# Scanning APIs with OWASP ZAP

### Importing API Specification in OWASP ZAP

1. Open OWASP ZAP and select the "Import" option.

   ![Import API Specification](https://kajabi-storefronts-production.kajabi-cdn.com/kajabi-storefronts-production/site/2147573912/products/3QhpAQLTQqG1Sb8MPTft_ScanningAPIs1.PNG)
2. Choose the relevant API specification file (e.g., specs.yml) for crAPI and provide the target URL (<http://crapi.apisec.ai> or <http://127.0.0.1:8888>).

   ![Specify File and URL](https://kajabi-storefronts-production.kajabi-cdn.com/kajabi-storefronts-production/site/2147573912/products/oEsdxfxQGiPyRW2Nxobg_ScanningAPIs2.PNG)
3. After adding the file path and target URL, select "Import." The Sites window will now display the target's endpoints and API requests.

   ![Sites Window](https://kajabi-storefronts-production.kajabi-cdn.com/kajabi-storefronts-production/site/2147573912/products/2APuCeXwS6S6Npz32QhO_ScanningAPIs3.PNG)
4. Right-click on the root (e.g., <http://crapi.apisec.ai>) and choose to perform an active scan. Results will be available under the Alerts tab.

   ![Perform Active Scan](https://kajabi-storefronts-production.kajabi-cdn.com/kajabi-storefronts-production/site/2147573912/products/tXyxubIySxasnFlUXUtw_ScanningAPIs5.PNG)

### Authenticated Scanning with Manual Explore

1. Improve scan results by performing authenticated scanning using the Manual Explore option.

   ![Manual Explore](https://kajabi-storefronts-production.kajabi-cdn.com/kajabi-storefronts-production/site/2147573912/products/FMTNLZyOSGKGoPJABPJ4_ScanningAPIs7.PNG)
2. Set the URL to the target, enable the HUD, and choose "Launch Browser."

   ![Launch Browser](https://kajabi-storefronts-production.kajabi-cdn.com/kajabi-storefronts-production/site/2147573912/products/Ac8Y0rHqSqile9WdaoWu_ScanningAPIs8.PNG)
3. The HUD will launch in a browser. Select "Continue to your target" and use the web application as an end-user.

   ![HUD Browser](https://kajabi-storefronts-production.kajabi-cdn.com/kajabi-storefronts-production/site/2147573912/products/967oh1osRLeGnyntOPWb_ScanningAPIs9.PNG)
4. Perform actions such as signing up, signing in, and using various features. Use the HUD to perform actions and add the target to the scope.

   ![Add to Scope](https://kajabi-storefronts-production.kajabi-cdn.com/kajabi-storefronts-production/site/2147573912/products/WkGjSKhARZKFnh8sCMho_ScanningAPIs11.PNG)
5. On the right side of the HUD, set Attack Mode to On. This initiates scanning and authenticated testing of the target.

   ![Attack Mode On](https://kajabi-storefronts-production.kajabi-cdn.com/kajabi-storefronts-production/site/2147573912/products/xZQvLSUcSQue7u0Gzmew_ScanningAPIs12.PNG)
6. The scan may take a while depending on the web application's scale. Review the results under the Alerts tab.

   ![Scan Results](https://kajabi-storefronts-production.kajabi-cdn.com/kajabi-storefronts-production/site/2147573912/products/xZQvLSUcSQue7u0Gzmew_ScanningAPIs12.PNG)
7. Investigate the findings and separate actual vulnerabilities from false positives. Note that crAPI exhibits vulnerabilities from the OWASP API Security Top 10, including Security Misconfigurations and Injection.
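The two walkthroughs above are GUI-driven; for repeatable scans of the same target, the same workflow (import the spec, active-scan the root, then triage the Alerts) can be driven through ZAP's local JSON API. This is an added example, not code from the page or from the ZAP project: it assumes ZAP is listening on 127.0.0.1:8080 with an API key, that the spec sits at `./specs.yml`, that the `openapi`, `ascan` and `alert` API components accept the parameters used here, and the alert sample and its URL paths are constructed.

```python
import json
import time
import urllib.parse
import urllib.request

ZAP = "http://127.0.0.1:8080"           # ZAP's local API listener (assumed default)
API_KEY = "change-me"                   # placeholder: use the key from ZAP's API options
TARGET = "http://127.0.0.1:8888"        # the crAPI target used on this page

SAMPLE_ALERTS = [  # constructed sample shaped like ZAP's alert/view/alerts output; paths are made up
    {"alert": "SQL Injection", "risk": "High", "confidence": "Medium", "url": TARGET + "/api/v1/one"},
    {"alert": "SQL Injection", "risk": "High", "confidence": "Medium", "url": TARGET + "/api/v1/two"},
    {"alert": "Cross-Domain Misconfiguration", "risk": "Medium", "confidence": "Medium", "url": TARGET + "/"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "confidence": "Medium", "url": TARGET + "/"},
    {"alert": "Information Disclosure - Suspicious Comments", "risk": "Informational", "confidence": "Low", "url": TARGET + "/"},
]

def api_url(component, kind, name, **params):
    """Build a ZAP JSON API URL such as /JSON/ascan/action/scan/?url=...&apikey=..."""
    params["apikey"] = API_KEY
    return f"{ZAP}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"

def call(component, kind, name, **params):
    with urllib.request.urlopen(api_url(component, kind, name, **params)) as resp:
        return json.load(resp)

def triage(alerts):
    """Step 7: merge duplicates per (rule, risk), drop Informational, order High -> Low."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    grouped = {}
    for a in alerts:
        if a["risk"] not in order:
            continue                    # Informational entries are not vulnerabilities
        row = grouped.setdefault((a["alert"], a["risk"]), {
            "alert": a["alert"], "risk": a["risk"], "confidence": a["confidence"],
            "example": a["url"], "count": 0})
        row["count"] += 1
    return sorted(grouped.values(), key=lambda r: order[r["risk"]])

def scan_api(spec_path="specs.yml"):
    """Steps 2-4: import the spec against the target, active-scan the root, poll, then triage."""
    call("openapi", "action", "importFile", file=spec_path, target=TARGET)
    scan_id = call("ascan", "action", "scan", url=TARGET, recurse="true")["scan"]
    while int(call("ascan", "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(5)
    return triage(call("alert", "view", "alerts", baseurl=TARGET)["alerts"])

if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS):     # offline demo of the review output; scan_api() runs live
        print(f'{r["risk"]:<6} x{r["count"]:<3} {r["alert"]} (e.g. {r["example"]})')
```

Each triaged row keeps one example URL and a hit count, so a reviewer can confirm or dismiss a rule once rather than per endpoint.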
