How to OWASP ZAP scan external REST API using OAuth2

For finding vulnerabilities in an API-only application (one that has no web app, so you only have access to its REST API), you can configure a proxy in Postman and run the OAuth flow and the other REST API calls through it; those requests then pass through the same proxy that ZAP is configured to intercept.

If you have a web app, configure your browser to use ZAP as its proxy so that every URL you browse passes through the proxy server and ZAP can intercept it.

Generate a root certificate in ZAP to import into the browser (or into Postman, if you are testing an API). Go to Tools > Options > Dynamic SSL Certificates and save the certificate locally.


Import the certificate into the browser/Postman (I suggest you use a separate browser solely for this rather than the one you use for general purposes; that way you do not disturb your current configuration. I usually prefer Mozilla Firefox for this, as I use Chrome for general purposes).

In Firefox, go to the about:preferences URL, select Privacy and Security, and choose Certificates.

Go to Authorities and import the certificate you saved in step 1.


If you are testing an API only, with no web app, and you use Postman to make the requests, add your certificate in Postman using the Preferences tab.


  • Configure your browser's proxy URL. In Firefox this is under Network Settings, reached via about:preferences.


  • Configure the local proxy in ZAP using Tools > Options > Local Proxy. The address and port here are what the browser (or Postman) must point at.


Now any URL you browse is recorded with its complete hierarchy; it appears under Sites.


If your app is API only, configure the proxy in Postman instead.

Use Postman to make requests; ZAP records the URLs for the attack. For OAuth 2.0, go through the authentication flow using Postman's authorization configuration.

One important thing to verify is that Postman uses the same proxy address and port as the ZAP local proxy.

You can configure this in Postman's preferences as explained in the article below.


If you need to customize further, you can use authentication scripts in ZAP (you generally do not need this unless you have a complex authentication flow or want to test with specific headers); ZAP has community scripts that cover some sample use cases here.

Finally, to scan or spider the URL, right-click it under Sites and execute the Attack you want.


Use the Reports tab to generate the ZAP report that you can submit to the security review team.


Additional Resources

The ZAP configuration tutorial from Salesforce security help is here, and the configuration steps are documented here.

Note that ZAP is free and flexible; to customize it, read the docs.

ZAP also has video tutorials here.