How to Perform all XSS Attacks on POST Body of Multiple Given API end points using ZAP


mats...@gmail.com

Dec 14, 2025, 12:24:30 AM
to ZAP User Group
Hi Simon,
    How can I perform all possible XSS (non-stored and stored) attacks on the POST body of multiple given API endpoints using ZAP?
    Basically I have many API endpoints (one such API endpoint is shown below). I want to perform XSS attacks (if ZAP has any known DB, it would be good) only on all the body params (key and value) after doing authentication. How can this be done efficiently?

POST /api/test?inc_bac HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
X-Test-UserAgent: Abc
X-Test-Version: 2.2.2
X-Test-Tenant: abc123
Content-Type: application/json;charset=utf-8
X-CSRFToken: <masked>
Content-Length: xx
Sec-GPC: 1
Connection: keep-alive
Cookie: <masked>
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
TE: trailers

{
  "dos_rl_profile": {"rl_profile": {}},
  "preserve_client_ip": false,
  "preserve_dest_ip_port": false,
  "l4_ssl_profile": {"ssl_stream_idle_timeout": 3600},
  "diameter_service_profile": {"host_ip_addr_rewrite": false, "req_timeout": 60, "max_outstanding_req": 4096},
  "type": "APPLICATION_PROFILE_TYPE_HTTP",
  "name": "FUZZ",
  "http_profile": {
    "connection_multiplexing_enabled": true, "xff_enabled": true, "xff_alternate_name": "X-Forwarded-For",
    "hsts_enabled": false, "secure_cookie_enabled": false, "httponly_enabled": false, "http_to_https": false,
    "server_side_redirect_to_https": false, "x_forwarded_proto_enabled": false,
    "post_accept_timeout": 30000, "client_header_timeout": 10000, "client_body_timeout": 30000,
    "keepalive_timeout": 30000, "client_max_header_size": 12, "client_max_request_size": 48,
    "client_max_body_size": 0, "max_rps_unknown_uri": 0, "max_rps_cip": 0, "max_rps_uri": 0, "max_rps_cip_uri": 0,
    "ssl_client_certificate_action": {"close_connection": false},
    "ssl_client_certificate_mode": "SSL_CLIENT_CERTIFICATE_NONE",
    "websockets_enabled": true, "max_rps_unknown_cip": 0, "max_bad_rps_cip": 0, "max_bad_rps_uri": 0,
    "max_bad_rps_cip_uri": 0, "keepalive_header": false, "use_app_keepalive_timeout": false,
    "allow_dots_in_header_name": false, "disable_keepalive_posts_msie6": true,
    "enable_request_body_buffering": false, "enable_fire_and_forget": false, "max_response_headers_size": 48,
    "respond_with_100_continue": true, "hsts_subdomains_enabled": true, "enable_request_body_metrics": false,
    "fwd_close_hdr_for_bound_connections": true, "max_keepalive_requests": 100,
    "disable_sni_hostname_check": false, "reset_conn_http_on_ssl_port": false,
    "http_upstream_buffer_size": 0, "enable_chunk_merge": true,
    "http2_profile": {
      "max_http2_control_frames_per_connection": 1000, "max_http2_queued_frames_to_client_per_connection": 1000,
      "max_http2_empty_data_frames_per_connection": 1000, "max_http2_concurrent_streams_per_connection": 128,
      "max_http2_requests_per_connection": 1000, "max_http2_header_field_size": 4096,
      "http2_initial_window_size": 64, "enable_http2_server_push": false,
      "max_http2_concurrent_pushes_per_connection": 10
    },
    "detect_ntlm_app": true, "use_true_client_ip": false, "pass_through_x_accel_headers": false,
    "collect_client_tls_fingerprint": false, "max_header_count": 256, "xff_update": "REPLACE_XFF_HEADERS",
    "session_config": {
      "session_cookie_name": "albsessid", "session_cookie_samesite": "SAMESITE_LAX",
      "session_cookie_secure": true, "session_cookie_httponly": true,
      "session_establishment_timeout": 300, "session_idle_timeout": 1800, "session_maximum_timeout": 28800
    },
    "close_server_side_connection_on_error": false
  }
}

Thanks
Srikanth

Simon Bennetts

Dec 17, 2025, 6:25:47 AM
to ZAP User Group
Hi Srikanth,

First of all, ZAP needs to know about the API endpoints; we call that exploring the app.

Once ZAP knows about the endpoints, you'll need to run the active scanner.
Again, ZAP has lots of options here, so you can just enable the relevant XSS rules to speed the scan up.

In the request you shared the content type is correct, so ZAP will attack all of the values in the request.

Note that by default ZAP will not attack the parameter names - that would typically double the scan time and it is usually not effective.
But we do have a script which will enable that: param_name_variant.js

Cheers,

Simon
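As an added illustration of the two points above (added here, not code from the thread or from ZAP itself): the script parses a raw request like the one posted, lists every JSON body value as an injection point, optionally adds the parameter names that ZAP only attacks once param_name_variant.js is enabled, and shows a single probe by replacing one leaf. The request body is a constructed, trimmed stand-in for the posted one, and the JSON-pointer paths and the `inject_value` helper are my own naming, not ZAP's internals.

```python
import json
RAW_REQUEST = (  # constructed sample modelled on the thread's POST, body trimmed (not the poster's capture)
    "POST /api/test?inc_bac HTTP/1.1\r\nHost: 1.1.1.1\r\n"
    "Content-Type: application/json;charset=utf-8\r\n\r\n"
    '{"name":"FUZZ","type":"APPLICATION_PROFILE_TYPE_HTTP","http_profile":{"xff_enabled":true,'
    '"xff_alternate_name":"X-Forwarded-For","session_config":{"session_cookie_name":"albsessid"}},'
    '"tags":["a","b"]}'
)

def split_request(raw):
    """Split a raw HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {k.strip().lower(): v.strip() for k, v in (h.split(":", 1) for h in header_lines)}
    return method, target, headers, body

def json_leaves(node, path=""):
    """Yield (JSON-pointer path, value) for every scalar leaf, descending objects and arrays."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from json_leaves(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from json_leaves(value, f"{path}/{index}")
    else:
        yield path, node

def injection_points(raw, include_names=False):
    """Return (kind, path, current) tuples: 'value' points always, 'name' points only when asked."""
    _method, _target, headers, body = split_request(raw)
    if not headers.get("content-type", "").startswith("application/json"):
        return []  # only a JSON content type gets the body parsed as JSON, the point Simon makes above
    points = []
    for path, value in json_leaves(json.loads(body)):
        points.append(("value", path, value))
        key = path.rsplit("/", 1)[-1]
        if include_names and not key.isdigit():  # array indexes are not parameter names
            points.append(("name", path, key))
    return points

def inject_value(body, path, marker):
    """Copy of the JSON body with the leaf at `path` replaced by `marker`: one probe of one point."""
    node = obj = json.loads(body)
    *parents, last = path.lstrip("/").split("/")
    for seg in parents:
        node = node[int(seg)] if isinstance(node, list) else node[seg]
    node[int(last) if isinstance(node, list) else last] = marker
    return json.dumps(obj, separators=(",", ":"))
```

Run against the full posted body, the value list is what the default active scan covers and the name list is the extra work the script variant adds, which is why Simon notes it roughly doubles the scan.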

ar

Dec 17, 2025, 10:31:07 AM
to zaprox...@googlegroups.com
test Zaproxy XSS-Reflected Attack

Wed, 17 Dec 2025 at 14:25, Simon Bennetts <psi...@gmail.com>:

Srikanth R

Dec 18, 2025, 8:45:55 AM
to zaprox...@googlegroups.com
Thanks, will try out the above suggestion and get back to you.

-Srikanth
