During the test, I found that POST-based scanning(active-scan / quick-scan) was not working in zap-cli 😱 This problem is zap-cli issue, and it has already been reported as an issue below.

https://github.com/Grunny/zap-cli/issues/73

So while testing this, finally I find a way to solve it and share it. This is a trick using ZAP’s Attack mode. When Attack mode is activated, active-scan basically operates for targets corresponding to scope through Context.

Now result is accumulated in the ZAP, and if only the GET is scanned through the zap-cli, the result of the POST may be added.

TL;DR

1. Start ZAP
2. Change mode to attack mode with ZAP API
   • /JSON/core/action/setMode/?mode=attack
3. Add scope target URL
4. Include POST URL in sitetree (At this point, the scan already starts.)
5. Waiting Attack Mode Queue and Run quick-scan or active-scan

Step by Step

Starting ZAP

Prepare a ZAP! Open ZAP GUI or zap.sh, zap-cli

1

zap-cli start

Call this API for change attack mode

Can’t change the mode directly in zap-cli. So call the ZAP API for change attack mode.

1
2
3
4

{ZAP-API-HOST}/JSON/core/action/setMode/?mode=attack

// refer: http://localhost:8090/UI/core/action/setMode/
// API: http://localhost:8090/JSON/core/action/setMode/?mode=attack

Add scope target URL (using context)

1
2

zap-cli context new NAME
zap-cli context include -n NAME -p your_target_url.*

Include POST URL in sitetree

1

curl -i -k http://your_target_url -X POST -d "blah=1234" --proxy http://your_zap_api_port

Run quick-scan or active-scan. (and waiting attack mode)

when scan is completed, the result of POST has already been scanned in attack mode and the result appears together.

And if the attack mode scan ends faster than quick-scan/active-scan, the results may not come out properly. In this case, you can check the status of the scan of attack mode through the attack mode queue API 😎

1

{ZAP-API-HOST}/JSON/ascan/view/attackModeQueue

References

• https://github.com/Grunny/zap-cli/issues/73#issuecomment-966832964