The purpose of the spider scan is to discover all resources and URLs for the target website. The spider visits these URLs and will try to identify all the hyperlinks in the responses. The scanning process continues recursively whenever new URLs are identified. All identified URLs can be used for further security inspection and active scans in the next step.

Sending the REST API request to ZAP will require the API key. To simplify the implementation, we will disable the API key in our demonstration. The API key can be disabled under the ZAP console menu, via Tools | Options | API | Disable the API Key checkbox. 

Here is the command to execute the spider scan by CURL:

$ curl   "http://localhost:8090/JSON/spider/action/scan/?zapapiformat=JSON&formMethod=GET&url=http://hackazon.webscantest.com&maxChildren=&recurse=&contextName=&subtreeOnly="

To get further information for the HTTP GET request for the spider scan, we can use the browser to visit the ZAP URL: http://localhost:8090/UI/. This provides an explanatory API document and operations. For example, we can trigger the spider scan by clicking on spider and scan (url maxChildren recurse contextName subtreeOnly). This will navigate us to http://localhost:8090/UI/spider/view/scans/ (as shown in the following diagram), where we can define some parameters and trigger the scan. After the spider scan is triggered, the URL we get is the final URL (the HTTP GET request) we need for the CURL automation.

The following diagram shows the spider scan UI operations in ZAP:

For Windows users, CURL can be downloaded here: https://curl.haxx.se/windows/.