ZAP GUI freezes on Active Scan

Hugo Baes Jr.

Jun 6, 2016, 1:59:34 PM
to OWASP ZAP Developer Group
Hi,

I'm trying to run ZAP on a big project at my work. The project has around 3500+ pages/requests (according to ZAP Spider), many of them forms with a dozen fields each.

When I run the Active Scan, it takes a lot of time (more than 4 days, session file 80 GB+), but I was never able to finish the scan because the application freezes.
I tried to run it a bunch of times, and I saw it freezing after a day or two of active scanning.
When I click on the progress details button, it seems ZAP enters an infinite loop with the stack trace below flooding the log files.
That happens both on Windows 10 and Linux Ubuntu 16.04 LTS, with ZAP versions 2.4.3 and 2.5.0.

2016-06-06 10:52:32,966 [AWT-EventQueue-0] ERROR ScanProgressDialog - You are attempting to add an observation for the time period Mon Jun 06 10:35:52 BRT 2016 but the series already contains an observation for that time period. Duplicates are not permitted.  Try using the addOrUpdate() method.
org.jfree.data.general.SeriesException: You are attempting to add an observation for the time period Mon Jun 06 10:35:52 BRT 2016 but the series already contains an observation for that time period. Duplicates are not permitted.  Try using the addOrUpdate() method.
at org.jfree.data.time.TimeSeries.add(TimeSeries.java:519)
at org.jfree.data.time.TimeSeries.add(TimeSeries.java:562)
at org.jfree.data.time.TimeSeries.add(TimeSeries.java:548)
at org.zaproxy.zap.extension.ascan.ScanProgressDialog.showProgress(Unknown Source)
at org.zaproxy.zap.extension.ascan.ScanProgressDialog.access$500(Unknown Source)
at org.zaproxy.zap.extension.ascan.ScanProgressDialog$5.actionPerformed(Unknown Source)
at javax.swing.JComboBox.fireActionEvent(Unknown Source)
at javax.swing.JComboBox.contentsChanged(Unknown Source)
at javax.swing.AbstractListModel.fireContentsChanged(Unknown Source)
at javax.swing.DefaultComboBoxModel.setSelectedItem(Unknown Source)
at javax.swing.DefaultComboBoxModel.addElement(Unknown Source)
at javax.swing.JComboBox.addItem(Unknown Source)
at org.zaproxy.zap.extension.ascan.ScanProgressDialog.setActiveScan(Unknown Source)
at org.zaproxy.zap.extension.ascan.ActiveScanPanel.showScanProgressDialog(Unknown Source)
at org.zaproxy.zap.extension.ascan.ActiveScanPanel.access$100(Unknown Source)
at org.zaproxy.zap.extension.ascan.ActiveScanPanel$3.actionPerformed(Unknown Source)
at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(Unknown Source)
at java.awt.AWTEventMulticaster.mouseReleased(Unknown Source)
at java.awt.Component.processMouseEvent(Unknown Source)
at javax.swing.JComponent.processMouseEvent(Unknown Source)
at java.awt.Component.processEvent(Unknown Source)
at java.awt.Container.processEvent(Unknown Source)
at java.awt.Component.dispatchEventImpl(Unknown Source)
at java.awt.Container.dispatchEventImpl(Unknown Source)
at java.awt.Component.dispatchEvent(Unknown Source)
at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
at java.awt.Container.dispatchEventImpl(Unknown Source)
at java.awt.Window.dispatchEventImpl(Unknown Source)
at java.awt.Component.dispatchEvent(Unknown Source)
at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
at java.awt.EventQueue.access$500(Unknown Source)
at java.awt.EventQueue$3.run(Unknown Source)
at java.awt.EventQueue$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
at java.awt.EventQueue$4.run(Unknown Source)
at java.awt.EventQueue$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
at java.awt.EventQueue.dispatchEvent(Unknown Source)
at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.run(Unknown Source)

I'm not really sure if the scan stops when I click on the progress details button (it seems it stops way before that), but the interface freezes the moment I click the button (it changes to the "pressed" state and the GUI freezes).

Thanks in advance.
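The stack trace above ends in JFreeChart's TimeSeries.add(), which throws SeriesException when two observations land in the same time period; the exception message itself points at addOrUpdate(). The following is an added illustration, not ZAP's code, that reproduces the failing call pattern and the non-throwing alternative. It assumes JFreeChart 1.0.13 or later (single-argument TimeSeries constructor) and that the progress chart is keyed by Second, as the trace's per-second timestamp suggests.

```java
import java.util.Date;
import org.jfree.data.general.SeriesException;
import org.jfree.data.time.Second;
import org.jfree.data.time.TimeSeries;

// Added example (not ZAP's code): models a progress chart that records one
// observation per dialog refresh. Two refreshes inside the same wall-clock
// second map to the same Second period.
public class ProgressSeriesDemo {

    // Mirrors the failing path in the trace: TimeSeries.add() rejects a
    // second observation for a period that already has one.
    static boolean recordWithAdd(TimeSeries series, Date now, double value) {
        try {
            series.add(new Second(now), value);
            return true;
        } catch (SeriesException e) {
            // Same exception class and message as in the ZAP log above.
            System.err.println("rejected duplicate period: " + e.getMessage());
            return false;
        }
    }

    // addOrUpdate() replaces the existing observation for the period, so a
    // refresh that fires twice within one second cannot raise SeriesException.
    static void recordWithAddOrUpdate(TimeSeries series, Date now, double value) {
        series.addOrUpdate(new Second(now), value);
    }

    public static void main(String[] args) {
        // Constructed input: the same instant reused for two consecutive refreshes.
        Date sameInstant = new Date();

        TimeSeries strict = new TimeSeries("requests/sec (add)");
        System.out.println("first add accepted: " + recordWithAdd(strict, sameInstant, 10.0));
        System.out.println("second add accepted: " + recordWithAdd(strict, sameInstant, 12.0));

        TimeSeries lenient = new TimeSeries("requests/sec (addOrUpdate)");
        recordWithAddOrUpdate(lenient, sameInstant, 10.0);
        recordWithAddOrUpdate(lenient, sameInstant, 12.0);
        System.out.println("items after two addOrUpdate calls: " + lenient.getItemCount());
    }
}
```

Run with jfreechart on the classpath; the strict series prints a rejection for the second call while the lenient series keeps a single, updated item.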

kingthorin+owaspzap

Jun 6, 2016, 2:35:42 PM
to OWASP ZAP Developer Group
First you should probably follow:
https://blog.mozilla.org/security/2013/07/10/how-to-speed-up-owasp-zap-scans/

You can also save time by setting technology information for the scan [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsAdvascan#technology].
Also you might want to review your configuration/app for Data Driven Content or Structural Modifiers [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsStructmods] to ensure you aren't needlessly testing the same functionality over and over again.

Hugo Baes Jr.

Jun 6, 2016, 2:58:58 PM
to OWASP ZAP Developer Group
Thanks for the quick response.

I did read it and configured a fast scan previously. It took about 4 hours to run with Medium Strength and Threshold. (Some low and medium alerts were found.)

However, now I need to run with High Strength and Low Threshold to capture all possible threats.
The amount of time it would take is not a problem, but I'm having trouble running a full scan with that configuration.

I don't know if the huge session file could be a problem.

Stephen Hookings

Jun 7, 2016, 3:21:36 AM
to OWASP ZAP Developer Group
If ZAP takes a few days then it is likely the commercial scanners will take a lot longer (unless you are caught in a loop). What we do is to spider a subset of the app, using our threat model to know where to concentrate effort, and restrict the scan to sub-paths from there. Repeat as necessary. Here you could spin up multiple versions in a cloud and run them in parallel.

Also, using any code-scan info you have to determine what input is expected can be helpful. I.e., won't you have to fuzz for SQLi with ZAP? So how are you automating the choice of parameters here?

Divide and conquer would be the approach I take for an aggressive scan.

My 2 cents
Steve Hookings

thc...@gmail.com

Jun 7, 2016, 5:46:51 AM
to zaproxy...@googlegroups.com
Hi.

Would you mind raising an issue? [1]


[1] https://github.com/zaproxy/zaproxy/issues/new

Thanks!
Best regards.

Hugo Baes Jr.

Jun 7, 2016, 4:57:22 PM
to OWASP ZAP Developer Group
Well, I will try the Divide and Conquer approach first, as pointed out by Stephen.

Maybe it's not an application issue, but a resource limitation (memory/processor).

Stephen Hookings

Jun 8, 2016, 2:49:31 AM
to OWASP ZAP Developer Group
Btw, I posted whilst on the train to Infosec. It seems to have mutilated the post. Apologies.

For larger, incrementally changing apps, some of our dev teams use Selenium to train the tools (ZAP, BURP, WebInspect) against new. Concentrate on incremental test. Then run extended tests less frequently. Another form of divide and conquer. Since we are also getting big on cloud the parallelism approach is being trialled for some apps.

Regards
Steve Hookings

thc...@gmail.com

Jun 10, 2016, 4:31:12 AM
to zaproxy...@googlegroups.com
Hi.

An issue has been raised to address the GUI freeze:
https://github.com/zaproxy/zaproxy/issues/2550

Thanks.
Best regards.