Unable to scan POST api through ZAP

Dhirendra Pratap Singh

unread,

Jul 26, 2022, 10:52:53 PM7/26/22

to OWASP ZAP Developer Group

Hello,

I am unable to perform ZAP scan for my POST api url. Can anyone help me regarding this.?

I need it to generate ZAP scan report and submit it to salesforce for security review.

I am doing following steps-

1. Install ZAP

2.Installing Certificate

(refer cert.png)

Import generated certificate on certmgr.msc.

3. Configuring Proxy

(refer Local_Proxy_in_ZAP.jpg and Prox_in_LANSettings.jpg)

After that I am able to see target urls in ZAP sites

(refer sites.jpg) but unable to hit post api call through postman after doing configuring proxy step(refer postapierrorinpostman.jpg).

postapierrorinpostman.jpg

Prox_in_LANSettings.jpg

cert.png

sites.jpg

Local_Proxy_in_ZAP.jpg

kingthorin+owaspzap

unread,

Jul 27, 2022, 4:47:29 PM7/27/22

to OWASP ZAP Developer Group

Do you have any Scripts enabled or Replacer rules?

Dhirendra Pratap Singh

unread,

Jul 27, 2022, 11:36:41 PM7/27/22

to OWASP ZAP Developer Group

Hello, I am new to ZAP, I haven't enabled scripts or using any Replacer Rules. I need ZAP scanner report for my REST api to submit salesforce security Review. Can you help me where I am going wrong or which steps should I take to generate report for my POST api. Any thoughts you have will be greatly appreciated.

psiinon

unread,

Jul 28, 2022, 3:21:11 AM7/28/22

to OWASP ZAP Developer Group

ZAP does not change POSTs into GETs by default, so right now we do not know whats going wrong or how to fix it.

What happens if you send the same post request to your app using curl, proxied through ZAP?