How to capture request and response in the report

[Naveen Rudrappa]

Hi Team,

I am triggering zap scan using the command as mentioned below. The report generated does not have complete request and response. How to get them added as part of the report?

docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-weekly zap-api-scan.py -t <target_file> -f openapi -z "-configfile /zap/wrk/options.prop" -r report.html I

 I am looking for a request and response similar to the one mentioned below, 

 ---------------------------------ZAP Request Init=6
POST http://192.168.1.2:8888/identity/api/auth/signup HTTP/1.1
host: 192.168.1.2:8888
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
pragma: no-cache
cache-control: no-cache
accept: application/json
content-type: application/json
content-length: 83


 ---------------------------------ZAP Request Body
{"email":"zap...@example.com","name":"ZAP","number":"6915656974","password":"ZAP"}
 ---------------------------------ZAP Request End
 ---------------------------------ZAP Response Init=6
HTTP/1.1 400
Server: openresty/1.25.3.1
Date: Tue, 03 Jun 2025 07:15:03 GMT
Content-Type: application/json
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
content-length: 479

Thanks,

Naveen.R

[Simon Bennetts]

Use the Automation Framework instead, that is much more flexible.

This plan is equivalent to the packaged API scan: https://github.com/zaproxy/community-scripts/blob/main/other/af-plans/ApiScanExample.yaml

Cheers,

Simon

[Naveen Rudrappa]

Hi Team,

I successfully generated an HTML report containing both the request and response. However, I was unable to generate a JSON report. Kindly review the attached YAML file and advise on the necessary changes to enable JSON report generation.

--
ZAP by Checkmarx: https://www.zaproxy.org/
---
You received this message because you are subscribed to the Google Groups "ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/zaproxy-users/67c9b69c-aa26-463d-848e-7fca0ef1d901n%40googlegroups.com.

[Simon Bennetts]

Do you mean that it failed to generate any report, or just that it did not include the requests and responses?

The JSON report with the requests and response in is "traditional-json-plus".

The default reports included are all detailed on https://www.zaproxy.org/docs/desktop/addons/report-generation/templates/

Cheers,

Simon

[James L]

Be careful, file sizes start getting quite large if you save every request and response. I think you can make a custom template to change request response behavior so that it only includes say , high and above.