How long does it take?


shinto cv

Nov 17, 2015, 1:27:02 AM
to OWASP ZAP User Group
Hi..

I am using ZAP to test my web application using the default configuration. The initial 94 % took only around 8 hours and even after 19 hours it is still testing at 99 %. Also the following message

"70165694 [ZAP-ActiveScanner-0] WARN org.zaproxy.zap.extension.sqliplugin.SQLInjectionPlugin  - There is considerable lagging in connection response(s) which gives a standard deviation of 686.5501204694706ms on the sample set which is more than 500.0ms"

is repeatedly appearing on the zap log with occasional "parameter 'xxxxx' not injectable" message.

What is happening?


Thanks for your help in advance.

Simon Bennetts

Nov 17, 2015, 4:23:33 AM
to OWASP ZAP User Group
Try accessing your application while the scan is running, particularly when you're getting those messages.
It could well be that your app is struggling under the load that ZAP is placing on it.
Or it could be a WAF or similar rate limiting access to it.

Also have a look at this blog post for speeding up ZAP scans: https://blog.mozilla.org/security/2013/07/10/how-to-speed-up-owasp-zap-scans/

Cheers,

Simon
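The warning quoted in the first post comes from the SQL injection rule measuring how much the application's response times vary before it trusts time-based checks, and Simon's advice is to observe the app yourself while the scan runs. The following is an added diagnostic example, not ZAP's own code: it samples response latency, applies the same 500 ms standard-deviation threshold quoted in the log message (the page does not say whether ZAP uses the population or sample estimator, so population standard deviation is assumed), and counts status codes typical of a WAF or rate limiter. The probe URL, the 20-request sample size and the status codes counted as throttling are assumptions.

```python
"""Added example (not ZAP's code): sample an app's latency the way the SQL
injection rule's lag check does, and flag WAF-style throttling responses."""
import statistics
import sys
import time
import urllib.error
import urllib.request

ZAP_LAG_THRESHOLD_MS = 500.0  # threshold quoted in the ZAP log message
THROTTLE_CODES = (403, 429, 503)  # assumed: typical WAF / rate-limit replies

# Constructed sample (not measured): one slow outlier among normal responses.
CONSTRUCTED_SAMPLE_MS = [120.0, 135.0, 118.0, 2400.0, 125.0, 130.0]


def assess_latency(samples_ms, threshold_ms=ZAP_LAG_THRESHOLD_MS):
    """Return (population stddev in ms, True if it exceeds the threshold)."""
    if len(samples_ms) < 2:
        raise ValueError("need at least two samples")
    sd = statistics.pstdev(samples_ms)
    return sd, sd > threshold_ms


def classify_statuses(status_codes):
    """Count responses that suggest a WAF or rate limiter is interfering."""
    throttled = sum(1 for code in status_codes if code in THROTTLE_CODES)
    return {"total": len(status_codes), "throttled": throttled}


def probe(url, count=20, delay_s=0.5):
    """Request url `count` times; return (latencies_ms, status_codes).
    A network failure or timeout is recorded with status 0."""
    latencies, statuses = [], []
    for _ in range(count):
        start = time.monotonic()
        try:
            with urllib.request.urlopen(url, timeout=30) as resp:
                statuses.append(resp.status)
        except urllib.error.HTTPError as exc:
            statuses.append(exc.code)
        except urllib.error.URLError:
            statuses.append(0)
        latencies.append((time.monotonic() - start) * 1000.0)
        time.sleep(delay_s)
    return latencies, statuses


if __name__ == "__main__":
    # With a URL argument, probe the live app; otherwise use the constructed sample.
    lat, st = probe(sys.argv[1]) if len(sys.argv) > 1 else (CONSTRUCTED_SAMPLE_MS, [200] * 6)
    sd, lagging = assess_latency(lat)
    print(f"mean={statistics.mean(lat):.1f}ms stddev={sd:.1f}ms "
          f"{'LAGGING' if lagging else 'stable'} {classify_statuses(st)}")
```

Run it against the application during the scan; a standard deviation above 500 ms or a non-zero throttled count points at the app struggling or a WAF intervening, which is exactly when the time-based rule will stall or misjudge.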

shinto cv

Nov 17, 2015, 5:01:39 AM
to OWASP ZAP User Group
Hi.. I read the blog.. it says if one plugin takes significantly more time it is a problem.. the advanced sql injection plugin is taking very long to complete (more than 17 hours).. It has been running for 24 hours.. it is still on 99 %.. I am attaching a screenshot of the scan progress.. please take a look..

Regards,
Shinto.
Screenshot - zap active scan progress.png

shinto cv

Nov 17, 2015, 6:56:16 AM
to OWASP ZAP User Group
Hi..
I checked the version of the Advanced Sql Injection plugin since it was mentioned in your blog. Like you said I am using the beta version. Does that mean the results obtained are erroneous?

Thanks,

Shinto.

Simon Bennetts

Nov 17, 2015, 7:38:58 AM
to OWASP ZAP User Group
All results obtained by automated scanning can be erroneous ;)
Rules only get to release status when we're confident they are as robust as possible, so you can hopefully be more confident about those, and similarly beta plugins may well be more robust than alpha ones.
Note that all new add-ons / plugins must start at alpha and then go to beta before they can become release quality, so they could actually be very robust just not have had enough exposure for us to promote them.
However all plugins should run within a reasonable length of time, and clearly the Advanced SQL Injection plugin isn't doing that in your case.
Could you raise an issue for this?
I'd recommend turning it off for your application - it should definitely not take that long.

Cheers,

Simon