Active scan using crazy amount of disk space


Guno

Jan 14, 2026, 11:40:47 AM
to ZAP User Group
Hi there,
 
As a follow-up of https://github.com/zaproxy/zaproxy/issues/9212, I'm now sending to this User Group.
 
Since ZAP 2.17.0, some of my active scans have been failing with 'Out of database space, ZAP will effectively be unusable'. As I understood from the issue referenced above, this is most likely not a ZAP regression, but it just surfaced now because of the reworked error reporting.

So now I'm wondering why ZAP uses that much disk space for my scans, that it runs 'out of database space'.
I've regularly seen the session directory grow to dozens of GBs, but I've kind of gotten used to it over the years. However, the error I'm getting now probably is related, so that's why I want to know if I can reduce disk/database usage in my scans. Hoping for some pointers.
 
My scans basically look like this (run from a combination of npm and shell scripts):
  1. Start ZAP (zaproxy -daemon -nostdout -silent)
  2. Use Cypress to navigate through some fixed scenario in the application, using ZAP's proxy. This typically results in 75-150 entries in ZAP's History panel.
  3. Apply some ZAP configuration through the API:
  • set connection timeout (/core/action/setOptionTimeoutInSecs/?Integer=300).
  • set maximum rule duration (/ascan/action/setOptionMaxRuleDurationInMins/?Integer=45).
  • add two custom csrf tokens via /acsrf/action/addOptionToken/
  • exclude all technologies from context and selectively enable some (/context/action/excludeAllContextTechnologies and /context/action/includeContextTechnologies).
  • include url regex for application in context (/context/action/includeInContext).
  • disable some scanners that we're not interested in (/ascan/action/disableScanners).
  4. Run active scan against what the proxy collected (/ascan/action/scan/).
  5. Generate report (/reports/action/generate/).
  6. Stop ZAP (/core/action/shutdown/).
  7. Housekeeping:
  • rm -Rf ~/.ZAP/session/*
  • rm -Rf ~/.ZAP/.homelock

These steps are repeated a number of times, for different scenarios.

I've seen the problem start in the third iteration (and later iterations), but afterwards when scanning that scenario in isolation, the problem was also there. Not sure if this matters that much, as I delete the session data in-between iterations, but now you know.

If I need to provide more info, let me know. Unfortunately I cannot share any details about the application that I'm scanning.
 
 
Thanks!
 
Guno

Simon Bennetts

Jan 14, 2026, 12:17:21 PM
to ZAP User Group
Hiya Guno,

That's surprising.
Just to confirm:
  • You are starting and stopping ZAP each time
  • You are not specifying a session when you start ZAP
Is the ZAP session size roughly equivalent each time (for the same target)?

Cheers,

Simon

Guno

Jan 16, 2026, 3:57:43 AM
to ZAP User Group
Hello,

Yes, I can confirm both.

Just did another run, where I monitored the size of the ~/.ZAP/session directory during the scan.
This shows that the session directory does get quite big at some point, but at the point where the scan fails, it is not big at all. So it might not be related to disk space after all?

Logging for this run (most logging is from my scripts, not from ZAP itself). 


Thu 15 Jan 11:59:44 Started active scan number 0.
Thu 15 Jan 07:38:38 Active scan currently at: 0%
6.2M    /home/user/.ZAP/session
Thu 15 Jan 07:48:39 Active scan currently at: 2%
1.1G    /home/user/.ZAP/session
Thu 15 Jan 07:58:39 Active scan currently at: 2%
1.9G    /home/user/.ZAP/session
Thu 15 Jan 08:08:39 Active scan currently at: 4%
2.8G    /home/user/.ZAP/session
Thu 15 Jan 08:18:39 Active scan currently at: 4%
3.4G    /home/user/.ZAP/session
Thu 15 Jan 08:28:39 Active scan currently at: 9%
3.9G    /home/user/.ZAP/session
Thu 15 Jan 08:38:39 Active scan currently at: 9%
3.9G    /home/user/.ZAP/session
Thu 15 Jan 08:48:39 Active scan currently at: 19%
4.1G    /home/user/.ZAP/session
Thu 15 Jan 08:58:40 Active scan currently at: 19%
4.9G    /home/user/.ZAP/session
Thu 15 Jan 09:08:40 Active scan currently at: 21%
5.6G    /home/user/.ZAP/session
Thu 15 Jan 09:18:40 Active scan currently at: 21%
5.6G    /home/user/.ZAP/session
Thu 15 Jan 09:28:40 Active scan currently at: 23%
6.1G    /home/user/.ZAP/session
Thu 15 Jan 09:38:40 Active scan currently at: 23%
6.4G    /home/user/.ZAP/session
Thu 15 Jan 09:48:40 Active scan currently at: 23%
6.4G    /home/user/.ZAP/session
Thu 15 Jan 09:58:40 Active scan currently at: 26%
6.5G    /home/user/.ZAP/session
Thu 15 Jan 10:08:41 Active scan currently at: 31%
6.7G    /home/user/.ZAP/session
Thu 15 Jan 10:18:41 Active scan currently at: 33%
7.4G    /home/user/.ZAP/session
Thu 15 Jan 10:28:41 Active scan currently at: 33%
8.0G    /home/user/.ZAP/session
Thu 15 Jan 10:38:41 Active scan currently at: 35%
8.8G    /home/user/.ZAP/session
Thu 15 Jan 10:48:41 Active scan currently at: 36%
9.8G    /home/user/.ZAP/session
Thu 15 Jan 10:58:41 Active scan currently at: 38%
9.8G    /home/user/.ZAP/session
Thu 15 Jan 11:08:42 Active scan currently at: 45%
11G     /home/user/.ZAP/session
Thu 15 Jan 11:18:42 Active scan currently at: 47%
12G     /home/user/.ZAP/session
Thu 15 Jan 11:28:42 Active scan currently at: 47%
12G     /home/user/.ZAP/session
Thu 15 Jan 11:38:42 Active scan currently at: 54%
13G     /home/user/.ZAP/session
Thu 15 Jan 11:48:42 Active scan currently at: 59%
15G     /home/user/.ZAP/session
Thu 15 Jan 11:58:42 Active scan currently at: 100%
Thu 15 Jan 11:58:42 Scan finished.
Thu 15 Jan 11:58:42 Generating report.
Thu 15 Jan 11:58:43 stopping zaproxy.
Thu 15 Jan 11:58:53 zaproxy stopped.
Thu 15 Jan 11:58:53 Clean session directory
Thu 15 Jan 11:58:53 Remove home lock
Thu 15 Jan 11:58:53 Congrats, all done without errors.


Thu 15 Jan 11:59:44 Started active scan number 0.
Thu 15 Jan 11:59:44 Active scan currently at: 0%
11M     /home/user/.ZAP/session
Thu 15 Jan 12:09:44 Active scan currently at: 2%
60M     /home/user/.ZAP/session
Thu 15 Jan 12:19:44 Active scan currently at: 4%
19M     /home/user/.ZAP/session
Thu 15 Jan 12:29:44 Active scan currently at: 21%
8.1M    /home/user/.ZAP/session
Thu 15 Jan 12:39:45 Active scan currently at: 33%
18M     /home/user/.ZAP/session
Thu 15 Jan 12:49:45 Active scan currently at: 33%
15M     /home/user/.ZAP/session
Thu 15 Jan 12:59:45 Active scan currently at: 35%
66M     /home/user/.ZAP/session
Thu 15 Jan 13:09:45 Active scan currently at: 35%
892K    /home/user/.ZAP/session
Thu 15 Jan 13:19:45 Active scan currently at: 38%
61M     /home/user/.ZAP/session
Thu 15 Jan 13:29:45 Active scan currently at: 45%
86M     /home/user/.ZAP/session
Thu 15 Jan 13:39:46 Active scan currently at: 45%
100M    /home/user/.ZAP/session
Thu 15 Jan 13:49:46 Active scan currently at: 47%
71M     /home/user/.ZAP/session
Thu 15 Jan 13:59:46 Active scan currently at: 52%
47M     /home/user/.ZAP/session
Thu 15 Jan 14:09:46 Active scan currently at: 55%
2.7M    /home/user/.ZAP/session
Thu 15 Jan 14:19:46 Active scan currently at: 59%
82M     /home/user/.ZAP/session
Thu 15 Jan 14:29:46 Active scan currently at: 59%
84M     /home/user/.ZAP/session
Thu 15 Jan 14:39:47 Active scan currently at: 69%
99M     /home/user/.ZAP/session
Thu 15 Jan 14:43:47 Active scan currently at: 100%
Thu 15 Jan 14:43:47 Scan finished.
Thu 15 Jan 14:43:47 Generating report.
Thu 15 Jan 14:43:47 stopping zaproxy.
Thu 15 Jan 14:43:57 zaproxy stopped.
Thu 15 Jan 14:43:57 Clean session directory
Thu 15 Jan 14:43:57 Remove home lock
Thu 15 Jan 14:43:57 Congrats, all done without errors.


Thu 15 Jan 14:44:59 Started active scan number 0.
Thu 15 Jan 14:44:59 Active scan currently at: 0%
16M     /home/user/.ZAP/session
Thu 15 Jan 14:54:59 Active scan currently at: 2%
35M     /home/user/.ZAP/session
Thu 15 Jan 15:04:59 Active scan currently at: 2%
44M     /home/user/.ZAP/session
Thu 15 Jan 15:14:59 Active scan currently at: 4%
19M     /home/user/.ZAP/session
Thu 15 Jan 15:25:00 Active scan currently at: 19%
87M     /home/user/.ZAP/session
Thu 15 Jan 15:35:00 Active scan currently at: 19%
54M     /home/user/.ZAP/session
Thu 15 Jan 15:45:00 Active scan currently at: 23%
38M     /home/user/.ZAP/session
Thu 15 Jan 15:55:00 Active scan currently at: 31%
92M     /home/user/.ZAP/session
Thu 15 Jan 16:05:00 Active scan currently at: 33%
4.3M    /home/user/.ZAP/session
Thu 15 Jan 16:15:00 Active scan currently at: 33%
30M     /home/user/.ZAP/session
Out of database space, ZAP will effectively be unusable.
Out of database space, ZAP will effectively be unusable.
Out of database space, ZAP will effectively be unusable.
Shutting down ZAP due to space issues...
Shutting down ZAP due to space issues...
Shutting down ZAP due to space issues...



I will start another run now, and report here when those results are in, so that they can be compared.

regards,
Guno
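
An added example, not part of the post above and not ZAP code: a shell function that summarises a log in the format Guno posted, reporting for each run the peak session directory size, the scan progress at that point, and whether the run ended with the "Out of database space" message. The names summarize_runs and sample_log are this example's own, and the embedded excerpt is condensed from the second and third runs in the log above.

```shell
#!/usr/bin/env bash
# Added example, not from the thread; function names are this example's own.

summarize_runs() {
  awk '
    # du -h prints 892K, 6.2M, 15G: convert to KiB so sizes compare numerically.
    function kib(s,   i) {
      i = index("KMGT", substr(s, length(s)))       # 0 means plain bytes
      return (s + 0) * (i ? 1024 ^ (i - 1) : 1 / 1024)
    }
    function emit() {
      if (run) printf "run=%d peak=%s peak_at=%s last=%s result=%s\n",
                      run, peak, peak_at, pct, result
    }
    /Started active scan/ {                         # a new run begins
      emit(); run++; peak = "0"; peak_k = -1
      peak_at = pct = "0%"; result = "incomplete"
    }
    /Active scan currently at:/ { pct = $NF }       # progress line
    NF == 2 && $2 ~ /\/session$/ {                  # du line: SIZE PATH
      k = kib($1); if (k > peak_k) { peak_k = k; peak = $1; peak_at = pct }
    }
    /Scan finished/ { if (result == "incomplete") result = "finished" }
    /Out of database space/ { result = "db-space-error" }
    END { emit() }
  '
}

# Excerpt condensed from the second and third runs in the log above.
sample_log() {
  cat <<'EOF'
Thu 15 Jan 11:59:44 Started active scan number 0.
Thu 15 Jan 13:39:46 Active scan currently at: 45%
100M    /home/user/.ZAP/session
Thu 15 Jan 14:39:47 Active scan currently at: 69%
99M     /home/user/.ZAP/session
Thu 15 Jan 14:43:47 Active scan currently at: 100%
Thu 15 Jan 14:43:47 Scan finished.
Thu 15 Jan 14:44:59 Started active scan number 0.
Thu 15 Jan 15:55:00 Active scan currently at: 31%
92M     /home/user/.ZAP/session
Thu 15 Jan 16:15:00 Active scan currently at: 33%
30M     /home/user/.ZAP/session
Out of database space, ZAP will effectively be unusable.
EOF
}

sample_log | summarize_runs
```

To run it over a complete log, redirect the file into the function, for example `summarize_runs < scan.log`, where scan.log is a placeholder name.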

Simon Bennetts

Jan 16, 2026, 4:37:26 AM
to ZAP User Group
Hi Guno,

Try running ZAP with the command line option:
  • -config scanner.persistTemporaryMessages=false
That should reduce the disk space usage.

Cheers,

Simon