JVM option


Lia

Sep 29, 2023, 1:38:07 PM
to ZAP User Group
Hi there,

I would like to know what would be a good value to put in the JVM options?
I have tried -Xmx1024m by referring to https://www.zaproxy.org/docs/desktop/ui/dialogs/options/jvm/

But I am still getting the below error in zap.log file:

 [ZAP-IO-Server-1-15] ERROR MainServerHandler - An error occurred while notifying a handler:
java.lang.OutOfMemoryError: Java heap space


Attached is the info displayed in the ZAP GUI:

Thank you.
JVM options.PNG

Simon Bennetts

Oct 2, 2023, 3:07:11 AM
to ZAP User Group
If you start ZAP using the "zap.sh" command on Linux then that will try to choose a suitable default memory size: https://github.com/zaproxy/zaproxy/blob/v2.13.0/zap/src/main/dist/zap.sh#L87
If that doesn't work for you then try different values :)
That's the best advice we have right now.
Anyone else have any better recommendations?

Cheers,

Simon

Lia

Oct 2, 2023, 10:19:18 PM
to ZAP User Group
Hi Simon,

Thanks for the reply.

Yup, I tried inputting "-Xmx4096m"; after I ran the scan, I saw many exceptions similar to this:

[ZAP-ActiveScanner-3] WARN  CommandInjectionScanRule - Blind Command Injection vulnerability check failed for parameter [query] and payload [query'|timeout /T 15] due to an I/O error
org.zaproxy.addon.network.common.ZapSocketTimeoutException: Read timed out
  at sun.nio.ch.NioSocketImpl.timedRead(NioSocketImpl.java:278) ~[?:?]
  at sun.nio.ch.NioSocketImpl.implRead(NioSocketImpl.java:304) ~[?:?]
  at sun.nio.ch.NioSocketImpl.read(NioSocketImpl.java:346) ~[?:?]
  at sun.nio.ch.NioSocketImpl$1.read(NioSocketImpl.java:796) ~[?:?]
  at java.net.Socket$SocketInputStream.read(Socket.java:1099) ~[?:?]
  at sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:489) ~[?:?]
  at sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:483) ~[?:?]
  at sun.security.ssl.SSLSocketInputRecord.bytesInCompletePacket(SSLSocketInputRecord.java:70) ~[?:?]
  at sun.security.ssl.SSLSocketImpl.readApplicationRecord(SSLSocketImpl.java:1461) ~[?:?]
  at sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1066) ~[?:?]
  at org.apache.hc.core5.http.impl.io.SessionInputBufferImpl.fillBuffer(SessionInputBufferImpl.java:149) ~[?:?]
  at org.apache.hc.core5.http.impl.io.SessionInputBufferImpl.readLine(SessionInputBufferImpl.java:280) ~[?:?]
  at org.apache.hc.core5.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:247) ~[?:?]
  at org.apache.hc.core5.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:54) ~[?:?]
  at org.apache.hc.core5.http.impl.io.DefaultBHttpClientConnection.receiveResponseHeader(DefaultBHttpClientConnection.java:299) ~[?:?]
  at org.zaproxy.addon.network.internal.client.apachev5.ZapHttpRequestExecutor.execute(ZapHttpRequestExecutor.java:78) ~[?:?]
  at org.apache.hc.core5.http.impl.io.HttpRequestExecutor.execute(HttpRequestExecutor.java:218) ~[?:?]
  at org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager$InternalConnectionEndpoint.execute(PoolingHttpClientConnectionManager.java:712) ~[?:?]
  at org.apache.hc.client5.http.impl.classic.InternalExecRuntime.execute(InternalExecRuntime.java:216) ~[?:?]
  at org.apache.hc.client5.http.impl.classic.MainClientExec.execute(MainClientExec.java:116) ~[?:?]
  at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51) ~[?:?]
  at org.apache.hc.client5.http.impl.classic.ConnectExec.execute(ConnectExec.java:188) ~[?:?]
  at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51) ~[?:?]
  at org.apache.hc.client5.http.impl.classic.ZapProtocolExec.execute(ZapProtocolExec.java:178) ~[?:?]
  at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51) ~[?:?]
  at org.apache.hc.client5.http.impl.classic.ZapHttpRequestRetryExec.execute(ZapHttpRequestRetryExec.java:81) ~[?:?]
  at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51) ~[?:?]
  at org.apache.hc.client5.http.impl.classic.ZapInternalHttpClient.doExecute(ZapInternalHttpClient.java:173) ~[?:?]
  at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:245) ~[?:?]
  at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:188) ~[?:?]
  at org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache.sendImpl0(HttpSenderApache.java:481) ~[?:?]
  at org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache.sendImpl(HttpSenderApache.java:362) ~[?:?]
  at org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache.sendImpl(HttpSenderApache.java:116) ~[?:?]
  at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendRateLimited(BaseHttpSender.java:413) ~[?:?]
  at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendAuthenticated(BaseHttpSender.java:382) ~[?:?]
  at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendNoRedirections(BaseHttpSender.java:350) ~[?:?]
  at org.zaproxy.addon.network.internal.client.BaseHttpSender.send(BaseHttpSender.java:306) ~[?:?]
  at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendAndReceive(BaseHttpSender.java:277) ~[?:?]
  at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendAndReceive(BaseHttpSender.java:233) ~[?:?]
  at org.parosproxy.paros.network.HttpSender.sendImpl(HttpSender.java:524) ~[zap-2.13.0.jar:2.13.0]
  at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:356) ~[zap-2.13.0.jar:2.13.0]
  at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(AbstractPlugin.java:315) ~[zap-2.13.0.jar:2.13.0]
  at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(AbstractPlugin.java:252) ~[zap-2.13.0.jar:2.13.0]
  at org.zaproxy.zap.extension.ascanrules.CommandInjectionScanRule.lambda$testCommandInjection$0(CommandInjectionScanRule.java:616) ~[?:?]
  at org.zaproxy.zap.extension.ascanrules.timing.TimingUtils.checkTimingDependence(TimingUtils.java:87) ~[?:?]
  at org.zaproxy.zap.extension.ascanrules.CommandInjectionScanRule.testCommandInjection(CommandInjectionScanRule.java:625) ~[?:?]
  at org.zaproxy.zap.extension.ascanrules.CommandInjectionScanRule.scan(CommandInjectionScanRule.java:456) ~[?:?]
  at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(AbstractAppParamPlugin.java:207) ~[zap-2.13.0.jar:2.13.0]
  at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(AbstractAppParamPlugin.java:132) ~[zap-2.13.0.jar:2.13.0]
  at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(AbstractAppParamPlugin.java:92) ~[zap-2.13.0.jar:2.13.0]
  at org.parosproxy.paros.core.scanner.AbstractPlugin.run(AbstractPlugin.java:368) ~[zap-2.13.0.jar:2.13.0]
  at java.lang.Thread.run(Thread.java:1583) [?:?]

I noticed many of these exceptions were due to an I/O error and "Read timed out".

Hence, I would like to ask, is the JVM value I set related to these errors?
Another configuration change I made is to the database, where I set the database file cache size to 80 000 and the timeout to 180 secs.

Many thanks.

Simon Bennetts

Oct 3, 2023, 3:33:25 AM
to ZAP User Group
I think that the "Read timed out" warnings will have nothing to do with your JVM settings.
Note that those are warnings rather than errors - ZAP does lots of nasty things so warnings are not unusual.
Applications, WAFs and frameworks can all potentially detect "bad things" and choose to drop or ignore the requests.

If you are a pentester looking for interesting edge cases then you might want to investigate further.
Otherwise I'd ignore this sort of warning.

Cheers,

Simon

Lia

Oct 3, 2023, 6:06:06 AM
to ZAP User Group
Hey again,

I saw another warning message and want to check it with you:

[ZAP-IO-EventExecutor-4-6] WARN  MainServerHandler - Failed to write/forward the HTTP response to the client: java.io.IOException: An established connection was aborted by the software in your host machine

It is saying that the connection is aborted. Does this affect anything or is it just another "usual" warning message?

Thanks.

Simon Bennetts

Oct 3, 2023, 6:33:42 AM
to ZAP User Group
I think that's just another "usual" warning :)
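The thread boils down to one triage rule: the `ERROR` with `java.lang.OutOfMemoryError` is the only line that the JVM options can fix, while the `Read timed out` and `connection was aborted` lines are warnings that active scanning produces routinely. The script below is an added example, not code from the thread or from the ZAP project: it parses the zap.log layout inferred from the lines quoted above (`[thread] LEVEL Logger - message`, followed by exception and `at ...` lines), groups each record into a category, and reports which categories actually need action. The sample log is constructed for the example, the payload values are replaced with a placeholder, and the category rules and remediation text are my own heuristics rather than anything ZAP documents.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample modelled on the zap.log lines quoted in this thread
# (payloads replaced with a placeholder; stack trace shortened).
SAMPLE_LOG = """\
[ZAP-IO-Server-1-15] ERROR MainServerHandler - An error occurred while notifying a handler:
java.lang.OutOfMemoryError: Java heap space
[ZAP-ActiveScanner-3] WARN  CommandInjectionScanRule - Blind Command Injection vulnerability check failed for parameter [query] and payload [PLACEHOLDER] due to an I/O error
org.zaproxy.addon.network.common.ZapSocketTimeoutException: Read timed out
  at sun.nio.ch.NioSocketImpl.timedRead(NioSocketImpl.java:278) ~[?:?]
  at java.lang.Thread.run(Thread.java:1583) [?:?]
[ZAP-IO-EventExecutor-4-6] WARN  MainServerHandler - Failed to write/forward the HTTP response to the client: java.io.IOException: An established connection was aborted by the software in your host machine
[ZAP-ActiveScanner-7] WARN  CommandInjectionScanRule - Blind Command Injection vulnerability check failed for parameter [id] and payload [PLACEHOLDER] due to an I/O error
org.zaproxy.addon.network.common.ZapSocketTimeoutException: Read timed out
"""

# Header of a log record as seen in the quoted lines: [thread] LEVEL Logger - message
HEADER_RE = re.compile(
    r"^\[(?P<thread>[^\]]+)\]\s+(?P<level>[A-Z]+)\s+(?P<logger>\S+)\s+-\s+(?P<message>.*)$"
)


@dataclass
class LogRecord:
    thread: str
    level: str
    logger: str
    message: str
    detail: list = field(default_factory=list)  # exception and "at ..." lines that follow

    def text(self) -> str:
        return "\n".join([self.message, *self.detail])


def parse_zap_log(log_text: str) -> list:
    """Split the log into records; lines without a header belong to the previous record."""
    records = []
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append(LogRecord(m["thread"], m["level"], m["logger"], m["message"]))
        elif records:
            records[-1].detail.append(line.strip())
    return records


# Hypothetical categories (my own heuristics): actionable flag and a short explanation.
CATEGORIES = {
    "heap": (True, "JVM ran out of heap: raise -Xmx in the JVM options, or let zap.sh choose a size"),
    "timeout": (False, "target did not answer a scan request in time: expected noise for timing-based rules"),
    "client_abort": (False, "the client closed its side of the proxied connection: usually harmless"),
    "other": (False, "no known pattern matched: review manually"),
}


def classify(record: LogRecord) -> str:
    text = record.text()
    if "OutOfMemoryError" in text:
        return "heap"
    if "Read timed out" in text or "SocketTimeoutException" in text:
        return "timeout"
    if "connection was aborted" in text:
        return "client_abort"
    return "other"


def triage(log_text: str) -> dict:
    """Count records per category and list the remediations for actionable ones."""
    records = parse_zap_log(log_text)
    counts = Counter(classify(r) for r in records)
    actions = sorted(CATEGORIES[c][1] for c in counts if CATEGORIES[c][0])
    return {"records": len(records), "counts": dict(counts), "actions": actions}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for category, n in result["counts"].items():
        print(f"{category:13s} {n:3d}  {CATEGORIES[category][1]}")
    print("actions:", result["actions"] or "none")
```

Run it against a real zap.log by replacing `SAMPLE_LOG` with the file contents; the usual outcome on a scan like the one in the thread is dozens of `timeout` and `client_abort` records and, at most, a single `heap` action, which is the one worth changing the JVM options for.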