java.lang.OutOfMemoryError: Java heap space


Jyothsna L

Dec 17, 2019, 6:00:51 PM
to OWASP ZAP User Group


Hi,
I am running the Docker weekly version: zap-D-2019-12-16

While AJAX spidering, it keeps getting heap out of memory errors.
Is there a way to get a report of the scanning done until now by restoring the data?

The scan is using 499M. How can I increase the memory?

cat zap.out

Found Java version 1.8.0_222
Available memory: 1998 MB
Using JVM args: -Xmx499m

453862 [ZAP-PassiveScanner] WARN org.zaproxy.zap.extension.pscan.PassiveScanThread  - Passive Scan rule html_mailto took 11 seconds to scan https://xyz/polymer/shared_bundle_1.html?v=0.5.16 text/html;charset=utf-8 985688
515471 [ZAP-PassiveScanner] WARN org.zaproxy.zap.extension.pscan.PassiveScanThread  - Passive Scan rule html_mailto took 57 seconds to scan https://xyz /static/js/main.a1d6d75c.js?v=_ application/javascript; charset=utf-8 3557518
1242036 [ZAP-ProxyThread-789] ERROR org.zaproxy.zap.ZAP$UncaughtExceptionLogger  - Exception in thread "ZAP-ProxyThread-789"
java.lang.OutOfMemoryError: Java heap space
1253266 [ZAP-PassiveScanner] WARN org.zaproxy.zap.extension.pscan.PassiveScanThread  - Passive Scan rule Information Disclosure - Suspicious Comments took 8 seconds to scan https://xyz/resources/js/jquery-ui-1.11.js?v=20.1.0.57 application/javascript; charset=utf-8 470794
1255036 [ZAP-ProxyThread-803] ERROR org.zaproxy.zap.ZAP$UncaughtExceptionLogger  - Exception in thread "ZAP-ProxyThread-803"
java.lang.OutOfMemoryError: Java heap space
1257624 [ZAP-PassiveScanner] ERROR org.zaproxy.zap.ZAP$UncaughtExceptionLogger  - Exception in thread "ZAP-PassiveScanner"
java.lang.OutOfMemoryError: Java heap space
1265426 [ZAP-ProxyThread-808] ERROR org.zaproxy.zap.ZAP$UncaughtExceptionLogger  - Exception in thread "ZAP-ProxyThread-808"
java.lang.OutOfMemoryError: Java heap space
1276774 [ZAP-ProxyThread-823] ERROR org.zaproxy.zap.ZAP$UncaughtExceptionLogger  - Exception in thread "ZAP-ProxyThread-823"
java.lang.OutOfMemoryError: Java heap space
1283440 [ZAP-ProxyThread-830] ERROR org.zaproxy.zap.ZAP$UncaughtExceptionLogger  - Exception in thread "ZAP-ProxyThread-830"
java.lang.OutOfMemoryError: Java heap space
1302778 [ZAP-ProxyThread-833] ERROR org.zaproxy.zap.ZAP$UncaughtExceptionLogger  - Exception in thread "ZAP-ProxyThread-833"
java.lang.OutOfMemoryError: Java heap space
1305252 [ZAP-ProxyThread-849] ERROR org.zaproxy.zap.ZAP$UncaughtExceptionLogger  - Exception in thread "ZAP-ProxyThread-849"
java.lang.OutOfMemoryError: Java heap space
1314113 [ZAP-ProxyThread-856] ERROR org.zaproxy.zap.ZAP$UncaughtExceptionLogger  - Exception in thread "ZAP-ProxyThread-856"
java.lang.OutOfMemoryError: Java heap space
1334714 [ZAP-ProxyThread-864] ERROR org.zaproxy.zap.ZAP$UncaughtExceptionLogger  - Exception in thread "ZAP-ProxyThread-864"
java.lang.OutOfMemoryError: Java heap space
1338925 [ZAP-ProxyThread-860] ERROR org.zaproxy.zap.ZAP$UncaughtExceptionLogger  - Exception in thread "ZAP-ProxyThread-860"
java.lang.OutOfMemoryError: Java heap space
1357911 [ZAP-ProxyThread-875] ERROR org.zaproxy.zap.ZAP$UncaughtExceptionLogger  - Exception in thread "ZAP-ProxyThread-875"
java.lang.OutOfMemoryError: Java heap space
1367176 [ZAP-ProxyThread-887] ERROR org.zaproxy.zap.ZAP$UncaughtExceptionLogger  - Exception in thread "ZAP-ProxyThread-887"
java.lang.OutOfMemoryError: Java heap space...

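An added triage script (not part of the thread and not ZAP's own code) that reads zap.out lines of the shape quoted above, totals the time each passive scan rule spent per response, counts OutOfMemoryError lines, and lists the rules worth reviewing or disabling before simply raising -Xmx. The sample log is constructed from the excerpt; the 5-second threshold is an assumption taken from the later post in this thread.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the zap.out excerpt above; not the real file.
SAMPLE_LOG = """\
453862 [ZAP-PassiveScanner] WARN org.zaproxy.zap.extension.pscan.PassiveScanThread  - Passive Scan rule html_mailto took 11 seconds to scan https://xyz/polymer/shared_bundle_1.html?v=0.5.16 text/html;charset=utf-8 985688
515471 [ZAP-PassiveScanner] WARN org.zaproxy.zap.extension.pscan.PassiveScanThread  - Passive Scan rule html_mailto took 57 seconds to scan https://xyz/static/js/main.a1d6d75c.js?v=_ application/javascript; charset=utf-8 3557518
1242036 [ZAP-ProxyThread-789] ERROR org.zaproxy.zap.ZAP$UncaughtExceptionLogger  - Exception in thread "ZAP-ProxyThread-789"
java.lang.OutOfMemoryError: Java heap space
1253266 [ZAP-PassiveScanner] WARN org.zaproxy.zap.extension.pscan.PassiveScanThread  - Passive Scan rule Information Disclosure - Suspicious Comments took 8 seconds to scan https://xyz/resources/js/jquery-ui-1.11.js?v=20.1.0.57 application/javascript; charset=utf-8 470794
1257624 [ZAP-PassiveScanner] ERROR org.zaproxy.zap.ZAP$UncaughtExceptionLogger  - Exception in thread "ZAP-PassiveScanner"
java.lang.OutOfMemoryError: Java heap space
"""

# Shape of the warning: "Passive Scan rule <name> took <n> seconds to scan <url> <content-type> <bytes>"
SLOW_RULE_RE = re.compile(r"Passive Scan rule (?P<rule>.+?) took (?P<secs>\d+) seconds to scan "
                          r"(?P<url>\S+) (?P<ctype>.+?) (?P<size>\d+)$")
OOM_RE = re.compile(r"java\.lang\.OutOfMemoryError")

def parse_slow_rules(log_text):
    """One dict per 'took N seconds' warning: rule name, seconds, URL, response size."""
    records = []
    for line in log_text.splitlines():
        m = SLOW_RULE_RE.search(line)
        if m:
            records.append({"rule": m["rule"], "secs": int(m["secs"]),
                            "url": m["url"], "size": int(m["size"])})
    return records

def summarize_by_rule(records):
    """Per rule: how many slow responses, total seconds spent, and the worst single response."""
    summary = defaultdict(lambda: {"count": 0, "total_secs": 0, "max_secs": 0})
    for r in records:
        s = summary[r["rule"]]
        s["count"] += 1
        s["total_secs"] += r["secs"]
        s["max_secs"] = max(s["max_secs"], r["secs"])
    return dict(summary)

def count_oom(log_text):
    """Number of OutOfMemoryError lines; any non-zero count means the run's results are incomplete."""
    return sum(1 for line in log_text.splitlines() if OOM_RE.search(line))

def rules_to_review(log_text, threshold_secs=5):
    """Rules whose worst response exceeded the threshold, most total time first."""
    summary = summarize_by_rule(parse_slow_rules(log_text))
    slow = [(rule, s) for rule, s in summary.items() if s["max_secs"] > threshold_secs]
    return [rule for rule, s in sorted(slow, key=lambda kv: -kv[1]["total_secs"])]
```

Run it against a real zap.out by passing the file contents to rules_to_review; the rule names it returns are the ones to disable (or report upstream, as the thread asks) before the next run.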

Peter Hauschulz

Dec 18, 2019, 4:15:33 AM
to OWASP ZAP User Group
Hi!

I am not actually sure what the best solution for Docker is here. I know you can set a higher number for the JVM args as it is started in the command line, but I am not sure if that applies to the Docker versions.

Is the application very large, or does it contain very large files? Or which passive rules do you have enabled?

Simon Bennetts

Dec 18, 2019, 4:18:15 AM
to OWASP ZAP User Group

Jyothsna L

Dec 18, 2019, 12:55:54 PM
to OWASP ZAP User Group
Yes, the application is large.
I am using the default passive rules.

I increased the memory to 1024 using the ZAP option -Xmx1024m and the scan has been running so far.

How do I know what the html_mailto scan rule does?

The passive scan rule below took almost 3 hrs to scan.

Passive Scan rule html_mailto took 10210 seconds to scan https://xyz/instance/xyz application/json;charset=utf-8 2025982

kingthorin+owaspzap

Dec 18, 2019, 4:56:34 PM
to OWASP ZAP User Group
That's a passive scan tag that looks for mailto hrefs to tag; if you aren't using the GUI, you should probably disable it.

Jyothsna L

Dec 19, 2019, 1:25:25 AM
to OWASP ZAP User Group
How do I disable passive scan tags? There isn't any API for it, it looks like.

Peter Hauschulz

Dec 19, 2019, 2:25:26 AM
to OWASP ZAP User Group
When you have ZAP running, point a browser at it and go to the following to see the endpoints you will probably need.

The first will list all enabled passive scan rules and their IDs, and the second will give you the option to disable a passive scan rule by ID.


kingthorin+owaspzap

Dec 19, 2019, 4:47:48 AM
to OWASP ZAP User Group
That's possible, I'll look in to it further today.

kingthorin+owaspzap

Dec 19, 2019, 11:59:39 AM
to OWASP ZAP User Group
I've added API endpoints to enable/disable all pscan tags: https://github.com/zaproxy/zaproxy/pull/5774

It'll be in the next weekly and the next release.

Jyothsna L

Dec 19, 2019, 1:05:10 PM
to OWASP ZAP User Group
Thank you!

kingthorin+owaspzap

Dec 20, 2019, 6:56:23 PM
to OWASP ZAP User Group
If anyone has a public test case for html_mailto (or any of the Tags) taking more than 5 sec, I have some other ideas for performance fixes so please let me know.

I can't seem to find one after 5 or 10 mins of browsing.

Jyothsna L

Dec 26, 2019, 6:45:50 PM
to OWASP ZAP User Group
Can we also add the Python hooks?

thc...@gmail.com

Dec 30, 2019, 11:54:56 AM
to zaprox...@googlegroups.com
(Adding here as well.)

The API clients will be updated once the new ZAP version is released.

In the meantime you can call the new APIs with the Python client the
following way:
zap._request_api(zap.base + 'pscan/action/disableAllTags')
zap._request_api(zap.base + 'pscan/action/enableAllTags')

Best regards.

Jyothsna L

Jan 9, 2020, 1:24:38 AM
to OWASP ZAP User Group
Thank you, this helps.
As I run zap2docker, the container is killed after the scan process is abruptly killed, say due to out of memory issues, without generating the report.

Is there a way to set the session location so that, if the scan runs out of memory, I can at least have the session DB to get the alerts it found until then?

zap.core.session_location gets the session location, but there is no option to set the session location.

Thanks,
--Jyothsna