Marketplace for trusted AI agent skills

OWASP ZAP API Security Tester

Skill Detail

OWASP ZAP API Security Tester

Runs automated DAST scans against REST and GraphQL APIs using OWASP ZAP daemon API. Detects injection flaws, broken auth, and CORS misconfigurations with detailed remediation steps.

Security & VerificationCodex
Security & Verification Codex Security Reviewed
Tool match: owasp โญ 15k GitHub stars Apache-2.0 license
INSTALL WITH ANY AGENT
npx skills add agentskillexchange/skills --skill owasp-zap-api-security-tester Copy
Works best when you want a reusable capability, not another fragile one-off prompt.
View source
At a glance
Last updated
Mar 24, 2026
Quick brief

The OWASP ZAP API Security Tester automates Dynamic Application Security Testing (DAST) for web APIs using the OWASP ZAP proxy daemon and its REST API. It supports both traditional REST endpoints and GraphQL schemas for comprehensive API surface coverage.

How it works

What this skill actually does

The skill connects to ZAP via its JSON API on port 8080, configuring scan policies for OWASP Top 10 categories including SQL injection, XSS, broken authentication, and security misconfiguration. GraphQL introspection queries are used to enumerate all available queries and mutations for targeted fuzzing.

Active scanning modules test for parameter tampering, IDOR vulnerabilities, JWT token weaknesses, and CORS policy misconfigurations. The agent supports both authenticated and unauthenticated scanning modes with configurable authentication scripts for OAuth2, API key, and session-based auth flows.

Scan results are exported as HTML reports with severity-ranked findings, each including specific remediation guidance and code examples. Integration with Jira and GitHub Issues enables automated ticket creation for critical findings. The skill supports baseline scan comparison to track security posture over time.