Record Postman APIs in OWASP ZAP Scanner

TortoWise
1 min read · Jun 2, 2021

I wanted to quickly check APIs for security testing using ZAP Scanner. I tried a couple of ways but was not happy with the time it took to set up and configure. Since the API collection was already in Postman, I thought of using Postman and ZAP Scanner together, and it worked!

So to get started we need to configure OWASP ZAP Scanner's local proxy: ZAP Scanner > Tools > Options > Local Proxies > Address: 127.0.0.1, Port: 8080.

The same setting needs to be configured in Postman: Settings > Proxy > uncheck "Use the system proxy" and check "Add a custom proxy configuration", Proxy Server: 127.0.0.1, Port: 8080. Close the Settings.

Make sure the SSL certificate verification setting under General is set to "Off", since ZAP terminates TLS with its own generated certificate, which Postman would otherwise reject.

All set! Now you just need to send the API request from Postman and it will appear in ZAP Scanner. Once you have the request captured in ZAP, you can perform an Active Scan on it. Hope this helps!
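The same routing can be scripted instead of clicked: the following is an added example (not the article's code) that reads a Postman collection v2.1 export, resolves `{{variables}}`, and replays every request through ZAP's local proxy at 127.0.0.1:8080 with certificate verification disabled, which is exactly the pair of settings described above. The collection, the `api.example.test` host and the `baseUrl` variable are constructed for the example; ZAP is assumed to be listening on the article's address and port.

```python
"""Replay a Postman v2.1 collection through OWASP ZAP's local proxy.

Added example, not the article's own code. Assumes ZAP listens on
127.0.0.1:8080 (the article's Local Proxy setting) and that ZAP's generated
certificate is accepted by turning verification off (the article's
"SSL certificate verification: Off" in Postman).
"""
import json
import ssl
import urllib.request

ZAP_PROXY = "http://127.0.0.1:8080"  # the article's Local Proxy address/port

# Constructed sample collection (not a real API); mirrors the Postman v2.1 export layout,
# including a folder ("Admin") whose requests nest under a second "item" list.
SAMPLE_COLLECTION = json.dumps({
    "info": {"name": "demo",
             "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
    "variable": [{"key": "baseUrl", "value": "https://api.example.test"}],
    "item": [
        {"name": "List users",
         "request": {"method": "GET",
                     "header": [{"key": "Accept", "value": "application/json"}],
                     "url": {"raw": "{{baseUrl}}/users"}}},
        {"name": "Admin", "item": [
            {"name": "Create user",
             "request": {"method": "POST",
                         "header": [{"key": "Content-Type", "value": "application/json"}],
                         "url": "{{baseUrl}}/users",
                         "body": {"mode": "raw", "raw": "{\"name\": \"alice\"}"}}},
        ]},
    ],
})


def resolve(text, variables):
    """Substitute Postman-style {{name}} placeholders from the collection variables."""
    for key, value in variables.items():
        text = text.replace("{{" + key + "}}", value)
    return text


def load_requests(collection_json):
    """Flatten a v2.1 collection (folders nest under 'item') into plain request dicts."""
    collection = json.loads(collection_json)
    variables = {v["key"]: v["value"] for v in collection.get("variable", [])}

    def walk(items):
        for entry in items:
            if "item" in entry:          # folder: recurse into its children
                yield from walk(entry["item"])
                continue
            req = entry["request"]
            url = req["url"]
            raw = url if isinstance(url, str) else url["raw"]   # url may be string or object
            headers = {h["key"]: resolve(h["value"], variables)
                       for h in req.get("header", []) if not h.get("disabled")}
            body = req.get("body", {})
            raw_body = body.get("raw") if body.get("mode") == "raw" else None
            yield {"name": entry["name"], "method": req.get("method", "GET"),
                   "url": resolve(raw, variables), "headers": headers, "body": raw_body}

    return list(walk(collection.get("item", [])))


def zap_opener(proxy=ZAP_PROXY):
    """Opener that sends http and https via ZAP and skips certificate checks:
    the programmatic equivalent of the article's Postman proxy + SSL settings."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # ZAP presents its own generated certificate
    return urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}),
        urllib.request.HTTPSHandler(context=ctx),
    )


def build(req):
    """Turn a flattened request dict into a urllib Request with method, headers and body."""
    data = req["body"].encode() if req["body"] is not None else None
    return urllib.request.Request(req["url"], data=data, headers=req["headers"],
                                  method=req["method"])


def replay(collection_json, opener=None):
    """Send every request through ZAP so it lands in the Sites tree; return (name, status) pairs."""
    opener = opener or zap_opener()
    results = []
    for req in load_requests(collection_json):
        try:
            with opener.open(build(req), timeout=10) as resp:
                results.append((req["name"], resp.status))
        except Exception as exc:           # ZAP not running, host unreachable, etc.
            results.append((req["name"], f"error: {exc}"))
    return results


if __name__ == "__main__":
    for name, status in replay(SAMPLE_COLLECTION):
        print(f"{name}: {status}")
```

Run it with ZAP open and the requests show up under the target host in ZAP's Sites tree, ready for an Active Scan; without ZAP listening, each entry reports a connection error rather than crashing. Point `SAMPLE_COLLECTION` at a real export (`json.load` of the file) to replay a full collection.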
