I'm curious as to how ZAP can be used to test RESTAPIs in the context of API security. Is it just the OpenAPI add on that can be used or are there other(more effective) methods?
There's a ZAP FAQ for that :) https://www.zaproxy.org/faq/how-can-you-use-zap-to-scan-apis/ :
ZAP understands API formats like JSON and XML and so can be used to scan APIs.
The problem is usually how to effectively explore the APIs.
There are various options:
The add-ons are available from the ZAP Marketplace.
Once ZAP knows about the URL endpoints it can scan them in the same way as it scans HTML based web sites.
If you don't have any of these things then post to the ZAP User Group explaining what you are trying to do and the problems you are having.
For more details see the blog post Scanning APIs with ZAP.
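As an added example (not part of the FAQ or of the ZAP project's own code), here is a small Python script that walks an OpenAPI 3 document and enumerates the concrete method/URL pairs ZAP would need to know about, substituting path parameters and appending example query parameters, then emits them as a plain one-URL-per-line list of the kind ZAP's Import URLs add-on reads. The OpenAPI document is constructed for the example, and the fallback value "1" for parameters without an example or default is an assumed placeholder.

```python
import json
from urllib.parse import urljoin
# Constructed sample OpenAPI 3 document standing in for a real API definition.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.0",
  "servers": [{"url": "https://api.example.test/v1"}],
  "paths": {
    "/users": {"get": {}, "post": {}},
    "/users/{userId}": {
      "get": {"parameters": [{"name": "userId", "in": "path", "example": 42}]},
      "delete": {"parameters": [{"name": "userId", "in": "path"}]}
    },
    "/admin/export": {"get": {"parameters": [{"name": "format", "in": "query", "example": "csv"}]}}
  }
}
""")
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}

def _param_value(param):
    """Concrete value for a parameter: its example, else its schema default, else "1" (assumed placeholder)."""
    return str(param.get("example", param.get("schema", {}).get("default", "1")))

def enumerate_endpoints(spec):
    """Return (METHOD, URL) pairs with path params substituted and example query params appended."""
    base = spec["servers"][0]["url"].rstrip("/") + "/"
    endpoints = []
    for path, item in spec["paths"].items():
        for method, op in item.items():
            if method not in HTTP_METHODS:   # skips path-level keys such as "parameters"
                continue
            # Path-level parameters apply to every operation; operation-level ones are added.
            params = item.get("parameters", []) + (op or {}).get("parameters", [])
            url_path, query = path, []
            for p in params:
                if p.get("in") == "path":
                    url_path = url_path.replace("{%s}" % p["name"], _param_value(p))
                elif p.get("in") == "query":
                    query.append("%s=%s" % (p["name"], _param_value(p)))
            url = urljoin(base, url_path.lstrip("/"))
            if query:
                url += "?" + "&".join(query)
            endpoints.append((method.upper(), url))
    return endpoints

def to_url_list(spec):
    """One URL per line, deduplicated and in spec order: the plain text form ZAP can import."""
    return "\n".join(dict.fromkeys(url for _, url in enumerate_endpoints(spec)))
```

The OpenAPI add-on imports a definition directly; the script is useful for checking which path and query values actually end up in the URLs before you scan, since an endpoint ZAP never sees is an endpoint it never tests.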
Also, a good idea is using the Fuzzer from OWASP ZAP.
Fuzzing allows you to trigger unexpected behaviour from the API server by submitting malformed requests, malformed parameters and guessing unpublished API methods.
You can read what fuzzing is here: https://owasp.org/www-community/Fuzzing
It will allow you to fuzz a URL string or a single parameter.
To start the fuzzer you will need to:
I would recommend choosing the "file fuzzers" option at step 3 and choosing one of the pre-defined wordlists, or export your own. You can use SecLists to find a bunch of fuzzing wordlists. Here is the set of wordlists designed for API fuzzing: https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content/api
Furthermore, OWASP ZAP allows you to perform manual API testing if you know the methodology. Here you can find some links related to REST security:
https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
https://cheatsheetseries.owasp.org/cheatsheets/REST_Assessment_Cheat_Sheet.html