId | Runs the active scanner against the given URL and/or Context. Optionally, the 'recurse' parameter can be used to scan URLs under the given URL, the parameter 'inScopeOnly' can be used to constrain the scan to URLs that are in scope (ignored if a Context is specified), the parameter 'scanPolicyName' allows to specify the scan policy (if none is given it uses the default scan policy), the parameters 'method' and 'postData' allow to select a given request in conjunction with the given URL. |
| ascan | scanAsUser | action | url contextId userId recurse scanPolicyName method postData | Active Scans from the perspective of a User, obtained using the given Context ID and User ID. See 'scan' action for more details. |
| ascan | pause | action | scanId* | |
| ascan | resume | action | scanId* | |
| ascan | stop | action | scanId* | |
| ascan | removeScan | action | scanId* | |
| ascan | pauseAllScans | action | | |
| ascan | resumeAllScans | action | | |
| ascan | stopAllScans | action | | |
| ascan | removeAllScans | action | | |
| ascan | clearExcludedFromScan | action | | Clears the regexes of URLs excluded from the active scans. |
| ascan | excludeFromScan | action | regex* | Adds a regex of URLs that should be excluded from the active scans. |
| ascan | enableAllScanners | action | scanPolicyName | |
| ascan | disableAllScanners | action | scanPolicyName | |
| ascan | enableScanners | action | ids* scanPolicyName | |
| ascan | disableScanners | action | ids* scanPolicyName | |
| ascan | setEnabledPolicies | action | ids* scanPolicyName | |
21 ZAP API Guide> ZAP API Functions > Views & Actions Component ascan Name setPolicyAttackStrength Type action ascan setPolicyAlertThreshold action ascan setScannerAttackStrength action ascan setScannerAlertThreshold action ascan addScanPolicy action ascan removeScanPolicy action ascan updateScanPolicy action ascan importScanPolicy action scanPolicyName* alertThreshold attackStrength path* ascan addExcludedParam action name* type url ascan modifyExcludedParam action idx* name type url ascan removeExcludedParam action idx* ascan skipScanner action scanId* scannerId* ascan setOptionAttackPolicy action String* ascan setOptionDefaultPolicy action String* ascan setOptionAllowAttackOnSta rt setOptionDelayInMs action Boolean* action Integer* ascan Parameters id* attackStrength* scanPolicyName id* alertThreshold* scanPolicyName id* attackStrength* scanPolicyName id* alertThreshold* scanPolicyName scanPolicyName* alertThreshold attackStrength scanPolicyName* Description Imports a Scan Policy using the given file system path. Adds a new parameter excluded from the scan, using the specified name. Optionally sets if the new entry applies to a specific URL (default, all URLs) and sets the ID of the type of the parameter (default, ID of any type). The type IDs can be obtained with the view excludedParamTypes. Modifies a parameter excluded from the scan. Allows to modify the name, the URL and the type of parameter. The parameter is selected with its index, which can be obtained with the view excludedParams. Removes a parameter excluded from the scan, with the given index. The index can be obtained with the view excludedParams. Skips the scanner using the given IDs of the scan and the scanner. 
22 ZAP API Guide> ZAP API Functions > Views & Actions Component ascan Name setOptionHandleAntiCSRFTo kens setOptionHostPerScan Type action Parameters Boolean* action Integer* ascan setOptionInjectPluginIdInHe ader action Boolean* ascan setOptionMaxChartTimeInM ins setOptionMaxResultsToList action Integer* action Integer* setOptionMaxRuleDurationI nMins setOptionMaxScanDurationI nMins setOptionMaxScansInUI action Integer* action Integer* action Integer* setOptionPromptInAttackM ode setOptionPromptToClearFini shedScans setOptionRescanInAttackMo de setOptionScanHeadersAllRe quests action Boolean* action Boolean* action Boolean* action Boolean* action Boolean* action Integer* action Integer* ascan setOptionShowAdvancedDia log setOptionTargetParamsEnab ledRPC setOptionTargetParamsInjec table setOptionThreadPerHost action Integer* context contextList view context excludeRegexs view contextName* context includeRegexs view contextName* context context view contextName* context technologyList view context includedTechnologyList view contextName* context excludedTechnologyList view contextName* ascan ascan ascan ascan ascan ascan ascan ascan ascan ascan ascan ascan Description Sets whether or not the active scanner should inject the HTTP request header XZAP-Scan-ID, with the ID of the scanner that's sending the requests. Sets whether or not the HTTP Headers of all requests should be scanned. Not just requests that send parameters, through the query or request body. 
List context names of current session List excluded regexs for context List included regexs for context List the information about the named context Lists the names of all built in technologies Lists the names of all technologies included in a context Lists the names of all technologies excluded from a context 23 ZAP API Guide> ZAP API Functions > Views & Actions Component context Name excludeFromContext Type action context includeInContext action context newContext action Parameters contextName* regex* contextName* regex* contextName* context removeContext action contextName* context exportContext action contextName* contextFile* context importContext action contextFile* context includeContextTechnologies action context includeAllContextTechnologi es excludeContextTechnologies action contextName* technologyName s* contextName* action contextName* technologyName s* context excludeAllContextTechnolog ies action contextName* context setContextInScope action contextName* booleanInScope* httpSessions sites view httpSessions sessions view site* session httpSessions activeSession view site* httpSessions sessionTokens view site* httpSessions createEmptySession action site* session httpSessions removeSession action site* session* httpSessions setActiveSession action site* session* context Description Add exclude regex to context Add include regex to context Creates a new context with the given name in the current session Removes a context in the current session Exports the context with the given name to a file. If a relative file path is specified it will be resolved against the "contexts" directory in ZAP "home" dir. Imports a context from a file. If a relative file path is specified it will be resolved against the "contexts" directory in ZAP "home" dir. 
Includes technologies with the given names, separated by a comma, to a context Includes all built in technologies in to a context Excludes technologies with the given names, separated by a comma, from a context Excludes all built in technologies from a context Sets a context to in scope (contexts are in scope by default) Gets all of the sites that have sessions. Gets the sessions for the given site. Optionally returning just the session with the given name. Gets the name of the active session for the given site. Gets the names of the session tokens for the given site. Creates an empty session for the given site. Optionally with the given name. Removes the session from the given site. Sets the given session as active for the given site. 24 ZAP API Guide> ZAP API Functions > Views & Actions Component httpSessions Name unsetActiveSession Type action Parameters site* httpSessions addSessionToken action httpSessions removeSessionToken action httpSessions setSessionTokenValue action httpSessions renameSession action site* sessionToken* site* sessionToken* site* session* sessionToken* tokenValue* site* oldSessionName* newSessionName * break isBreakAll view break isBreakRequest view break isBreakResponse view break httpMessage view break break action type* state* scope break setHttpMessage action httpHeader* httpBody break continue action break step action break drop action Description Unsets the active session of the given site. Adds the session token to the given site. Removes the session token from the given site. Sets the value of the session token of the given session for the given site. Renames the session of the given site. Returns True if ZAP will break on both requests and responses Returns True if ZAP will break on requests Returns True if ZAP will break on responses Returns the HTTP message currently intercepted (if any) Controls the global break functionality. The type may be one of: http-all, httprequest or http-response. 
The state may be true (for turning break on for the specified type) or false (for turning break off). Scope is not currently used. Overwrites the currently intercepted message with the data provided Submits the currently intercepted message and unsets the global request/response break points Submits the currently intercepted message, the next request or response will automatically be intercepted Drops the currently intercepted message 25 ZAP API Guide> ZAP API Functions > Views & Actions Component break Name addHttpBreakpoint Type action Parameters string* location* match* inverse* ignorecase* break removeHttpBreakpoint action string* location* match* inverse* ignorecase* authentication view authentication getSupportedAuthentication Methods getAuthenticationMethodCo nfigParams getAuthenticationMethod view authMethodNam e* contextId* authentication getLoggedInIndicator view contextId* authentication getLoggedOutIndicator view contextId* authentication setAuthenticationMethod action authentication setLoggedInIndicator action authentication setLoggedOutIndicator action authorization getAuthorizationDetectionM ethod view contextId* authMethodNam e* authMethodConfi gParams contextId* loggedInIndicator Regex* contextId* loggedOutIndicat orRegex* contextId* authorization setBasicAuthorizationDetect ionMethod action authentication view contextId* headerRegex bodyRegex statusCode logicalOperator Description Adds a custom HTTP breakpont. The string is the string to match. Location may be one of: url, request_header, request_body, response_header or response_body. Match may be: contains or regex. Inverse (match) may be true or false. Lastly, ignorecase (when matching the string) may be true or false. Removes the specified break point Obtains all the configuration of the authorization detection method that is currently set for a context. 
Sets the authorization detection method for a context as one that identifies un-authorized messages based on: the message's status code or a regex pattern in the response's header or body. Also, whether all conditions must match or just some can be specified via the logicalOperator parameter, which accepts two values: "AND" (default), "OR". 26 ZAP API Guide> ZAP API Functions > Views & Actions Component sessionManag ement sessionManag ement sessionManag ement sessionManag ement Name getSupportedSessionManag ementMethods getSessionManagementMet hodConfigParams getSessionManagementMet hod setSessionManagementMet hod Type view Parameters view methodName* view contextId* action users usersList view contextId* methodName* methodConfigPar ams contextId users getUserById view contextId userId users view contextId* view users getAuthenticationCredential sConfigParams getAuthenticationCredential s newUser users removeUser action users setUserEnabled action users setUserName action users setAuthenticationCredential s action contextId* userId* contextId* name* contextId* userId* contextId* userId* enabled* contextId* userId* name* contextId* userId* authCredentialsC onfigParams forcedUser isForcedUserModeEnabled view forcedUser getForcedUser view contextId* forcedUser setForcedUser action contextId* userId* forcedUser setForcedUserModeEnabled action boolean* script listEngines view script listScripts view script enable action scriptName* script disable action scriptName* users action Description Returns 'true' if 'forced user' mode is enabled, 'false' otherwise Gets the user (ID) set as 'forced user' for the given context (ID) Sets the user (ID) that should be used in 'forced user' mode for the given context (ID) Sets if 'forced user' mode should be enabled or not Lists the script engines available Lists the scripts available, with its engine, name, description, type and error state. 
Enables the script with the given name Disables the script with the given name 27 ZAP API Guide> ZAP API Functions > Views & Actions Component script Name load Type action Parameters scriptName* scriptType* scriptEngine* fileName* scriptDescription charset script remove action scriptName* script runStandAloneScript action scriptName* stats stats stats allSitesStats view view keyPrefix keyPrefix stats siteStats view site* keyPrefix stats optionStatsdHost view stats optionStatsdPort view stats optionStatsdPrefix view stats optionInMemoryEnabled view stats optionStatsdEnabled view stats stats clearStats setOptionStatsdHost action action keyPrefix String* stats setOptionStatsdPrefix action String* stats setOptionInMemoryEnabled action Boolean* stats setOptionStatsdPort action Integer* Description Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). Removes the script with the given name Runs the stand alone script with the give name Statistics Gets all of the site based statistics, optionally filtered by a key prefix Gets all of the global statistics, optionally filtered by a key prefix Gets the Statsd service hostname Gets the Statsd service port Gets the prefix to be applied to all stats sent to the configured Statsd service Returns 'true' if in memory statistics are enabled, otherwise returns 'false' Returns 'true' if a Statsd server has been correctly configured, otherwise returns 'false' Clears all of the statistics Sets the Statsd service hostname, supply an empty string to stop using a Statsd service Sets the prefix to be applied to all stats sent to the configured Statsd service Sets whether in memory statistics are enabled Sets the Statsd service port * Starred parameters are mandatory. 28
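A small request builder, added here as an example (not code from the guide or from the ZAP project), that turns rows of the table above into API request URLs and refuses calls that omit a starred parameter or use a value outside the fixed sets the guide lists (break type, breakpoint location/match, logicalOperator). It assumes the ZAP API URL layout http://<host>/JSON/<component>/<type>/<name>/?<params> and an 'apikey' query parameter; the subset of functions in SPEC, the base URL and the sample values are constructed for the example.

```python
# Added example, not from the ZAP API Guide. Assumes the ZAP API URL layout
# http://<host>/JSON/<component>/<type>/<name>/?<params> and an 'apikey' query parameter.
from urllib.parse import urlencode

# Subset of the reference table: (component, type, name) -> (mandatory, optional) parameters.
SPEC = {
    ("ascan", "action", "scan"): ((), ("url", "recurse", "inScopeOnly", "scanPolicyName",
                                        "method", "postData", "contextId")),
    ("ascan", "action", "excludeFromScan"): (("regex",), ()),
    ("break", "action", "break"): (("type", "state"), ("scope",)),
    ("break", "action", "addHttpBreakpoint"): (("string", "location", "match", "inverse", "ignorecase"), ()),
    ("authorization", "action", "setBasicAuthorizationDetectionMethod"):
        (("contextId",), ("headerRegex", "bodyRegex", "statusCode", "logicalOperator")),
}
# Fixed value sets the guide lists for some parameters.
ALLOWED = {
    "type": {"http-all", "http-request", "http-response"},
    "location": {"url", "request_header", "request_body", "response_header", "response_body"},
    "match": {"contains", "regex"},
    "logicalOperator": {"AND", "OR"},
}

def _as_str(value):
    # ZAP takes Boolean parameters as lowercase true/false.
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)

def check_call(component, kind, name, params):
    """Return the problems with a planned call (an empty list means it is well-formed)."""
    spec = SPEC.get((component, kind, name))
    if spec is None:
        return [f"unknown API function {component}/{kind}/{name}"]
    mandatory, optional = spec
    problems = [f"missing mandatory parameter: {p}" for p in mandatory if p not in params]
    problems += [f"unknown parameter: {p}" for p in params if p not in mandatory + optional]
    for p, allowed in ALLOWED.items():
        if p in params and _as_str(params[p]) not in allowed:
            problems.append(f"{p} must be one of {sorted(allowed)}, got {params[p]!r}")
    return problems

def build_url(component, kind, name, params, base="http://zap", apikey=None):
    """Build the request URL for one call, rejecting malformed calls before anything is sent."""
    problems = check_call(component, kind, name, params)
    if problems:
        raise ValueError("; ".join(problems))
    query = {p: _as_str(v) for p, v in params.items()}
    if apikey:
        query["apikey"] = apikey  # assumed query-parameter name for the ZAP API key
    return f"{base}/JSON/{component}/{kind}/{name}/?{urlencode(query)}"

if __name__ == "__main__":  # constructed sample: break on requests only, then check a bad call
    print(build_url("break", "action", "break", {"type": "http-request", "state": True}))
    print(check_call("break", "action", "break", {"type": "http-get", "state": True}))
```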
Source Exif data: PDF (version 1.5, not linearized, tagged, 29 pages); Language: en-GB; Title: ZAP API Guide; Author: Anita Diamond; Creator/Producer: Microsoft Word 2010; Created and modified 2018-03-25 22:13:59+01:00.