Getting Started

Creating a Collection

Before you can start an API Scan in ZeroThreat, you first need to create a Collection.

A Collection represents the source of your API endpoints and acts as the starting point for both unauthenticated and authenticated API scans. You can use it to scan public (unauthenticated) APIs right away, or later configure authentication for APIs that require it.

Here’s how you can create a collection in ZeroThreat.

Step 1: Create an API Target

First, you need to create a Target that defines the base URL of your API and sets the scan type.

  1. Go to the Targets section in ZeroThreat and click “Add Target.”
  2. Enter the Base URL of your API (e.g., https://api.example.com).
  3. Under Scan Type, select API Scan and choose your preferred Scanning Server.
  4. Click “Save” to add the target.

Step 2: Add an API Collection to Your Target

Once your target is set up:

  1. From the ZeroThreat dashboard, select the API target you just created.
  2. Click the Create New Collection button. This opens the Configure API Collection drawer, where you choose the source of your API Collection.

Step 3: Select Your API Source Type

ZeroThreat offers four options for importing your API collection:

Source Type           Description
Swagger File / URL    Upload a Swagger file or provide a public Swagger URL.
OpenAPI File          Upload an OpenAPI (OAS) YAML or JSON file.
Postman API           Import directly from a Postman collection.
HAR File              Upload a HAR (HTTP Archive) file from captured API traffic.

In this example, let’s choose the Swagger Source method:

  • ZeroThreat assigns a default name to the Collection Source, following the naming of your existing collections.
  • Upload your Swagger file, or enter only the path portion of the Swagger URL (e.g. /api/v1/swagger.json, not the full URL; it is resolved against the Target's Base URL), and click Fetch Collection.
  • ZeroThreat parses all the API endpoints from the file or the URL.

ZeroThreat only displays endpoints that fall within the scope of your Target URL. This keeps scans limited to assets you own and control. If endpoints you expect are missing after the fetch, check that the server entries in the specification (servers in OpenAPI 3, host and basePath in Swagger 2) match the Target's Base URL.

Step 4: Review and Configure API Endpoints

Once the API specification is parsed, click the View Collection button to see and review all the extracted API endpoints.

ZeroThreat highlights any endpoints that have missing or empty request bodies, which are common in incomplete API specs. These endpoints are marked with a Payload Unmapped symbol so you can identify them.

Filling in a request body for such endpoints is not mandatory to start a scan, but it is highly recommended. Providing sample data in request bodies helps ZeroThreat interact more accurately with your APIs, leading to more effective testing.

(Optional Step) Map Missing Payloads

Click any endpoint marked with the Payload Unmapped icon and provide sample request body data where needed.


You can also hover over the Collection Analysis button to get an overview of how many endpoints were parsed and how many of them are missing request bodies.

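Before uploading a spec, it helps to know which endpoints will survive the Target scope filter (Step 3) and which will be flagged as Payload Unmapped (Step 4). The script below is an added illustration, not ZeroThreat code, and its scope and body rules are only an approximation of the behaviour the steps above describe. The spec, the Target Base URL https://api.example.com and the per-path server override pointing at billing.other-vendor.com are all constructed for the example.

```python
"""Pre-flight check of an OpenAPI 3 spec before importing it as a collection.

(1) Keep only operations whose server URL is inside the Target's Base URL.
(2) Flag operations that would show as 'Payload Unmapped': a POST/PUT/PATCH
    with no request body, or a body with no example to use as sample data.
Added illustration; rules approximate the documented behaviour, not ZeroThreat's.
"""
import json
from urllib.parse import urlsplit

TARGET_BASE_URL = "https://api.example.com"  # assumed Target Base URL

# Constructed sample spec (what you might upload in Step 3).
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "servers": [{"url": "https://api.example.com/v1"}],
  "paths": {
    "/users": {
      "get": {"operationId": "listUsers"},
      "post": {
        "operationId": "createUser",
        "requestBody": {"content": {"application/json": {
          "schema": {"type": "object"},
          "example": {"name": "alice", "role": "viewer"}
        }}}
      }
    },
    "/users/{id}": {
      "put": {
        "operationId": "updateUser",
        "requestBody": {"content": {"application/json": {
          "schema": {"type": "object"}
        }}}
      },
      "delete": {"operationId": "deleteUser"}
    },
    "/sessions": {
      "post": {"operationId": "createSession"}
    },
    "/orders": {
      "servers": [{"url": "https://billing.other-vendor.com"}],
      "post": {"operationId": "createOrder"}
    }
  }
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
BODY_METHODS = {"post", "put", "patch"}


def in_scope(server_url: str, base_url: str) -> bool:
    """Scheme, host and port must match exactly; the server path must sit
    under the Target's path. Exact netloc comparison avoids treating
    api.example.com.evil.net as in scope."""
    s, b = urlsplit(server_url), urlsplit(base_url)
    if (s.scheme, s.netloc) != (b.scheme, b.netloc):
        return False
    return (s.path.rstrip("/") + "/").startswith(b.path.rstrip("/") + "/")


def has_sample_body(op: dict) -> bool:
    """True when some media type carries an example usable as sample data.
    A requestBody given only as a $ref has no inline content and is flagged."""
    content = op.get("requestBody", {}).get("content", {})
    for media in content.values():
        if "example" in media or media.get("examples"):
            return True
        if "example" in media.get("schema", {}):
            return True
    return False


def analyse(spec: dict, base_url: str) -> dict:
    """Bucket every operation ('METHOD /path') into in_scope, out_of_scope
    and payload_unmapped. Server lists cascade: operation > path > document;
    with no servers at all, the spec is taken as relative to the Target."""
    top = [s["url"] for s in spec.get("servers", [])]
    report = {"in_scope": [], "out_of_scope": [], "payload_unmapped": []}
    for path, item in spec.get("paths", {}).items():
        path_servers = [s["url"] for s in item.get("servers", [])] or top
        for method, op in item.items():
            if method not in HTTP_METHODS:  # skip 'servers', 'parameters', ...
                continue
            servers = [s["url"] for s in op.get("servers", [])] or path_servers or [base_url]
            key = f"{method.upper()} {path}"
            if not any(in_scope(u, base_url) for u in servers):
                report["out_of_scope"].append(key)
                continue
            report["in_scope"].append(key)
            if method in BODY_METHODS and not has_sample_body(op):
                report["payload_unmapped"].append(key)
    return report


if __name__ == "__main__":
    for bucket, ops in analyse(SAMPLE_SPEC, TARGET_BASE_URL).items():
        print(f"{bucket}: {ops}")
```

Running it shows POST /orders dropped as out of scope (its path-level server points at another host), and PUT /users/{id} and POST /sessions listed as payload unmapped; those are the endpoints worth giving sample bodies in Step 4 before you click Save. The script handles OpenAPI 3 only; a Swagger 2 file declares host and basePath instead of servers and puts the body in a parameter with in: body, so it needs different field lookups.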

Once you're done reviewing and configuring the endpoints, click Save.

Your collection is now ready to use. You can proceed to run an Unauthenticated API Scan or, if your APIs require authentication, configure API Authentication settings for this collection.

What’s Next?

Ready to scan? Continue to Unauthenticated API Scan. Do your APIs require authentication? Learn how to set up Authenticated API Scans.