Spider request wait time


slicedpan

May 4, 2022, 10:55:46 AM
to OWASP ZAP User Group
Hi,

Just wondering whether the requestWaitTime for the spider is supposed to do anything? I have set it through the API and started a spider, and it doesn't seem to have any effect. I had assumed that it would delay the requests that the spider makes to the target.

Cheers,
Slicedpan

thc...@gmail.com

May 4, 2022, 11:05:19 AM
to 'slicedpan' via OWASP ZAP User Group
Hi.

That's not used.

Best regards.

JJMullen_

May 4, 2022, 11:20:24 AM
to OWASP ZAP User Group
Just looking through this now, it seems ZAP does not support throttling during the spider phase, which is actually quite strange.

JJMullen_

May 5, 2022, 5:06:30 AM
to OWASP ZAP User Group
I did some further looking into this, as I want to get involved with the project - is there a reason why throttling was not implemented during the crawling phase?

I understand we can use a single thread and this would eventually slow down with the RTT increasing; however, the RTT increasing would be a result of the application's performance being impacted by the HTTP traffic - with larger applications this potentially could lead to a DoS causing missed content during the crawling phase?

Thanks!

thc...@gmail.com

May 5, 2022, 5:18:53 AM
to zaprox...@googlegroups.com
In that case I'd suggest using:
https://groups.google.com/group/zaproxy-develop


No specific reason, that option was added initially with that intention
but it was not actually implemented.

We don't have reports of that being a general problem; if the spider is
causing issues the active scan will probably cause more (it sends a lot
more requests than the spider, though the active scan does allow
delaying the requests).

Best regards.

JJMullen_

May 5, 2022, 6:41:19 AM
to OWASP ZAP User Group
Thank you for the information, thc202.