I'd like to use ZAP in headless mode to scan a given set of URLs. Here is what I did:
- I started ZAP UI
- configured it as a HTTP_PROXY for a browser
- navigated my website (including GET/POS/PUT actions during the journey)
- created a context and added the relevant urls
- performed an active scan on the context
In this scenario every thing was fine: the active scan performed several GET/POST/PUT attacks as intended.
Then in order to prepare for setup in the CI and simulate the behavior there I
- exported the context and it's urls
- cleared the context/urls/history
- imported the context and urls (via rest-api)
- performed an active scan against the imported context
As a result I only see GET-Attacks against the URLs.
I could certainly set up a CI-Pipeline with some kind of browser based ui tests using ZAP as a proxy (as I did manually before performing active scan), but this I'd like to avoid.
So what is the way to tweack ZAP to perform POST attacks on imported URLs?
Edit: the POST/PUT-Parameters are send in the Request-Body or as part of the URL following the REST-Style (e.g. method/param-1-key/param-1-value
) etc.