APIs can be challenging for security testing for a variety of reasons. The first problem you will encounter is how to explore an API effectively: most APIs cannot be explored using browsing or standard spidering techniques. However, many APIs are described using technologies such as SOAP and OpenAPI / Swagger. These standards define the API endpoints, and the definitions can be imported into ZAP using 2 optional add-ons.
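The following Python example is added here for illustration; it is not ZAP's importer and not code from the original page. It shows how an OpenAPI definition yields the list of requests that a spider has no links to discover. The definition, the host `api.example.test` and the names `SAMPLE_SPEC` and `seed_requests` are constructed, and parameters are assumed to be declared inline rather than through `$ref`.

```python
import json

# Constructed sample OpenAPI 3 definition (not from any real service).
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.0",
  "servers": [{"url": "https://api.example.test/v1"}],
  "paths": {
    "/users": {
      "get": {"parameters": [{"name": "limit", "in": "query", "schema": {"type": "integer"}}]},
      "post": {"requestBody": {"content": {"application/json": {}}}}
    },
    "/users/{id}": {
      "parameters": [{"name": "id", "in": "path", "required": true, "schema": {"type": "integer"}}],
      "get": {}, "delete": {}
    }
  }
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
PLACEHOLDERS = {"integer": "1", "number": "1.0", "boolean": "true"}

def seed_requests(spec):
    """Return a sorted list of (METHOD, URL, body content types), one per operation."""
    base = (spec.get("servers") or [{"url": ""}])[0]["url"].rstrip("/")
    seeds = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])  # parameters common to every method on this path
        for method, op in item.items():
            if method not in HTTP_METHODS:   # skip non-operation keys such as "parameters"
                continue
            # Operation-level parameters override path-level ones with the same (name, in).
            # Assumption: parameters are inline objects, not $ref pointers.
            params = {(p["name"], p["in"]): p for p in shared}
            params.update({(p["name"], p["in"]): p for p in op.get("parameters", [])})
            url, query = base + path, []
            for (name, where), p in params.items():
                value = PLACEHOLDERS.get(p.get("schema", {}).get("type"), "test")
                if where == "path":
                    url = url.replace("{" + name + "}", value)  # fill the path template
                elif where == "query":
                    query.append(f"{name}={value}")
            if query:
                url += "?" + "&".join(query)
            bodies = sorted(op.get("requestBody", {}).get("content", {}))
            seeds.append((method.upper(), url, bodies))
    return sorted(seeds)
```

None of these four operations is reachable by following links from a page, which is why importing the definition is the practical way to give a scanner coverage of the API.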