Ability to set passive/active scan requests rate limit per site


Alex M

Jul 13, 2016, 12:56:53 PM
to OWASP ZAP User Group
Hi there,

does anyone know if it's possible to set passive/active scan requests rate limit per site in ZAP (via API or UI)?

kingthorin+owaspzap

Jul 13, 2016, 2:20:32 PM
to OWASP ZAP User Group
You can limit threads and hosts scanned concurrently (active scan): https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsOptionsAscan

For passive, it's passive... i.e. analysis of traffic that passes through ZAP.

Alex M

Jul 13, 2016, 3:36:21 PM
to OWASP ZAP User Group
Yep, I saw the concurrency and delay settings for the active scan, but it's not exactly what I'm looking for. For example, when scanning APIs, sometimes you have a quota for requests sent per minute.
If a quota is, let's say, 60 requests per minute and ZAP exceeds this limit, the rest of the requests will simply be blocked by the API. Since this quota may vary among different APIs, it would make sense to have this setting per host.

kingthorin+owaspzap

Jul 13, 2016, 5:18:31 PM
to OWASP ZAP User Group
The only current way to tackle that would be setting it single-threaded and doing the math on the delay.

Alex M

Jul 13, 2016, 5:34:00 PM
to OWASP ZAP User Group
Should I submit a feature request? (:

kingthorin+owaspzap

Jul 13, 2016, 5:50:52 PM
to OWASP ZAP User Group

Simon Bennetts

Jul 14, 2016, 3:23:23 AM
to OWASP ZAP User Group
In theory this could be done via an HTTP Sender script.
Keep a count of the number of requests sent in one minute using a global variable. If the count for that minute (held in another global variable) exceeds the specified threshold then sleep until the minute changes.
Anyone fancy having a go at that?

Alex M

Jul 14, 2016, 5:57:30 AM
to OWASP ZAP User Group
This might work, but it's not really useful. Submitted a ticket here: https://github.com/zaproxy/zaproxy/issues/2679

Simon Bennetts

Jul 14, 2016, 6:04:40 AM
to OWASP ZAP User Group
Thanks for submitting the ticket.
Out of interest why do you think the script would not be useful?
The implementation could probably be very similar whether we implement this in the core, as an add-on or a script.

Alex M

Jul 14, 2016, 6:56:57 AM
to OWASP ZAP User Group
Is it possible to set a different rate limit per site this way? Updating the script manually each time before scanning another site is not suitable, especially for automation.

Simon Bennetts

Jul 14, 2016, 8:00:21 AM
to OWASP ZAP User Group
Ah ok, I was wondering if you were questioning the very brief algorithm I suggested ;)
If you have a fixed set of sites you could test which one is being accessed and apply the relevant limit in the script?
Definitely not ideal, I'm just trying to think of a quick-and-dirty solution that you could use now if you wanted to.
I agree that a per site limit that can be set via the UI and API would be a better solution, I'm just not sure when anyone will implement that...
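The two suggestions above (count requests per wall-clock minute in a global and sleep until the minute changes; branch on the host being accessed to apply a per-site limit) combine into one small limiter. The block below is an added example written for this thread, not code from the thread's participants or from the ZAP project. The hook names `sendingRequest`/`responseReceived` and `msg.getRequestHeader().getHostName()` are ZAP's HTTP Sender script API; the quota table, host names, `createRateLimiter`, `limitFor`, `countFor` and `sleepMs` are assumptions made here. The thread recommends keeping the counters in ZAP global variables (ZAP's `ScriptVars`); this version keeps them in a closure and takes an injectable clock and sleep so the algorithm runs and can be tested in plain Node without ZAP.

```javascript
// Per-host "N requests per minute" limiter in the shape of a ZAP HTTP Sender
// script. Added example; not code from the thread or from the ZAP project.
// The quota table and host names are constructed for illustration.

const LIMITS = {            // assumed quotas, requests per wall-clock minute
  'api.example.test': 60,
  'slow.example.test': 10,
};
const DEFAULT_LIMIT = 120;  // assumed quota for hosts not listed above

// Synchronous sleep for plain Node. Inside ZAP's Java-based script engine the
// equivalent would be java.lang.Thread.sleep(ms).
function sleepMs(ms) {
  Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, ms);
}

// Look up the quota for a host, falling back to the default.
function limitFor(host, limits, defaultLimit) {
  return Object.prototype.hasOwnProperty.call(limits, host) ? limits[host] : defaultLimit;
}

// Fixed-window limiter: one counter per host, keyed by the current minute.
// acquire(host) blocks until the request may be sent and returns how many
// milliseconds it slept (0 when the quota still had room).
function createRateLimiter(options) {
  const limits = options.limits || {};
  const defaultLimit = options.defaultLimit === undefined ? Infinity : options.defaultLimit;
  const now = options.now || (() => Date.now());   // injectable clock (ms)
  const sleep = options.sleep || sleepMs;          // injectable blocking sleep
  const windows = new Map();                       // host -> { minute, count }

  function acquire(host) {
    const limit = limitFor(host, limits, defaultLimit);
    let waited = 0;
    for (;;) {
      const t = now();
      const minute = Math.floor(t / 60000);
      let w = windows.get(host);
      if (!w || w.minute !== minute) {
        // New minute (or first request to this host): reset the counter.
        w = { minute: minute, count: 0 };
        windows.set(host, w);
      }
      if (w.count < limit) {
        w.count += 1;
        return waited;
      }
      // Quota for this minute exhausted: sleep until the minute changes, re-check.
      const ms = (minute + 1) * 60000 - t;
      sleep(ms);
      waited += ms;
    }
  }

  // How many requests have been counted for host in the current window.
  function countFor(host) {
    const w = windows.get(host);
    return w ? w.count : 0;
  }

  return { acquire: acquire, countFor: countFor };
}

// --- ZAP HTTP Sender hooks (function names and parameters are ZAP's) ---
const limiter = createRateLimiter({ limits: LIMITS, defaultLimit: DEFAULT_LIMIT });

function sendingRequest(msg, initiator, helper) {
  // Block here until the target host's per-minute quota has room.
  // getHostName() is ZAP's HttpRequestHeader API.
  return limiter.acquire(msg.getRequestHeader().getHostName());
}

function responseReceived(msg, initiator, helper) {
  // Nothing to do on the response side for a simple fixed-window limit.
}
```

Two caveats for anyone adapting this. A window aligned to wall-clock minutes can still let close to twice the quota through inside any sliding 60-second span (the end of one minute plus the start of the next), so if the API enforces a sliding window the limit should be set with some headroom. And the check-and-increment is not atomic: the active scanner calls `sendingRequest` from several threads, so either run the scan single-threaded as suggested earlier in the thread or guard the counter update with a lock.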

Alex M

Jul 14, 2016, 8:15:24 AM
to OWASP ZAP User Group
Understood. I'll try to play with a script, but I'm not an expert in this area yet. Hopefully, someone will eventually implement this feature in the app.