ZAP Performance


eoin.h...@fieldaware.com

Jul 10, 2015, 7:55:39 AM7/10/15
to zaprox...@googlegroups.com
Just wondering if there's something I'm missing about the performance of ZAP. As you can see from the screenshot I'm only able to get around 100 requests per minute. Other tools I've found don't really meet my needs but boast request rates in the region of hundreds per second. I notice from monitoring my processes that ZAP will send off a batch of requests over a few seconds. Then it will sit for up to 30 seconds, sometimes more, without doing anything while my app is idle. All this time ZAP is using upwards of 85-90% CPU. This is using the default scan policies and settings.

Any insight would be appreciated.
Screen Shot 2015-07-10 at 12.46.36.png

Simon Bennetts

Jul 10, 2015, 8:33:03 AM7/10/15
to zaprox...@googlegroups.com, eoin.h...@fieldaware.com
That's surprising, and definitely not normal :/
Are there any errors in the zap.log file? https://github.com/zaproxy/zaproxy/wiki/FAQconfig
The 30 second delay suggests to me that the ZAP requests might be timing out.
Can you access the application while the ZAP scan is running?
What happens if you resend one of the requests via ZAP?
I've seen cases where firewalls have rules to block known security tools like ZAP - such rules are usually easy to get around ;)

Cheers,

Simon

eoin.h...@fieldaware.com

Jul 10, 2015, 9:57:35 AM7/10/15
to zaprox...@googlegroups.com, eoin.h...@fieldaware.com
Hi Simon,

There are occasional timeout errors in the log but those are hidden amongst thousands of "User - Authenticating user:" logs. I can access the application while ZAP is running however it isn't as responsive as usual due to the load of the ZAP traffic. No firewalls to speak of either, this is a local ZAP scanning a local instance of the app.

Eoin

eoin.h...@fieldaware.com

Jul 13, 2015, 6:44:01 AM7/13/15
to zaprox...@googlegroups.com
Hi Simon,

Again just wondering if there's anything that can be done to determine the root cause of these issues. ZAP performing well is very important to us to be able to conduct security tests within the timeout limits of our CI system. I've seen spaces of about 3 minutes where not a single request is sent by ZAP. Is there any debug info I might be able to provide to help investigate this issue?

Eoin

Simon Bennetts

Jul 13, 2015, 6:54:01 AM7/13/15
to zaprox...@googlegroups.com, eoin.h...@fieldaware.com
Hi Eoin,

We have a general 'trouble shooting' FAQ: https://github.com/zaproxy/zaproxy/wiki/FAQhelp and one for setting logging (which can be done on a per class basis): https://github.com/zaproxy/zaproxy/wiki/FAQlogging
The other thing you can do is to open the scan progress dialog and see which tests are hanging - if it's the same ones each time then they could be the problem. You could then try running just those tests (via the advanced active scan options) and see if the problems are consistent - that always makes problems easier to resolve :)
Anyone else got any suggestions?

Cheers,

Simon

eoin.h...@fieldaware.com

Jul 13, 2015, 7:27:13 AM7/13/15
to zaprox...@googlegroups.com, eoin.h...@fieldaware.com
Hi, looking at the logs when using just 1 scanning thread shows 20 seconds between successful authentications and the timeouts that are happening. However this kind of waiting behaviour is also seen when using multiple scanning threads. Do all of the scanning threads block if there's a thread still waiting to timeout? Perhaps that's the behaviour I'm seeing here.
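An added helper, not from this thread or the ZAP project, for the kind of log triage discussed above: it parses zap.log lines (the line layout is an assumption; the sample log is constructed inline), filters out the "Authenticating user:" noise, and reports every silent gap together with the thread that was last active before it and the message that ended it, so you can check whether one thread's timeout coincides with the whole scanner going quiet.

```python
import re
from datetime import datetime

# Assumed zap.log layout: "timestamp [thread] LEVEL Logger - message".
# Adjust LINE_RE if your build writes a different log4j pattern.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \[(?P<thread>[^\]]+)\] "
    r"(?P<level>\w+)\s+(?P<logger>\S+) - (?P<msg>.*)$"
)
AUTH_NOISE = "Authenticating user:"
TIMEOUT_WORDS = ("timed out", "timeout")

# Constructed sample log; not taken from the thread or from a real zap.log.
SAMPLE_LOG = """\
2015-07-13 11:00:00,100 [ZAP-ActiveScanner-1] INFO  User - Authenticating user: eoin
2015-07-13 11:00:01,200 [ZAP-ActiveScanner-2] INFO  User - Authenticating user: eoin
2015-07-13 11:00:02,300 [ZAP-ActiveScanner-1] INFO  User - Authenticating user: eoin
2015-07-13 11:00:22,300 [ZAP-ActiveScanner-1] WARN  HttpSender - Read timed out
2015-07-13 11:00:22,400 [ZAP-ActiveScanner-2] INFO  User - Authenticating user: eoin
2015-07-13 11:00:23,000 [ZAP-ActiveScanner-1] INFO  User - Authenticating user: eoin
"""

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S,%f")
            events.append(d)
    return events

def summarize(text, min_gap_s=10):
    """Count auth noise and timeouts, and list stalls where no thread logged anything."""
    events = parse_log(text)
    noise = sum(1 for e in events if AUTH_NOISE in e["msg"])
    timeouts = [e for e in events if any(w in e["msg"].lower() for w in TIMEOUT_WORDS)]
    stalls = []
    for prev, cur in zip(events, events[1:]):
        gap = (cur["ts"] - prev["ts"]).total_seconds()
        if gap >= min_gap_s:
            # Every thread was silent for this long; record who spoke last and what
            # broke the silence. A timeout here points at that thread's request.
            stalls.append({"start": prev["ts"], "seconds": gap,
                           "last_thread": prev["thread"], "resumed_with": cur["msg"]})
    return {"lines": len(events), "auth_noise": noise,
            "timeouts": len(timeouts), "stalls": stalls}

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), default=str, indent=2))
```

Run it against a real zap.log with `summarize(open("zap.log").read())`; if every stall is preceded by the same thread and ends with a timeout, that request is the one to isolate via the scan progress dialog.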