Zap Active Scanning Time


john mas

Jun 19, 2018, 9:38:52 AM
to OWASP ZAP User Group
Hi,

We are trying to use ZAP to perform active scanning on products. We have set it up to run in daemon mode, then, per our needs, set it to attack mode; any request it gets is included in the context, since only the unit testing is running through its proxy.

The dilemma here is knowing when ZAP is finished. I understand that setting it to attack mode means constant attacking rather than initiating a scan, so no progress or end time can exist; however, is there no way to measure it somehow?

Also, if there is no option, and considering the OOB settings we used, does it make sense to run 4000000 requests, or to run for more than an hour, for a mere 200 requests it got from the unit testing?

I've noticed in the log that there are plenty of connection issues sometimes. Does ZAP have a retry option? Maybe that causes things to run slower.

Any suggestions to track or improve our time are welcome.

Thanks!

Simon Bennetts

Jun 19, 2018, 9:57:29 AM
to OWASP ZAP User Group
Hi John,

The attack mode 'never finishes' is only true in that ZAP never knows if you are going to proxy another request through it.
If you know that you've finished proxying then you can just check the core 'attackModeQueue' via the API - once that's at zero the attacking has finished.

ZAP will inevitably submit many more requests than you did, as it has to perform a wide range of attacks.
However there are various ways you can speed up a ZAP scan - see this blog post: https://blog.mozilla.org/security/2013/07/10/how-to-speed-up-owasp-zap-scans/

Re the retries - you can change the ZAP connection timeout via the options (and therefore via the command line). Yes, ZAP can significantly slow down web apps :/

Cheers,

Simon
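
An added example of the check Simon describes, in Python (it is not from this thread or from the ZAP project): it reads core/view/attackModeQueue over the ZAP JSON API and treats attack mode as finished only once the count has stayed at zero for several consecutive polls, because ZAP can enqueue new nodes the moment another request is proxied through it. The daemon address, API key, poll interval and settle window are assumptions.

```python
import json
import time
import urllib.parse
import urllib.request

# Consecutive zero readings required before attack mode counts as idle. A single
# zero is not enough: a newly proxied request can refill the queue after it drains.
DEFAULT_SETTLE_POLLS = 5


def make_queue_reader(zap_url, api_key):
    """Read core/view/attackModeQueue from the ZAP JSON API at zap_url (assumed,
    e.g. http://127.0.0.1:8080), sending api_key as the 'apikey' parameter."""
    query = urllib.parse.urlencode({"apikey": api_key})
    url = f"{zap_url.rstrip('/')}/JSON/core/view/attackModeQueue/?{query}"

    def read():
        with urllib.request.urlopen(url, timeout=10) as resp:
            body = json.load(resp)
        # ZAP returns the count as a string, e.g. {"attackModeQueue": "0"}
        return int(body["attackModeQueue"])

    return read


def wait_for_attack_mode_idle(read_queue, settle_polls=DEFAULT_SETTLE_POLLS,
                              interval=2.0, max_wait=7200.0,
                              sleep=time.sleep, clock=time.monotonic):
    """Block until read_queue() has returned 0 on settle_polls consecutive polls.
    Returns the poll count; raises TimeoutError after max_wait seconds so an
    unattended job cannot hang on a queue that keeps refilling."""
    deadline = clock() + max_wait
    zeros = polls = 0
    while True:
        polls += 1
        size = read_queue()
        zeros = zeros + 1 if size == 0 else 0  # any activity resets the window
        if zeros >= settle_polls:
            return polls
        if clock() >= deadline:
            raise TimeoutError(f"attack mode queue still active after "
                               f"{max_wait:.0f}s (last size {size})")
        sleep(interval)


if __name__ == "__main__":  # assumed local daemon address and API key placeholder
    reader = make_queue_reader("http://127.0.0.1:8080", "CHANGE-ME-API-KEY")
    print("attack mode idle after", wait_for_attack_mode_idle(reader), "polls")
```

The read function is separate from the waiting logic so the settle window can be tuned, or driven from a recorded sequence of queue sizes, without a running daemon.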

john mas

Jun 19, 2018, 12:23:54 PM
to zaprox...@googlegroups.com
Thanks Simon

Regarding the attackModeQueue, first of all it's really fast, and second, there is no way of knowing when it's really done: it could be 0, then attack mode picks up another URL and rescans or something and it's back to some number, then 0 again, and the same repeats itself... :(
I read the post but I don't see many options to try.
I will try the timeout option and maybe lowering the threshold from the default, but I don't have a strong feeling it will be much help.

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/60749dba-ad5e-4ce8-8dcf-32bd8f3fda85%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

john mas

Jul 11, 2018, 12:51:25 PM
to zaprox...@googlegroups.com
OK, bringing this back up: I've gone through the blog post and other options and even tried to set threshold and level to low, but the average time on my scan is 2 hours.

What else can i do?

I've been going through the logs and there are lots of warnings on different test failures, such as:
WARN  CommandInjectionPlugin - Blind Command Injection vulnerability check failed for parameter [context] and payload [&timeout /T {0}] due to an I/O error
WARN  VariantJSONQuery - Failed to parse the request body: Input is invalid JSON; does not start with '{' or '[', c=-1
java.lang.IllegalArgumentException: Input is invalid JSON; does not start with '{' or '[', c=-1

Could this, or the mentioned timeout, be a reason for a long scan?

Any other suggestions to better debug this?

Looks like the two warnings above are 99% of all the warnings.
They are based off an UnknownHostException for a host that works just fine, but sometimes it doesn't for some reason; could it be a WAS configuration for the amount of requests?

kingthorin+owaspzap

Jul 11, 2018, 1:31:58 PM
to OWASP ZAP User Group
> They are based off an UnknownHostException for a host that works just fine, but sometimes it doesn't for some reason; could it be a WAS configuration for the amount of requests?

It "could" be, but we have no idea how your WAF(?) is configured. It "seems" more likely to be a networking or DNS issue. If you interact with the target while ZAP is scanning, is it responsive? Speedy? Slow? (Try every 15m or so throughout the 2h.)

The WARNs you listed are just that, warnings. They might explain some of the delay but shouldn't really be significant. Depending on the # of warnings you're seeing, you could disable those specific scan rules and see if it improves something, or perhaps there's a specific URL that you should be excluding? Looking at the two items you quoted, it seems some investigation might be necessary to discover what it is about the Command Injection your app doesn't like, and why for some requests JSON responses are malformed.

Have you analysed whether there's any redundant testing going on? e.g. would your app/context benefit from configuration of Structural Parameters or Data Driven Content?

john mas

Jul 12, 2018, 4:54:35 PM
to zaprox...@googlegroups.com
Thanks for the useful pointers.

It's an internal dev env, so no WAF. DNS could still be an issue, so I'm checking that lead and also playing with the scan rules.
The application itself is just APIs at this point, so we are only passing APIs through ZAP and nothing else.

Interesting point about the application structure; I wasn't aware of this. But since I'm only using the ZAP API to scan APIs, can I define my context as data driven via the API, or is it not supported?


john mas

Jul 17, 2018, 11:06:24 AM
to zaprox...@googlegroups.com
?

john mas

Jul 18, 2018, 11:18:52 AM
to zaprox...@googlegroups.com
I don't see it in the API list.

Is there no support for data driven on the API level?

Simon Bennetts

Jul 26, 2018, 3:36:17 AM
to OWASP ZAP User Group
You can import a context defined in a file - that's your best option right now.

john mas

Jul 27, 2018, 1:40:08 AM
to zaprox...@googlegroups.com
OK, but how do I create that context file? Is there some kind of template for that?

Simon Bennetts

Jul 27, 2018, 3:33:37 AM
to OWASP ZAP User Group
The best thing to do is create, configure and test your context using the ZAP desktop UI.
You can then export it using the 'Export Context...' button on the Sites tab and import that via the API.

john mas

Jul 30, 2018, 5:30:29 AM
to zaprox...@googlegroups.com