How to change API request order (based on HTTP method/API endpoint) from the ZAP Tree


mats...@gmail.com

Dec 29, 2025, 10:41:22 AM
to ZAP User Group
Hi Simon,
   Is there any way I can change the order in which the API requests from the ZAP Tree are sent, whether they were imported via a spec or learned via the browser proxy?
   Below is the order in which the endpoint with different HTTP methods is loaded in the ZAP Tree:
   [attached image: ZAP_Tree.jpg]
I want the requests to be sent in the order GET -> POST -> PUT with respect to HTTP method, but based on the Tree they are currently sent as PUT -> POST -> GET. Is there any way we can change the order based on HTTP method in the ZAP Tree?

I also want to send API requests based on different endpoints. Is there any way we can change the order of sending API requests based on API endpoints in the ZAP Tree?
Thanks
Srikanth

thc202

Dec 29, 2025, 10:43:58 AM
to zaprox...@googlegroups.com
Hi,

The Sequence Scanner add-on is meant for that:
https://www.zaproxy.org/docs/desktop/addons/sequence-scanner/

Best regards.

mats...@gmail.com

Dec 30, 2025, 2:52:27 AM
to ZAP User Group
I tried the following after referring to the above link:
a) Simulated a flow (GET, POST, PUT and DELETE) and captured the HAR file from the browser, with the cookie
b) Using the Import HAR as Sequence option in the UI, imported the HAR file, which worked fine
c) Ran the imported flow (GET, POST, PUT and DELETE) again via ZAP; ZAP sends the requests but with an empty Cookie (cookie values set to None) as opposed to what is captured in the HAR, resulting in a 401 Unauthorized error
Is there any reason why ZAP is not sending the cookie details properly? If that is expected, is there any workaround to fix this?

Thanks
Srikanth

thc202

Jan 5, 2026, 3:02:24 AM
to zaprox...@googlegroups.com
Options > Scripts > Engine > Zest, there uncheck the Cookie header.

That's done by default because you usually would do an authenticated
scan (which would add the necessary session tokens/headers).

Best regards.

mats...@gmail.com

Jan 5, 2026, 8:15:48 AM
to ZAP User Group
This change of options also did not work. It always sends the values below for the cookie, which results in an authentication failure:
Cookie: avi-sessionid=None; sessionid=None; accesstoken=None; refreshtoken=None

Thanks
Srikanth

thc202

Jan 5, 2026, 8:46:32 AM
to zaprox...@googlegroups.com
ZAP will not add/set None unless the server set that in a response. Did
you verify the session is still valid for those cookies?

Best regards.

mats...@gmail.com

Jan 6, 2026, 9:16:12 AM
to ZAP User Group
Hi,
   Based on your comments above, I understand that I also need to capture the login API along with the CRUD APIs, which I have done now. It is again resulting in 401 Unauthorized, because we have to send the X-Csrftoken header with the CSRF token value that we receive from the server in a cookie; the header value is fetched from the HAR, so it has the old value, resulting in the authorization failure. How can I get the CSRF token coming from the server and replace the X-Csrftoken header in the HAR file with that incoming value?

Thanks
Srikanth

Simon Bennetts

Jan 7, 2026, 10:36:10 AM
to ZAP User Group
You will need to actually try things out and see what works.
Once you understand exactly what you need to do then you can use ZAP scripting to make it happen.
If you don't know how to do that then explain exactly what you need to do and we can help.

Cheers,

Simon

mats...@gmail.com

Jan 7, 2026, 8:03:58 PM
to ZAP User Group
Hi Simon,

     Below is my requirement:
        a) From the OpenAPI spec I want to do CRUD operations like POST, PUT, PATCH, GET, DELETE on multiple API endpoints using ZAP with the correct payload
        b) Run a) with a bad payload (attacks, incorrect keys, etc.)

    To achieve this I tried the following:
        a) Imported the API spec, which imported all the above CRUD operations with payloads in a different order, like PUT -> DELETE -> PATCH -> POST -> GET
        b) I changed all the operations to use the correct payload and ran them
        c) Since the order was incorrect, the CRUD operations were failing. Ideally the CRUD operation order should be POST -> PUT -> PATCH -> GET -> DELETE make the CRUD
        d) I realized from the above thread that we cannot change the order of operations in ZAP via the UI directly; the other option recommended was to capture all the CRUD operations via a HAR file from the browser
        e) I created the HAR file with all the operations in sequence, with cookies and login captured, and imported it in ZAP
        f) I imported the HAR file and replayed it; it resulted in an authorization failure because for every operation we do, we want the cookie received from the server to be sent, and along with it we add another header, X-Csrftoken, which needs to be filled with the csrftoken we obtain in the cookie. ZAP is failing to honor that, which is expected, but how do we make ZAP add the value to the X-Csrftoken header and send it in POST/PUT/PATCH requests?

    My question is how to achieve point f) during ZAP CRUD operation replay of the HAR file.

Thanks
Srikanth  
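The requirement in point f) is the kind of thing Simon's reply points at: a small ZAP script. The block below is an added example written for this thread, not code from the thread or from the ZAP project. It is shaped as a ZAP "HTTP Sender" script in JavaScript: the real ZAP entry points `sendingRequest(msg, initiator, helper)` and `responseReceived(msg, initiator, helper)` are called for every request ZAP sends, including Zest sequence replays, and `msg` is ZAP's `HttpMessage`, whose request header offers `getMethod()`, `getHeader(name)` and `setHeader(name, value)`. Everything else is assumed from the thread: the cookie is named `csrftoken`, the header is `X-Csrftoken`, only POST/PUT/PATCH need it, and the outgoing `Cookie` header has already been populated (by the Zest sequence or ZAP's session handling) by the time the script runs. The decision logic is kept in plain functions so it can be checked outside ZAP, and a literal `None` value, the symptom seen earlier in the thread, is treated as "no token" rather than copied into the header.

```javascript
// Added example (not from the thread or the ZAP project): a ZAP HTTP Sender
// script that mirrors the csrftoken cookie into the X-Csrftoken header on
// state-changing requests. Load it in ZAP under Scripts > HTTP Sender and
// enable it; the helper functions are plain JavaScript and run anywhere.

// Methods that should carry the CSRF header (assumption: GET/DELETE do not).
var CSRF_METHODS = ["POST", "PUT", "PATCH"];

// Cookie and header names as described by the poster (assumed, adjust to fit).
var CSRF_COOKIE = "csrftoken";
var CSRF_HEADER = "X-Csrftoken";

// Parse a Cookie request header ("a=1; b=2") into a name -> value object.
// Tolerates a null header (ZAP returns null when the header is absent).
function parseCookieHeader(cookieHeader) {
  var cookies = {};
  if (cookieHeader === null || cookieHeader === undefined) return cookies;
  String(cookieHeader).split(";").forEach(function (pair) {
    var idx = pair.indexOf("=");
    if (idx < 0) return;
    var name = pair.slice(0, idx).trim();
    var value = pair.slice(idx + 1).trim();
    if (name) cookies[name] = value;
  });
  return cookies;
}

// A token is usable only if it is non-empty and not the literal "None"
// that the thread reported seeing in replayed requests.
function isUsableToken(value) {
  return typeof value === "string" && value.length > 0 && value !== "None";
}

// Pure decision function: return the header value to set for this request,
// or null when the request must be left untouched (wrong method, no token).
function csrfHeaderFor(method, cookieHeader) {
  if (CSRF_METHODS.indexOf(String(method).toUpperCase()) < 0) return null;
  var token = parseCookieHeader(cookieHeader)[CSRF_COOKIE];
  return isUsableToken(token) ? token : null;
}

// ZAP hook: runs just before ZAP sends the request (msg is an HttpMessage).
function sendingRequest(msg, initiator, helper) {
  var header = msg.getRequestHeader();
  var token = csrfHeaderFor(header.getMethod(), header.getHeader("Cookie"));
  if (token !== null) {
    // Overwrites the stale X-Csrftoken value recorded in the HAR.
    header.setHeader(CSRF_HEADER, token);
  }
}

// ZAP hook: nothing to do here, ZAP's session handling stores Set-Cookie
// values from the login response; the cookie is read back on the next send.
function responseReceived(msg, initiator, helper) {}
```

If the API uses a different cookie name, or also wants the header on DELETE, change `CSRF_COOKIE` and `CSRF_METHODS` rather than the hook; keeping the decision in `csrfHeaderFor` means the behaviour can be checked with plain string inputs before the script is enabled in ZAP.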