ZAP API Connection Problem

[wwed jiu]

Hi All Member for ZAP & Developer,

I encountered some problems when using Python combined with API ZAP. According to the picture, the source code I used for Spider scanning ran normally without any problems(SpiderScan.jpg). But after I use the python request or json part, an API Error will be displayed (PythonErrorMessage.jpg) for my code I use this for demo (ErrorPart.jpg) and after the error check log file showing(zap log message.jpg). I would like to ask if any other members have encountered similar situations? How to deal with it?

SpiderScan.jpg

PythonErrorMessage.jpg

ErrorPart.jpg

zap log message.jpg

Please help me solve this issues.

Regards,

Henley.

[psiinon]

Hi Henley,

"API key incorrct or not supplied" - did you see this?

Looks like you are not specifying the API key :)

The ZAP API handles that for you because you've told it what the key is.

If you are not going to use the ZAP API then you can specify the key via the "X-ZAP-API-Key" header.

I've had a look and I cant see that documented anywhere particularly obvious .. we'll fix that ..

Cheers,

Simon

[wwed jiu]

Hello Simon, I actually provide the API Key in the code, but I didn’t show it in the above photo.

In addition, I found that the method of using the python library can never be successfully allowed. As long as the request and json methods are used, this problem will occur. For example, the following is the code display of my project combined with ZAP API Key. The same error message appears when authentication is allowed.

Regrads,

Henley.

[psiinon]

It looks like you've specified a header of "apikey" - it shoud be "X-ZAP-API-Key" :)

--
You received this message because you are subscribed to the Google Groups "ZAP Developer Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-devel...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/zaproxy-develop/3977755b-b3c9-41a8-ae86-8755e529d3d1n%40googlegroups.com.

--

ZAP Project leader

[wwed jiu]

Hello Simon,

According to your suggestion, is there any relevant information that you can refer to for the "X-ZAP-API-Key" you mentioned?

In addition, I would like to ask, if I use ZAP API for Spider Scanning and passion Scanning by API, can I customize the result? Is there any documentation on these issues?

thanks for your help.

Regards,
Henley.

[psiinon]

Just the code :)

https://github.com/zaproxy/zaproxy/blob/main/zap/src/main/java/org/zaproxy/zap/extension/api/API.java#L1107

As I mentioned - it doesnt look like we currently document this, we'll look at fixing this.

What do you mean by "customize the result"?

Cheers,

Simon

[wwed jiu]

Hello Simon,
OK Thanks for the information.

Regarding "customization", it is the results (examplePrintResult.jpg) I get after a successful spider scan or active scan. Can I get some part of the data in the result and store it in my own database? For example, the data displayed in result.jpg is obtained from (URL/Size Resp. Header/Highest Alert Tags) and then stored in my database. Because currently I can only get the URL using python program for scanning.

examplePrintResult.jpg

result.jpg

 Thanks again for your help.

Regards,
Henley.

[psiinon]

You can use the https://www.zaproxy.org/docs/api/#spiderviewfullresults endpoint to get more info.

The urlsInScope section will include a messageId which can be used in https://www.zaproxy.org/docs/api/#coreviewmessage to get the full message details.

Cheers,

Simon

[wwed jiu]

Thank you for your very helpful help, thank you again.

Regards,
Henley.