OWASP ZAP · Capability

ZAP API

The HTTP API for controlling and accessing ZAP.

What You Can Do

GET
Accesscontrolactionscan — Starts an Access Control scan with the given context ID and user ID. (Optional parameters: user ID for Unauthenticated user, boolean identifying whether or not Alerts are raised, and the Risk level for the Alerts.) [This assumes the Access
/JSON/accessControl/action/scan/
GET
Accesscontrolactionwritehtmlreport — Generates an Access Control report for the given context ID and saves it based on the provided filename (path).
/JSON/accessControl/action/writeHTMLreport/
GET
Accesscontrolviewgetscanprogress — Gets the Access Control scan progress (percentage integer) for the given context ID.
/JSON/accessControl/view/getScanProgress/
GET
Accesscontrolviewgetscanstatus — Gets the Access Control scan status (description string) for the given context ID.
/JSON/accessControl/view/getScanStatus/
GET
Acsrfactionaddoptiontoken — Adds an anti-CSRF token with the given name, enabled by default
/JSON/acsrf/action/addOptionToken/
GET
Acsrfactionremoveoptiontoken — Removes the anti-CSRF token with the given name
/JSON/acsrf/action/removeOptionToken/
GET
Acsrfactionsetoptionpartialmatchingenabled — Define if ZAP should detect CSRF tokens by searching for partial matches.
/JSON/acsrf/action/setOptionPartialMatchingEnabled/
GET
Acsrfothergenform — Generate a form for testing lack of anti-CSRF tokens - typically invoked via ZAP
/OTHER/acsrf/other/genForm/
GET
Acsrfviewoptionpartialmatchingenabled — Define if ZAP should detect CSRF tokens by searching for partial matches
/JSON/acsrf/view/optionPartialMatchingEnabled/
GET
Acsrfviewoptiontokensnames — Lists the names of all anti-CSRF tokens
/JSON/acsrf/view/optionTokensNames/
GET
Ajaxspideractionaddallowedresource — Adds an allowed resource.
/JSON/ajaxSpider/action/addAllowedResource/
GET
Ajaxspideractionaddexcludedelement — Adds an excluded element to a context.
/JSON/ajaxSpider/action/addExcludedElement/
GET
Ajaxspideractionmodifyexcludedelement — Modifies an excluded element of a context.
/JSON/ajaxSpider/action/modifyExcludedElement/
GET
Ajaxspideractionremoveallowedresource — Removes an allowed resource.
/JSON/ajaxSpider/action/removeAllowedResource/
GET
Ajaxspideractionremoveexcludedelement — Removes an excluded element from a context.
/JSON/ajaxSpider/action/removeExcludedElement/
GET
Ajaxspideractionscan — Runs the AJAX Spider against a given target.
/JSON/ajaxSpider/action/scan/
GET
Ajaxspideractionscanasuser — Runs the AJAX Spider from the perspective of a User of the web application.
/JSON/ajaxSpider/action/scanAsUser/
GET
Ajaxspideractionsetenabledallowedresource — Sets whether or not an allowed resource is enabled.
/JSON/ajaxSpider/action/setEnabledAllowedResource/
GET
Ajaxspideractionsetoptionbrowserid — Sets the configuration of the AJAX Spider to use one of the supported browsers.
/JSON/ajaxSpider/action/setOptionBrowserId/
GET
Ajaxspideractionsetoptionclickdefaultelems — Sets whether or not the AJAX Spider will only click on the default HTML elements.
/JSON/ajaxSpider/action/setOptionClickDefaultElems/
GET
Ajaxspideractionsetoptionclickelemsonce — When enabled, the crawler attempts to interact with each element (e.g., by clicking) only once.
/JSON/ajaxSpider/action/setOptionClickElemsOnce/
GET
Ajaxspideractionsetoptionenableextensions — GET /JSON/ajaxSpider/action/setOptionEnableExtensions/
/JSON/ajaxSpider/action/setOptionEnableExtensions/
GET
Ajaxspideractionsetoptioneventwait — Sets the time to wait after an event (in milliseconds). For example: the wait delay after the cursor hovers over an element, in order for a menu to display, etc.
/JSON/ajaxSpider/action/setOptionEventWait/
GET
Ajaxspideractionsetoptionlogoutavoidance — Sets whether or not the AJAX Spider should avoid clicking logout elements.
/JSON/ajaxSpider/action/setOptionLogoutAvoidance/
GET
Ajaxspideractionsetoptionmaxcrawldepth — Sets the maximum depth that the crawler can reach.
/JSON/ajaxSpider/action/setOptionMaxCrawlDepth/
GET
Ajaxspideractionsetoptionmaxcrawlstates — Sets the maximum number of states that the crawler should crawl.
/JSON/ajaxSpider/action/setOptionMaxCrawlStates/
GET
Ajaxspideractionsetoptionmaxduration — The maximum time that the crawler is allowed to run.
/JSON/ajaxSpider/action/setOptionMaxDuration/
GET
Ajaxspideractionsetoptionnumberofbrowsers — Sets the number of windows to be used by AJAX Spider.
/JSON/ajaxSpider/action/setOptionNumberOfBrowsers/
GET
Ajaxspideractionsetoptionrandominputs — When enabled, inserts random values into form fields.
/JSON/ajaxSpider/action/setOptionRandomInputs/
GET
Ajaxspideractionsetoptionreloadwait — Sets the time to wait after the page is loaded before interacting with it.
/JSON/ajaxSpider/action/setOptionReloadWait/
GET
Ajaxspideractionsetoptionscopecheck — Sets the scope check.
/JSON/ajaxSpider/action/setOptionScopeCheck/
GET
Ajaxspideractionstop — Stops the AJAX Spider.
/JSON/ajaxSpider/action/stop/
GET
Ajaxspiderviewallowedresources — Gets the allowed resources. The allowed resources are always fetched even if out of scope, so that necessary resources (e.g. scripts) from third parties can be included.
/JSON/ajaxSpider/view/allowedResources/
GET
Ajaxspiderviewexcludedelements — Gets the excluded elements. The excluded elements are not clicked during crawling, for example, to prevent logging out.
/JSON/ajaxSpider/view/excludedElements/
GET
Ajaxspiderviewfullresults — Gets the full crawled content detected by the AJAX Spider. Returns a set of values based on 'inScope' URLs, 'outOfScope' URLs, and 'errors' encountered during the last/current run of the AJAX Spider.
/JSON/ajaxSpider/view/fullResults/
GET
Ajaxspiderviewnumberofresults — Gets the number of resources found.
/JSON/ajaxSpider/view/numberOfResults/
GET
Ajaxspiderviewoptionbrowserid — Gets the configured browser to use for crawling.
/JSON/ajaxSpider/view/optionBrowserId/
GET
Ajaxspiderviewoptionclickdefaultelems — Gets the configured value for 'Click Default Elements Only', HTML elements such as 'a', 'button', 'input', all associated with some action or links on the page.
/JSON/ajaxSpider/view/optionClickDefaultElems/
GET
Ajaxspiderviewoptionclickelemsonce — Gets the value configured for the AJAX Spider to know if it should click on the elements only once.
/JSON/ajaxSpider/view/optionClickElemsOnce/
GET
Ajaxspiderviewoptionenableextensions — GET /JSON/ajaxSpider/view/optionEnableExtensions/
/JSON/ajaxSpider/view/optionEnableExtensions/
GET
Ajaxspiderviewoptioneventwait — Gets the time to wait after an event (in milliseconds). For example: the wait delay after the cursor hovers over an element, in order for a menu to display, etc.
/JSON/ajaxSpider/view/optionEventWait/
GET
Ajaxspiderviewoptionlogoutavoidance — Gets the value of the Logout Avoidance option.
/JSON/ajaxSpider/view/optionLogoutAvoidance/
GET
Ajaxspiderviewoptionmaxcrawldepth — Gets the configured value for the max crawl depth.
/JSON/ajaxSpider/view/optionMaxCrawlDepth/
GET
Ajaxspiderviewoptionmaxcrawlstates — Gets the configured value for the maximum crawl states allowed.
/JSON/ajaxSpider/view/optionMaxCrawlStates/
GET
Ajaxspiderviewoptionmaxduration — Gets the configured max duration of the crawl; the value is in minutes.
/JSON/ajaxSpider/view/optionMaxDuration/
GET
Ajaxspiderviewoptionnumberofbrowsers — Gets the configured number of browsers to be used.
/JSON/ajaxSpider/view/optionNumberOfBrowsers/
GET
Ajaxspiderviewoptionrandominputs — Gets whether the AJAX Spider will use random values in form fields when crawling (true if it will).
/JSON/ajaxSpider/view/optionRandomInputs/
GET
Ajaxspiderviewoptionreloadwait — Gets the configured time to wait after reloading the page; this value is in milliseconds.
/JSON/ajaxSpider/view/optionReloadWait/
GET
Ajaxspiderviewoptionscopecheck — Gets the configured scope check.
/JSON/ajaxSpider/view/optionScopeCheck/
GET
Ajaxspiderviewresults — Gets the current results of the crawler.
/JSON/ajaxSpider/view/results/
GET
Ajaxspiderviewstatus — Gets the current status of the crawler. Actual values are Stopped and Running.
/JSON/ajaxSpider/view/status/
GET
Alertactionaddalert — Add an alert associated with the given message ID, with the provided details. (The ID of the created alert is returned.)
/JSON/alert/action/addAlert/
GET
Alertactiondeletealert — Deletes the alert with the given ID.
/JSON/alert/action/deleteAlert/
GET
Alertactiondeletealerts — Deletes all the alerts optionally filtered by URL which fall within the Context with the provided name, risk, or base URL.
/JSON/alert/action/deleteAlerts/
GET
Alertactiondeleteallalerts — Deletes all alerts of the current session.
/JSON/alert/action/deleteAllAlerts/
GET
Alertactionupdatealert — Update the alert with the given ID, with the provided details.
/JSON/alert/action/updateAlert/
GET
Alertactionupdatealertsconfidence — Update the confidence of the alerts.
/JSON/alert/action/updateAlertsConfidence/
GET
Alertactionupdatealertsrisk — Update the risk of the alerts.
/JSON/alert/action/updateAlertsRisk/
GET
Alertviewalert — Gets the alert with the given ID. The corresponding HTTP message can be obtained with the 'messageId' field and the 'message' API method.
/JSON/alert/view/alert/
GET
Alertviewalertcountsbyrisk — Gets a count of the alerts, optionally filtered as per alertsPerRisk
/JSON/alert/view/alertCountsByRisk/

MCP Tools

accesscontrolactionscan

Starts an Access Control scan with the given context ID and user ID. (Optional parameters: user ID for Unauthenticated user, boolean identifying whether or not Alerts are raised, and the Risk level for the Alerts.) [This assumes the Access

read-only idempotent
accesscontrolactionwritehtmlreport

Generates an Access Control report for the given context ID and saves it based on the provided filename (path).

read-only idempotent
accesscontrolviewgetscanprogress

Gets the Access Control scan progress (percentage integer) for the given context ID.

read-only idempotent
accesscontrolviewgetscanstatus

Gets the Access Control scan status (description string) for the given context ID.

read-only idempotent
acsrfactionaddoptiontoken

Adds an anti-CSRF token with the given name, enabled by default

read-only idempotent
acsrfactionremoveoptiontoken

Removes the anti-CSRF token with the given name

read-only idempotent
acsrfactionsetoptionpartialmatchingenabled

Define if ZAP should detect CSRF tokens by searching for partial matches.

read-only idempotent
acsrfothergenform

Generate a form for testing lack of anti-CSRF tokens - typically invoked via ZAP

read-only idempotent
acsrfviewoptionpartialmatchingenabled

Define if ZAP should detect CSRF tokens by searching for partial matches

read-only idempotent
acsrfviewoptiontokensnames

Lists the names of all anti-CSRF tokens

read-only idempotent
ajaxspideractionaddallowedresource

Adds an allowed resource.

read-only idempotent
ajaxspideractionaddexcludedelement

Adds an excluded element to a context.

read-only idempotent
ajaxspideractionmodifyexcludedelement

Modifies an excluded element of a context.

read-only idempotent
ajaxspideractionremoveallowedresource

Removes an allowed resource.

read-only idempotent
ajaxspideractionremoveexcludedelement

Removes an excluded element from a context.

read-only idempotent
ajaxspideractionscan

Runs the AJAX Spider against a given target.

read-only idempotent
ajaxspideractionscanasuser

Runs the AJAX Spider from the perspective of a User of the web application.

read-only idempotent
ajaxspideractionsetenabledallowedresource

Sets whether or not an allowed resource is enabled.

read-only idempotent
ajaxspideractionsetoptionbrowserid

Sets the configuration of the AJAX Spider to use one of the supported browsers.

read-only idempotent
ajaxspideractionsetoptionclickdefaultelems

Sets whether or not the AJAX Spider will only click on the default HTML elements.

read-only idempotent
ajaxspideractionsetoptionclickelemsonce

When enabled, the crawler attempts to interact with each element (e.g., by clicking) only once.

read-only idempotent
ajaxspideractionsetoptionenableextensions

GET /JSON/ajaxSpider/action/setOptionEnableExtensions/

read-only idempotent
ajaxspideractionsetoptioneventwait

Sets the time to wait after an event (in milliseconds). For example: the wait delay after the cursor hovers over an element, in order for a menu to display, etc.

read-only idempotent
ajaxspideractionsetoptionlogoutavoidance

Sets whether or not the AJAX Spider should avoid clicking logout elements.

read-only idempotent
ajaxspideractionsetoptionmaxcrawldepth

Sets the maximum depth that the crawler can reach.

read-only idempotent
ajaxspideractionsetoptionmaxcrawlstates

Sets the maximum number of states that the crawler should crawl.

read-only idempotent
ajaxspideractionsetoptionmaxduration

The maximum time that the crawler is allowed to run.

read-only idempotent
ajaxspideractionsetoptionnumberofbrowsers

Sets the number of windows to be used by AJAX Spider.

read-only idempotent
ajaxspideractionsetoptionrandominputs

When enabled, inserts random values into form fields.

read-only idempotent
ajaxspideractionsetoptionreloadwait

Sets the time to wait after the page is loaded before interacting with it.

read-only idempotent
ajaxspideractionsetoptionscopecheck

Sets the scope check.

read-only idempotent
ajaxspideractionstop

Stops the AJAX Spider.

read-only idempotent
ajaxspiderviewallowedresources

Gets the allowed resources. The allowed resources are always fetched even if out of scope, so that necessary resources (e.g. scripts) from third parties can be included.

read-only idempotent
ajaxspiderviewexcludedelements

Gets the excluded elements. The excluded elements are not clicked during crawling, for example, to prevent logging out.

read-only idempotent
ajaxspiderviewfullresults

Gets the full crawled content detected by the AJAX Spider. Returns a set of values based on 'inScope' URLs, 'outOfScope' URLs, and 'errors' encountered during the last/current run of the AJAX Spider.

read-only idempotent
ajaxspiderviewnumberofresults

Gets the number of resources found.

read-only idempotent
ajaxspiderviewoptionbrowserid

Gets the configured browser to use for crawling.

read-only idempotent
ajaxspiderviewoptionclickdefaultelems

Gets the configured value for 'Click Default Elements Only', HTML elements such as 'a', 'button', 'input', all associated with some action or links on the page.

read-only idempotent
ajaxspiderviewoptionclickelemsonce

Gets the value configured for the AJAX Spider to know if it should click on the elements only once.

read-only idempotent
ajaxspiderviewoptionenableextensions

GET /JSON/ajaxSpider/view/optionEnableExtensions/

read-only idempotent
ajaxspiderviewoptioneventwait

Gets the time to wait after an event (in milliseconds). For example: the wait delay after the cursor hovers over an element, in order for a menu to display, etc.

read-only idempotent
ajaxspiderviewoptionlogoutavoidance

Gets the value of the Logout Avoidance option.

read-only idempotent
ajaxspiderviewoptionmaxcrawldepth

Gets the configured value for the max crawl depth.

read-only idempotent
ajaxspiderviewoptionmaxcrawlstates

Gets the configured value for the maximum crawl states allowed.

read-only idempotent
ajaxspiderviewoptionmaxduration

Gets the configured max duration of the crawl; the value is in minutes.

read-only idempotent
ajaxspiderviewoptionnumberofbrowsers

Gets the configured number of browsers to be used.

read-only idempotent
ajaxspiderviewoptionrandominputs

Gets whether the AJAX Spider will use random values in form fields when crawling (true if it will).

read-only idempotent
ajaxspiderviewoptionreloadwait

Gets the configured time to wait after reloading the page; this value is in milliseconds.

read-only idempotent
ajaxspiderviewoptionscopecheck

Gets the configured scope check.

read-only idempotent
ajaxspiderviewresults

Gets the current results of the crawler.

read-only idempotent
ajaxspiderviewstatus

Gets the current status of the crawler. Actual values are Stopped and Running.

read-only idempotent
alertactionaddalert

Add an alert associated with the given message ID, with the provided details. (The ID of the created alert is returned.)

read-only idempotent
alertactiondeletealert

Deletes the alert with the given ID.

read-only idempotent
alertactiondeletealerts

Deletes all the alerts optionally filtered by URL which fall within the Context with the provided name, risk, or base URL.

read-only idempotent
alertactiondeleteallalerts

Deletes all alerts of the current session.

read-only idempotent
alertactionupdatealert

Update the alert with the given ID, with the provided details.

read-only idempotent
alertactionupdatealertsconfidence

Update the confidence of the alerts.

read-only idempotent
alertactionupdatealertsrisk

Update the risk of the alerts.

read-only idempotent
alertviewalert

Gets the alert with the given ID. The corresponding HTTP message can be obtained with the 'messageId' field and the 'message' API method.

read-only idempotent
alertviewalertcountsbyrisk

Gets a count of the alerts, optionally filtered as per alertsPerRisk

read-only idempotent

Capability Spec

owasp-zap-capability.yaml
naftiko: 1.0.0-alpha2
info:
  label: ZAP API
  description: The HTTP API for controlling and accessing ZAP.
  tags:
  - Owasp
  - Zap
  - API
  created: '2026-05-06'
  modified: '2026-05-06'
capability:
  consumes:
  - type: http
    namespace: owasp-zap
    baseUri: http://zap
    description: ZAP API HTTP API.
    authentication:
      type: apikey
      in: header
      name: X-ZAP-API-Key
      value: '{{OWASP_ZAP_TOKEN}}'
    resources:
    - name: json-accesscontrol-action-scan
      path: /JSON/accessControl/action/scan/
      operations:
      - name: accesscontrolactionscan
        method: GET
        description: 'Starts an Access Control scan with the given context ID and user ID. (Optional parameters: user ID for
          Unauthenticated user, boolean identifying whether or not Alerts are raised, and the Risk level for the Alerts.)
          [This assumes the Access '
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-accesscontrol-action-writehtmlreport
      path: /JSON/accessControl/action/writeHTMLreport/
      operations:
      - name: accesscontrolactionwritehtmlreport
        method: GET
        description: Generates an Access Control report for the given context ID and saves it based on the provided filename
          (path).
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-accesscontrol-view-getscanprogress
      path: /JSON/accessControl/view/getScanProgress/
      operations:
      - name: accesscontrolviewgetscanprogress
        method: GET
        description: Gets the Access Control scan progress (percentage integer) for the given context ID.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-accesscontrol-view-getscanstatus
      path: /JSON/accessControl/view/getScanStatus/
      operations:
      - name: accesscontrolviewgetscanstatus
        method: GET
        description: Gets the Access Control scan status (description string) for the given context ID.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-acsrf-action-addoptiontoken
      path: /JSON/acsrf/action/addOptionToken/
      operations:
      - name: acsrfactionaddoptiontoken
        method: GET
        description: Adds an anti-CSRF token with the given name, enabled by default
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-acsrf-action-removeoptiontoken
      path: /JSON/acsrf/action/removeOptionToken/
      operations:
      - name: acsrfactionremoveoptiontoken
        method: GET
        description: Removes the anti-CSRF token with the given name
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-acsrf-action-setoptionpartialmatchingenable
      path: /JSON/acsrf/action/setOptionPartialMatchingEnabled/
      operations:
      - name: acsrfactionsetoptionpartialmatchingenabled
        method: GET
        description: Define if ZAP should detect CSRF tokens by searching for partial matches.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: other-acsrf-other-genform
      path: /OTHER/acsrf/other/genForm/
      operations:
      - name: acsrfothergenform
        method: GET
        description: Generate a form for testing lack of anti-CSRF tokens - typically invoked via ZAP
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-acsrf-view-optionpartialmatchingenabled
      path: /JSON/acsrf/view/optionPartialMatchingEnabled/
      operations:
      - name: acsrfviewoptionpartialmatchingenabled
        method: GET
        description: Define if ZAP should detect CSRF tokens by searching for partial matches
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-acsrf-view-optiontokensnames
      path: /JSON/acsrf/view/optionTokensNames/
      operations:
      - name: acsrfviewoptiontokensnames
        method: GET
        description: Lists the names of all anti-CSRF tokens
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-action-addallowedresource
      path: /JSON/ajaxSpider/action/addAllowedResource/
      operations:
      - name: ajaxspideractionaddallowedresource
        method: GET
        description: Adds an allowed resource.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-action-addexcludedelement
      path: /JSON/ajaxSpider/action/addExcludedElement/
      operations:
      - name: ajaxspideractionaddexcludedelement
        method: GET
        description: Adds an excluded element to a context.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-action-modifyexcludedelement
      path: /JSON/ajaxSpider/action/modifyExcludedElement/
      operations:
      - name: ajaxspideractionmodifyexcludedelement
        method: GET
        description: Modifies an excluded element of a context.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-action-removeallowedresource
      path: /JSON/ajaxSpider/action/removeAllowedResource/
      operations:
      - name: ajaxspideractionremoveallowedresource
        method: GET
        description: Removes an allowed resource.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-action-removeexcludedelement
      path: /JSON/ajaxSpider/action/removeExcludedElement/
      operations:
      - name: ajaxspideractionremoveexcludedelement
        method: GET
        description: Removes an excluded element from a context.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-action-scan
      path: /JSON/ajaxSpider/action/scan/
      operations:
      - name: ajaxspideractionscan
        method: GET
        description: Runs the AJAX Spider against a given target.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-action-scanasuser
      path: /JSON/ajaxSpider/action/scanAsUser/
      operations:
      - name: ajaxspideractionscanasuser
        method: GET
        description: Runs the AJAX Spider from the perspective of a User of the web application.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-action-setenabledallowedresource
      path: /JSON/ajaxSpider/action/setEnabledAllowedResource/
      operations:
      - name: ajaxspideractionsetenabledallowedresource
        method: GET
        description: Sets whether or not an allowed resource is enabled.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-action-setoptionbrowserid
      path: /JSON/ajaxSpider/action/setOptionBrowserId/
      operations:
      - name: ajaxspideractionsetoptionbrowserid
        method: GET
        description: Sets the configuration of the AJAX Spider to use one of the supported browsers.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-action-setoptionclickdefaultelem
      path: /JSON/ajaxSpider/action/setOptionClickDefaultElems/
      operations:
      - name: ajaxspideractionsetoptionclickdefaultelems
        method: GET
        description: Sets whether or not the AJAX Spider will only click on the default HTML elements.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-action-setoptionclickelemsonce
      path: /JSON/ajaxSpider/action/setOptionClickElemsOnce/
      operations:
      - name: ajaxspideractionsetoptionclickelemsonce
        method: GET
        description: When enabled, the crawler attempts to interact with each element (e.g., by clicking) only once.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-action-setoptionenableextensions
      path: /JSON/ajaxSpider/action/setOptionEnableExtensions/
      operations:
      - name: ajaxspideractionsetoptionenableextensions
        method: GET
        description: GET /JSON/ajaxSpider/action/setOptionEnableExtensions/
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-action-setoptioneventwait
      path: /JSON/ajaxSpider/action/setOptionEventWait/
      operations:
      - name: ajaxspideractionsetoptioneventwait
        method: GET
        description: 'Sets the time to wait after an event (in milliseconds). For example: the wait delay after the cursor
          hovers over an element, in order for a menu to display, etc.'
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-action-setoptionlogoutavoidance
      path: /JSON/ajaxSpider/action/setOptionLogoutAvoidance/
      operations:
      - name: ajaxspideractionsetoptionlogoutavoidance
        method: GET
        description: Sets whether or not the AJAX Spider should avoid clicking logout elements.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-action-setoptionmaxcrawldepth
      path: /JSON/ajaxSpider/action/setOptionMaxCrawlDepth/
      operations:
      - name: ajaxspideractionsetoptionmaxcrawldepth
        method: GET
        description: Sets the maximum depth that the crawler can reach.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-action-setoptionmaxcrawlstates
      path: /JSON/ajaxSpider/action/setOptionMaxCrawlStates/
      operations:
      - name: ajaxspideractionsetoptionmaxcrawlstates
        method: GET
        description: Sets the maximum number of states that the crawler should crawl.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-action-setoptionmaxduration
      path: /JSON/ajaxSpider/action/setOptionMaxDuration/
      operations:
      - name: ajaxspideractionsetoptionmaxduration
        method: GET
        description: The maximum time that the crawler is allowed to run.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-action-setoptionnumberofbrowsers
      path: /JSON/ajaxSpider/action/setOptionNumberOfBrowsers/
      operations:
      - name: ajaxspideractionsetoptionnumberofbrowsers
        method: GET
        description: Sets the number of windows to be used by AJAX Spider.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-action-setoptionrandominputs
      path: /JSON/ajaxSpider/action/setOptionRandomInputs/
      operations:
      - name: ajaxspideractionsetoptionrandominputs
        method: GET
        description: When enabled, inserts random values into form fields.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-action-setoptionreloadwait
      path: /JSON/ajaxSpider/action/setOptionReloadWait/
      operations:
      - name: ajaxspideractionsetoptionreloadwait
        method: GET
        description: Sets the time to wait after the page is loaded before interacting with it.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-action-setoptionscopecheck
      path: /JSON/ajaxSpider/action/setOptionScopeCheck/
      operations:
      - name: ajaxspideractionsetoptionscopecheck
        method: GET
        description: Sets the scope check.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-action-stop
      path: /JSON/ajaxSpider/action/stop/
      operations:
      - name: ajaxspideractionstop
        method: GET
        description: Stops the AJAX Spider.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-view-allowedresources
      path: /JSON/ajaxSpider/view/allowedResources/
      operations:
      - name: ajaxspiderviewallowedresources
        method: GET
        description: Gets the allowed resources. The allowed resources are always fetched even if out of scope, allowing to
          include necessary resources (e.g. scripts) from 3rd-parties.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-view-excludedelements
      path: /JSON/ajaxSpider/view/excludedElements/
      operations:
      - name: ajaxspiderviewexcludedelements
        method: GET
        description: Gets the excluded elements. The excluded elements are not clicked during crawling, for example, to prevent
          logging out.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-view-fullresults
      path: /JSON/ajaxSpider/view/fullResults/
      operations:
      - name: ajaxspiderviewfullresults
        method: GET
        description: Gets the full crawled content detected by the AJAX Spider. Returns a set of values based on 'inScope'
          URLs, 'outOfScope' URLs, and 'errors' encountered during the last/current run of the AJAX Spider.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-view-numberofresults
      path: /JSON/ajaxSpider/view/numberOfResults/
      operations:
      - name: ajaxspiderviewnumberofresults
        method: GET
        description: Gets the number of resources found.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-view-optionbrowserid
      path: /JSON/ajaxSpider/view/optionBrowserId/
      operations:
      - name: ajaxspiderviewoptionbrowserid
        method: GET
        description: Gets the configured browser to use for crawling.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-view-optionclickdefaultelems
      path: /JSON/ajaxSpider/view/optionClickDefaultElems/
      operations:
      - name: ajaxspiderviewoptionclickdefaultelems
        method: GET
        description: Gets the configured value for 'Click Default Elements Only', HTML elements such as 'a', 'button', 'input',
          all associated with some action or links on the page.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-view-optionclickelemsonce
      path: /JSON/ajaxSpider/view/optionClickElemsOnce/
      operations:
      - name: ajaxspiderviewoptionclickelemsonce
        method: GET
        description: Gets the value configured for the AJAX Spider to know if it should click on the elements only once.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-view-optionenableextensions
      path: /JSON/ajaxSpider/view/optionEnableExtensions/
      operations:
      - name: ajaxspiderviewoptionenableextensions
        method: GET
        description: GET /JSON/ajaxSpider/view/optionEnableExtensions/
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-view-optioneventwait
      path: /JSON/ajaxSpider/view/optionEventWait/
      operations:
      - name: ajaxspiderviewoptioneventwait
        method: GET
        description: 'Gets the time to wait after an event (in milliseconds). For example: the wait delay after the cursor
          hovers over an element, in order for a menu to display, etc.'
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-view-optionlogoutavoidance
      path: /JSON/ajaxSpider/view/optionLogoutAvoidance/
      operations:
      - name: ajaxspiderviewoptionlogoutavoidance
        method: GET
        description: Gets the value of the Logout Avoidance option.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-view-optionmaxcrawldepth
      path: /JSON/ajaxSpider/view/optionMaxCrawlDepth/
      operations:
      - name: ajaxspiderviewoptionmaxcrawldepth
        method: GET
        description: Gets the configured value for the max crawl depth.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-view-optionmaxcrawlstates
      path: /JSON/ajaxSpider/view/optionMaxCrawlStates/
      operations:
      - name: ajaxspiderviewoptionmaxcrawlstates
        method: GET
        description: Gets the configured value for the maximum crawl states allowed.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-view-optionmaxduration
      path: /JSON/ajaxSpider/view/optionMaxDuration/
      operations:
      - name: ajaxspiderviewoptionmaxduration
        method: GET
        description: Gets the configured max duration of the crawl, the value is in minutes.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-view-optionnumberofbrowsers
      path: /JSON/ajaxSpider/view/optionNumberOfBrowsers/
      operations:
      - name: ajaxspiderviewoptionnumberofbrowsers
        method: GET
        description: Gets the configured number of browsers to be used.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-view-optionrandominputs
      path: /JSON/ajaxSpider/view/optionRandomInputs/
      operations:
      - name: ajaxspiderviewoptionrandominputs
        method: GET
        description: Gets if the AJAX Spider will use random values in form fields when crawling, if set to true.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-view-optionreloadwait
      path: /JSON/ajaxSpider/view/optionReloadWait/
      operations:
      - name: ajaxspiderviewoptionreloadwait
        method: GET
        description: Gets the configured time to wait after reloading the page, this value is in milliseconds.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-view-optionscopecheck
      path: /JSON/ajaxSpider/view/optionScopeCheck/
      operations:
      - name: ajaxspiderviewoptionscopecheck
        method: GET
        description: Gets the configured scope check.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-view-results
      path: /JSON/ajaxSpider/view/results/
      operations:
      - name: ajaxspiderviewresults
        method: GET
        description: Gets the current results of the crawler.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-ajaxspider-view-status
      path: /JSON/ajaxSpider/view/status/
      operations:
      - name: ajaxspiderviewstatus
        method: GET
        description: Gets the current status of the crawler. Actual values are Stopped and Running.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-alert-action-addalert
      path: /JSON/alert/action/addAlert/
      operations:
      - name: alertactionaddalert
        method: GET
        description: Add an alert associated with the given message ID, with the provided details. (The ID of the created
          alert is returned.)
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-alert-action-deletealert
      path: /JSON/alert/action/deleteAlert/
      operations:
      - name: alertactiondeletealert
        method: GET
        description: Deletes the alert with the given ID.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-alert-action-deletealerts
      path: /JSON/alert/action/deleteAlerts/
      operations:
      - name: alertactiondeletealerts
        method: GET
        description: Deletes all the alerts optionally filtered by URL which fall within the Context with the provided name,
          risk, or base URL.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-alert-action-deleteallalerts
      path: /JSON/alert/action/deleteAllAlerts/
      operations:
      - name: alertactiondeleteallalerts
        method: GET
        description: Deletes all alerts of the current session.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-alert-action-updatealert
      path: /JSON/alert/action/updateAlert/
      operations:
      - name: alertactionupdatealert
        method: GET
        description: Update the alert with the given ID, with the provided details.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-alert-action-updatealertsconfidence
      path: /JSON/alert/action/updateAlertsConfidence/
      operations:
      - name: alertactionupdatealertsconfidence
        method: GET
        description: Update the confidence of the alerts.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-alert-action-updatealertsrisk
      path: /JSON/alert/action/updateAlertsRisk/
      operations:
      - name: alertactionupdatealertsrisk
        method: GET
        description: Update the risk of the alerts.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-alert-view-alert
      path: /JSON/alert/view/alert/
      operations:
      - name: alertviewalert
        method: GET
        description: Gets the alert with the given ID, the corresponding HTTP message can be obtained with the 'messageId'
          field and 'message' API method
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: json-alert-view-alertcountsbyrisk
      path: /JSON/alert/view/alertCountsByRisk/
      operations:
      - name: alertviewalertcountsbyrisk
        method: GET
        description: Gets a count of the alerts, optionally filtered as per alertsPerRisk
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
  exposes:
  - type: rest
    port: 8080
    namespace: owasp-zap-rest
    description: REST adapter for ZAP API.
    resources:
    - path: /JSON/accessControl/action/scan/
      name: accesscontrolactionscan
      operations:
      - method: GET
        name: accesscontrolactionscan
        description: 'Starts an Access Control scan with the given context ID and user ID. (Optional parameters: user ID for
          Unauthenticated user, boolean identifying whether or not Alerts are raised, and the Risk level for the Alerts.)
          [This assumes the Access '
        call: owasp-zap.accesscontrolactionscan
        outputParameters:
        - type: object
          mapping: $.
    - path: /JSON/accessControl/action/writeHTMLreport/
      name: accesscontrolactionwritehtmlreport
      operations:
      - method: GET
        name: accesscontrolactionwritehtmlreport
        description: Generates an Access Control report for the given context ID and saves it based on the provided filename
          (path).
        call: owasp-zap.accesscontrolactionwritehtmlreport
        outputParameters:
        - type: object
          mapping: $.
    - path: /JSON/accessControl/view/getScanProgress/
      name: accesscontrolviewgetscanprogress
      operations:
      - method: GET
        name: accesscontrolviewgetscanprogress
        description: Gets the Access Control scan progress (percentage integer) for the given context ID.
        call: owasp-zap.accesscontrolviewgetscanprogress
        outputParameters:
        - type: object
          mapping: $.
    - path: /JSON/accessControl/view/getScanStatus/
      name: accesscontrolviewgetscanstatus
      operations:
      - method: GET
        name: accesscontrolviewgetscanstatus
        description: Gets the Access Control scan status (description string) for the given context ID.
        call: owasp-zap.accesscontrolviewgetscanstatus
        outputParameters:
        - type: object
          mapping: $.
    - path: /JSON/acsrf/action/addOptionToken/
      name: acsrfactionaddoptiontoken
      operations:
      - method: GET
        name: acsrfactionaddoptiontoken
        description: Adds an anti-CSRF token with the given name, enabled by default
        call: owasp-zap.acsrfactionaddoptiontoken
        outputParameters:
        - type: object
          mapping: $.
    - path: /JSON/acsrf/action/removeOptionToken/
      name: acsrfactionremoveoptiontoken
      operations:
      - method: GET
        name: acsrfactionremoveoptiontoken
        description: Removes the anti-CSRF token with the given name
        call: owasp-zap.acsrfactionremoveoptiontoken
        outputParameters:
        - type: object
          mapping: $.
    - path: /JSON/acsrf/action/setOptionPartialMatchingEnabled/
      name: acsrfactionsetoptionpartialmatchingenabled
      operations:
      - method: GET
        name: acsrfactionsetoptionpartialmatchingenabled
        description: Define if ZAP should detect CSRF tokens by searching for partial matches.
        call: owasp-zap.acsrfactionsetoptionpartialmatchingenabled
        outputParameters:
        - type: object
          mapping: $.
    - path: /OTHER/acsrf/other/genForm/
      name: acsrfothergenform
      operations:
      - method: GET
        name: acsrfothergenform
        description: Generate a form for testing lack of anti-CSRF tokens - typically invoked via ZAP
        call: owasp-zap.acsrfothergenform
        outputParameters:
        - type: object
          mapping: $.
    - path: /JSON/acsrf/view/optionPartialMatchingEnabled/
      name: acsrfviewoptionpartialmatchingenabled
      operations:
      - method: GET
        name: acsrfviewoptionpartialmatchingenabled
        description: Define if ZAP should detect CSRF tokens by searching for partial matches
        call: owasp-zap.acsrfviewoptionpartialmatchingenabled
        outputParameters:
        - type: object
          mapping: $.
    - path: /JSON/acsrf/view/optionTokensNames/
      name: acsrfviewoptiontokensnames
      operations:
      - method: GET
        name: acsrfviewoptiontokensnames
        description: Lists the names of all anti-CSRF tokens
        call: owasp-zap.acsrfviewoptiontokensnames
        outputParameters:
        - type: object
          mapping: $.
    - path: /JSON/ajaxSpider/action/addAllowedResource/
      name: ajaxspideractionaddallowedresource
      operations:
      - method: GET
        name: ajaxspideractionaddallowedresource
        description: Adds an allowed resource.
        call: owasp-zap.ajaxspideractionaddallowedresource
        outputParameters:
        - type: object
          mapping: $.
    - path: /JSON/ajaxSpider/action/addExcludedElement/
      name: ajaxspideractionaddexcludedelement
      operations:
      - method: GET
        name: ajaxspideractionaddexcludedelement
        description: Adds an excluded element to a context.
        call: owasp-zap.ajaxspideractionaddexcludedelement
        outputParameters:
        - type: object
          mapping: $.
    - path: /JSON/ajaxSpider/action/modifyExcludedElement/
      name: ajaxspideractionmodifyexcludedelement
      operations:
      - method: GET
        name: ajaxspideractionmodifyexcludedelement
        description: Modifies an excluded element of a context.
        call: owasp-zap.ajaxspideractionmodifyexcludedelement
        outputParameters:
        - type: object
          mapping: $.
    - path: /JSON/ajaxSpider/action/removeAllowedResource/
      name: ajaxspideractionremoveallowedresource
      operations:
      - method: GET
        name: ajaxspideractionremoveallowedresource
        description: Removes an allowed resource.
        call: owasp-zap.ajaxspideractionremoveallowedresource
        outputParameters:
        - type: object
          mapping: $.
    - path: /JSON/ajaxSpider/action/removeExcludedElement/
      name: ajaxspideractionremoveexcludedelement
      operations:
      - method: GET
        name: ajaxspideractionremoveexcludedelement
        description: Removes an excluded element from a context.
        call: owasp-zap.ajaxspideractionremoveexcludedelement
        outputParameters:
        - type: object
          mapping: $.
    - path: /JSON/ajaxSpider/action/scan/
      name: ajaxspideractionscan
      operations:
      - method: GET
        name: ajaxspideractionscan
        description: Runs the AJAX Spider against a given target.
        call: owasp-zap.ajaxspideractionscan
        outputParameters:
        - type: object
          mapping: $.
    - path: /JSON/ajaxSpider/action/scanAsUser/
      name: ajaxspideractionscanasuser
      operations:
      - method: GET
        name: ajaxspideractionscanasuser
        description: Runs the AJAX Spider from the perspective of a User of the web application.
        call: owasp-zap.ajaxspideractionscanasuser
        outputParameters:
        - type: object
          mapping: $.
    - path: /JSON/ajaxSpider/action/setEnabledAllowedResource/
      name: ajaxspideractionsetenabledallowedresource
      operations:
      - method: GET
        name: ajaxspideractionsetenabledallowedresource
        description: Sets whether or not an allowed resource is enabled.
        call: owasp-zap.ajaxspideractionsetenabledallowedresource
        outputParameters:
        - type: object
          mapping: $.
    - path: /JSON/ajaxSpider/action/setOptionBrowserId/
      name: ajaxspideractionsetoptionbrowserid
      operations:
      - method: GET
        name: ajaxspideractionsetoptionbrowserid
        description: Sets the configuration of the AJAX Spider to use one of the supported browsers.
        call: owasp-zap.ajaxspideractionsetoptionbrowserid
        outputParameters:
        - type: object
          mapping: $.
    - path: /JSON/ajaxSpider/actio

# --- truncated at 32 KB (68 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/owasp-zap/refs/heads/main/capabilities/owasp-zap-capability.yaml