How to increase Java memory size while using spider and active scan


Utku Yıldırım

Jan 17, 2017, 8:37:30 AM
to OWASP ZAP User Group

Hi guys,

I could not find any options inside ZAP settings to increase JVM. I have already tried editing ZAP.bat as I am running on Windows. I also set -Xms in addition to -Xmx but still no luck. Can you please let me know how to do it?

Regards,
Utku

Utku Yıldırım

Jan 18, 2017, 1:57:00 AM
to OWASP ZAP User Group
And also ZAP freezes when I tried to spider or active scan with authenticated session with forced user.

Any ideas?

On Tuesday, January 17, 2017 at 16:37:30 UTC+3, Utku Yıldırım wrote:

kingthorin+owaspzap

Jan 18, 2017, 8:08:45 AM
to OWASP ZAP User Group
What version of Java? What did you set exactly?

Utku Yıldırım

Jan 18, 2017, 8:27:03 AM
to OWASP ZAP User Group
I have Java 6, 7, 8 installed but not sure which one ZAP uses. I set the zap.bat file for increasing max Java memory.

@if exist "%HOMEPATH%\OWASP ZAP\.ZAP_JVM.properties" (
@ set /p jvmopts=< "%HOMEPATH%\OWASP ZAP\.ZAP_JVM.properties"
@) else (
set jvmopts=-Xmx4096
@)

java %jvmopts% -jar zap-2.5.0.jar %*

Regards,
Utku

On Wednesday, January 18, 2017 at 16:08:45 UTC+3, kingthorin+owaspzap wrote:

Simon Bennetts

Jan 18, 2017, 8:51:11 AM
to OWASP ZAP User Group
It looks like you are using ZAP 2.5.0 in which case you can set the memory via the JVM Options screen: https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsOptionsJvm

Cheers,

Simon

Utku Yıldırım

Jan 19, 2017, 6:01:38 AM
to OWASP ZAP User Group
Hi Simon, yes I do but I cannot find that .ZAP_JVM.properties file under C:\Users\\OWASP ZAP

Any ideas?

Thanks.

On Wednesday, January 18, 2017 at 16:51:11 UTC+3, Simon Bennetts wrote:

Simon Bennetts

Jan 26, 2017, 6:33:04 AM
to OWASP ZAP User Group
That's strange :/
Are there any errors logged in the zap.log file?
Can you find that file anywhere else on your HD?

Cheers,

Simon

thc...@gmail.com

Jan 26, 2017, 7:07:48 AM
to zaprox...@googlegroups.com
The wiki was not rendering the path properly, it should be:
C:\Users\<username>\OWASP ZAP

(<username> being the name of the user that runs ZAP)

Also, note that the file exists only if the JVM option is set.

Best regards.

On 26/01/17 11:33, Simon Bennetts wrote:
> That's strange :/
> Are there any errors logged in the zap.log
> <https://github.com/zaproxy/zaproxy/wiki/FAQhelp#check-the-log-file> file?

Ignacio Rubio Guerrero

Jun 2, 2020, 10:53:10 AM
to OWASP ZAP User Group
Just in case it can help anybody.

I'm using ZAP docker with zap.sh: 
docker run -u zap  -v /tmp/:/zap/wrk/:rw --rm -ti --name owasp_zap -p 8090:8090 zap:latest zap.sh -daemon -port 8090 -host x.x.x.x -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config api.key=mykey -addoninstallall

I have checked that the assigned xmx by default is a quarter of the available memory (see these 3 examples)

Example1:
Available memory: 1968 MB
Using JVM args: -Xmx492m

Example2:
Available memory: 3942 MB
Using JVM args: -Xmx985m

Example3:
Available memory: 7470 MB
Using JVM args: -Xmx1867m

But you can always set the JVM memory manually (as explained in the ZAP docs):
docker run -u zap  -v /tmp/:/zap/wrk/:rw --rm -ti --name owasp_zap -p 8090:8090 zap:latest zap.sh -daemon -port 8090 -host x.x.x.x -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config api.key=mykey -addoninstallall -Xmx2048m

Question
Not sure what could be the best value to get it running as fast as possible but without wasting resources? (I can assign to the container whatever memory is needed)
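
The heap settings discussed in this thread, as an added example that is not part of any poster's message or of ZAP's own scripts: it converts an -Xmx value to bytes (the java launcher reads a size without a k/m/g suffix as bytes, so the `-Xmx4096` in the batch file quoted earlier means 4096 bytes) and reproduces the quarter-of-available-memory default from the three examples above. The function names and the 64 MB sanity floor are assumptions made for this example.

```shell
#!/bin/sh
# Added example: function names and the sanity floor are assumptions, not ZAP code.
MIN_HEAP_BYTES=$((64 * 1024 * 1024))    # assumed floor, chosen for this example

# xmx_to_bytes OPTION: print the heap size in bytes. A size without a k/m/g
# suffix is taken as bytes, which is how the java launcher reads it.
xmx_to_bytes() {
    val=${1#-Xmx}
    [ "$val" != "$1" ] || return 2              # not an -Xmx option
    case $val in
        *[kK]) num=${val%?}; mult=1024 ;;
        *[mM]) num=${val%?}; mult=$((1024 * 1024)) ;;
        *[gG]) num=${val%?}; mult=$((1024 * 1024 * 1024)) ;;
        *)     num=$val;     mult=1 ;;
    esac
    case $num in
        ''|*[!0-9]*) return 2 ;;                # empty or non-numeric size
    esac
    # Drop leading zeros so the shell does not parse the number as octal.
    while [ "${#num}" -gt 1 ] && [ "${num#0}" != "$num" ]; do num=${num#0}; done
    echo $((num * mult))
}

# check_xmx OPTION: print "ok <bytes>", "too-small <bytes>" or "invalid".
check_xmx() {
    if ! bytes=$(xmx_to_bytes "$1"); then
        echo "invalid"
    elif [ "$bytes" -lt "$MIN_HEAP_BYTES" ]; then
        echo "too-small $bytes"
    else
        echo "ok $bytes"
    fi
}

# default_xmx AVAILABLE_MB: a quarter of available memory, rounded down,
# matching the three "Using JVM args" examples quoted in the thread.
default_xmx() {
    echo "-Xmx$(($1 / 4))m"
}

# Constructed sample run: option strings as they might appear in a launcher.
for opt in -Xmx4096 -Xmx4096m -Xmx2048m -Xms512m; do
    printf '%-10s %s\n' "$opt" "$(check_xmx "$opt")"
done
for mb in 1968 3942 7470; do
    printf '%s MB available -> %s\n' "$mb" "$(default_xmx "$mb")"
done
```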

kingthorin+owaspzap

Jun 2, 2020, 3:57:42 PM
to OWASP ZAP User Group
You should start by not installing all addons, many of them are only helpful when using ZAP GUI.

Ignacio Rubio Guerrero

Jun 3, 2020, 10:11:27 AM
to OWASP ZAP User Group
I included all those because my SOC department told me that could be valuable during the analysis.

What implications does executing with all addons have? I can assume it will take longer to run the analysis and get the report (more time in general).

So, this is a suggestion for Simon Bennetts: What about including an option for zap.sh to install only those addons that can be used in daemon mode?

Simon Bennetts

Jun 3, 2020, 10:28:35 AM
to OWASP ZAP User Group
TBH I wouldn't expect that to make much difference.
I'd hope GUI specific add-ons would just not use much memory in daemon mode, but we'd need to double check that to make sure.