Grunny / zap-cli

A simple tool for interacting with OWASP ZAP from the commandline.
MIT License

Scanning of POST requests #73

Open lmtc668800 opened 5 years ago

lmtc668800 commented 5 years ago

Hello!

I'm trying to use zap-cli to scan our application, and I succeeded in doing it on a URL which uses the GET method. However, I met a problem when scanning POST requests, since the parameters are not included in the URL, and what I want to check is whether there is any security in those parameters. (In the GUI the parameters are also recorded in the tree, so active-scan works.)

May I know whether there is any way to deal with POST requests?

gnirlos commented 4 years ago

Any update? How does one send POST commands from zap-cli?

hahwul commented 2 years ago

It's possible in an expedient way, so I'll share it 😊

1) Boot ZAP
2) Call this API to change to attack mode

/JSON/core/action/setMode/?mode=attack

3) Include the POST URL in the sitetree
4) Run quick-scan!

Now, when quick-scan is performed, the result of POST has already been scanned in attack mode and the result appears together.
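The four steps above as a script, added here as an example and not code from the thread or from zap-cli. It assumes ZAP is already running as a daemon, and it uses ZAP's `core/sendRequest` API action as one way to get the POST and its body parameters into the site tree; the `ZAP_HOST`, `ZAP_PORT`, `SCAN_URL` and `SCAN_BODY` variable names and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not zap-cli's own code. Assumed: ZAP daemon address, the
# ZAP_API_KEY variable, and SCAN_URL/SCAN_BODY pointing at your own test app.
ZAP_HOST="${ZAP_HOST:-http://127.0.0.1}"
ZAP_PORT="${ZAP_PORT:-8090}"

# Print the scheme://host[:port] part of a URL.
base_url() {
  local rest="${1#*://}"
  printf '%s://%s' "${1%%://*}" "${rest%%/*}"
}

# Build the raw HTTP message passed to ZAP's core/sendRequest action.
# $1 = full URL, $2 = form-encoded body (ASCII, so ${#body} is its byte length)
build_post_request() {
  local url="$1" body="$2" base
  base="$(base_url "$url")"
  printf 'POST %s HTTP/1.1\r\nHost: %s\r\n' "$url" "${base#*://}"
  printf 'Content-Type: application/x-www-form-urlencoded\r\n'
  printf 'Content-Length: %d\r\n\r\n%s' "${#body}" "$body"
}

# Call a ZAP JSON API action; the API key travels in a header, not the URL.
zap_api() {
  local path="$1"; shift
  curl -fsS -G "$ZAP_HOST:$ZAP_PORT$path" \
    -H "X-ZAP-API-Key: ${ZAP_API_KEY:-}" "$@"
}

scan_post() {
  local url="$1" body="$2"
  # Step 2: switch ZAP to attack mode.
  zap_api /JSON/core/action/setMode/ --data-urlencode "mode=attack" || return 1
  # Step 3: send the POST through ZAP so the node, including its body
  # parameters, is recorded in the site tree.
  zap_api /JSON/core/action/sendRequest/ \
    --data-urlencode "request=$(build_post_request "$url" "$body")" \
    --data-urlencode "followRedirects=false" >/dev/null || return 1
  # Step 4: quick-scan the site; -r includes the child nodes (the POST node).
  zap-cli --zap-url "$ZAP_HOST" -p "$ZAP_PORT" --api-key "${ZAP_API_KEY:-}" \
    quick-scan -r "$(base_url "$url")"
}

# Runs only when SCAN_URL is set, e.g.
#   SCAN_URL=http://127.0.0.1:8080/login SCAN_BODY='user=a&pass=b' ./scan_post.sh
if [ -n "${SCAN_URL:-}" ]; then
  scan_post "$SCAN_URL" "${SCAN_BODY:-}"
fi
```

ZAP's attack mode only scans new nodes automatically when they are in scope, which is why the script still runs `quick-scan -r` explicitly over the site.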