ZAP GUI Crashing


Mewzer

Sep 8, 2021, 4:29:18 PM
to OWASP ZAP User Group
Hello,

The OWASP ZAP GUI crashes in the middle of an active scan for one of the websites I am testing. It seems to be when doing the DOM XSS rules.

How can I work out what might be causing this? Is there a ZAP error/crash log I can look at?

Thank you!

kingthorin+owaspzap

Sep 8, 2021, 5:03:16 PM
to OWASP ZAP User Group
Disable the dom xss add-on and see what happens.

You can also check zap.log in ZAP's home directory: https://www.zaproxy.org/faq/how-do-you-configure-zap-logging/

Mewzer

Sep 8, 2021, 5:33:22 PM
to OWASP ZAP User Group
Yes, if the DOM XSS add-on is disabled then the GUI does not crash.

I'll check the logs - thanks :-)

Mewzer

Sep 9, 2021, 4:09:26 AM
to OWASP ZAP User Group
I upped the logging level to DEBUG and managed to reproduce the crash. Couldn't see anything that interesting in the logs (sanitised below):

2021-09-08 23:42:05,552 [ZAP-PassiveScanner] DEBUG PassiveScanData - No Context found for: https://<an image>.jpg
2021-09-08 23:42:05,554 [ZAP-PassiveScanner] DEBUG PassiveScanData - No Context found for: https://<an image>.jpg
2021-09-08 23:42:05,577 [ZAP-PassiveScanner] DEBUG ExtensionAntiCSRF - Found 2 forms
2021-09-08 23:42:05,577 [ZAP-PassiveScanner] DEBUG ExtensionAntiCSRF - Found 1 inputs
2021-09-08 23:42:05,579 [ZAP-PassiveScanner] DEBUG ExtensionAntiCSRF - Found 11 inputs
2021-09-08 23:42:05,649 [ZAP-ProxyThread-20066] DEBUG ExtensionReplacer - Add in request header: User-Agent : <custom user agent>
2021-09-08 23:42:05,650 [ZAP-ProxyThread-20066] DEBUG HttpSessionsSite - No session tokens for: www.googletagmanager.com:443
2021-09-08 23:42:05,969 [ZAP-ProxyThread-20066] DEBUG ExtensionReplacer - Ignore request rule Custom user-agent
2021-09-08 23:42:06,237 [ZAP-ProxyThread-20057] DEBUG ExtensionReplacer - Ignore request rule Custom user-agent
2021-09-08 23:42:06,919 [ZAP-ProxyThread-20012] DEBUG ExtensionReplacer - Ignore request rule Custom user-agent

Perhaps Java crashed?

This is my version of Java:
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
openjdk version "11.0.11" 2021-04-20
OpenJDK Runtime Environment (build 11.0.11+9-post-Debian-1)
OpenJDK 64-Bit Server VM (build 11.0.11+9-post-Debian-1, mixed mode, sharing)

Any ideas? It would be great if I could run the DOM XSS scan rules.

Many thanks!

thc...@gmail.com

Sep 9, 2021, 6:00:36 AM
to zaprox...@googlegroups.com
What do you mean by crash?

Best regards.

Mewzer

Sep 9, 2021, 9:09:28 AM
to OWASP ZAP User Group
I left the ZAP GUI running overnight and it had disappeared / exited by the morning - so I assume it crashed.

If all works well, the GUI stays up on my screen.

thc...@gmail.com

Sep 9, 2021, 9:22:42 AM
to zaprox...@googlegroups.com
Sounds like it was killed rather than crashed.

A JVM crash normally leaves a log file with the details.
The ZAP log excerpt provided does not show anything wrong.

Best regards.

Mewzer

Sep 9, 2021, 10:51:05 AM
to OWASP ZAP User Group
OK - so why would it be killed? Perhaps the OS is killing it as it is running out of memory or something?

Any idea how I can work out how to stop it from being killed?

Mewzer

Sep 9, 2021, 11:03:07 AM
to OWASP ZAP User Group
Perhaps this would be useful? https://backdrift.org/oom-killer-how-to-create-oom-exclusions-in-linux

Stop the OOM killer from targeting the Zap process?

thc...@gmail.com

Sep 9, 2021, 11:16:51 AM
to zaprox...@googlegroups.com
Yes, worth checking that.

Best regards.

Mewzer

Sep 9, 2021, 11:22:15 AM
to OWASP ZAP User Group
Thank you!

I did sudo journalctl -xb and can see that the OOM killer did in fact run around the time that ZAP exited, so it was probably that!

I am running ZAP on a Kali Linux VM with 16GB of memory allocated to it though.

Will look into increasing the VM memory allocation and doing an OOM exclusion.

Mewzer

Sep 9, 2021, 2:44:27 PM
to OWASP ZAP User Group
Hmm, I increased the VM memory to 21GB and it happened again ...

sudo journalctl -xb

kernel: Out of memory: Killed process 1191 (java) total-vm:10426596kB, anon-rss:2107068kB, file-rss:0kB, shmem-rss:3076kB, UID:1000 pgtables:4944kB oom_score_adj:0
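
The two checks made in this thread, as an added shell example (my code, not ZAP project code and not from any poster): look for a HotSpot hs_err_pid*.log file, which a genuine JVM crash leaves in the JVM's working directory (or wherever -XX:ErrorFile points), and pull OOM-killer kills out of kernel log lines such as the journalctl output above. The sample journal lines are constructed, modelled on the line quoted above, with an unrelated kill added so the filter has something to exclude. Two caveats worth reading off that line: anon-rss is what the process actually held (about 2 GB for java here) while total-vm is only reserved address space; and -Xmx caps the Java heap only, so memory used by the browsers the DOM XSS rule drives through Selenium sits outside it, which is one reason a heap limit may not stop the kill. protect_from_oom is the oom_score_adj exclusion the linked article describes; it takes an optional proc root so it can be exercised against a fake tree. In real use it only moves the kill to another process rather than freeing memory.

```shell
#!/bin/sh
# Added example, not ZAP code: triage a "ZAP GUI disappeared" event.
#  1. A real JVM crash leaves hs_err_pid<PID>.log in the JVM's working dir.
#  2. An OOM-killer kill appears only in the kernel log as
#     "Out of memory: Killed process <pid> (<comm>) ... anon-rss:<n>kB ..."

# find_hs_err DIR: print HotSpot crash files directly under DIR (default: .).
find_hs_err() {
    dir=${1:-.}
    find "$dir" -maxdepth 1 -type f -name 'hs_err_pid*.log' 2>/dev/null | sort
}

# parse_oom_kills: read kernel/journal lines on stdin and print
# "<pid> <comm> <anon-rss-kB>" for every OOM-killer kill. anon-rss is the
# resident anonymous memory the victim held; total-vm is address space only.
parse_oom_kills() {
    awk '/Out of memory: Killed process/ {
        pid = ""; comm = ""; rss = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "process") { pid = $(i + 1); comm = $(i + 2) }
            if ($i ~ /^anon-rss:/) { rss = $i }
        }
        gsub(/[(),]/, "", comm)                # "(java)" -> "java"
        sub(/^anon-rss:/, "", rss); sub(/kB,?$/, "", rss)
        print pid, comm, rss
    }'
}

# oom_kills_of COMM: keep only kills of one command name, e.g. java.
oom_kills_of() {
    parse_oom_kills | awk -v c="$1" '$2 == c'
}

# protect_from_oom PID [PROC_ROOT]: write -1000 to oom_score_adj so the OOM
# killer never selects PID. Lowering the value needs CAP_SYS_RESOURCE (root).
# PROC_ROOT defaults to /proc; it is a parameter only so the function can be
# exercised against a fake proc tree.
protect_from_oom() {
    pid=$1
    proc=${2:-/proc}
    f="$proc/$pid/oom_score_adj"
    if ! echo -1000 > "$f" 2>/dev/null; then
        echo "cannot write $f (need root?)" >&2
        return 1
    fi
    cat "$f"
}

# Constructed sample (not captured output), modelled on the posted line.
SAMPLE_JOURNAL='Sep 09 14:40:01 kali systemd[1]: Started Session 3 of user kali.
Sep 09 14:40:01 kali kernel: Out of memory: Killed process 1191 (java) total-vm:10426596kB, anon-rss:2107068kB, file-rss:0kB, shmem-rss:3076kB, UID:1000 pgtables:4944kB oom_score_adj:0
Sep 09 15:02:17 kali kernel: Out of memory: Killed process 2042 (chromium) total-vm:1234567kB, anon-rss:512000kB, file-rss:0kB, shmem-rss:0kB, UID:1000 pgtables:1000kB oom_score_adj:300'

main() {
    echo "== HotSpot crash files in $(pwd) =="
    find_hs_err .
    echo "== OOM-killer kills of java in the constructed sample =="
    printf '%s\n' "$SAMPLE_JOURNAL" | oom_kills_of java
}

main
```

Against a live system the same functions run as `find_hs_err ~/.ZAP` (or whichever directory ZAP was started from) and `sudo journalctl -k -b | oom_kills_of java`; `sudo sh -c '. ./oomtriage.sh; protect_from_oom "$(pgrep -f zap)"'` applies the exclusion, assuming the script is saved under that name.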

thc...@gmail.com

Sep 10, 2021, 5:49:37 AM
to zaprox...@googlegroups.com
What if you limit the memory that ZAP can use?
https://www.zaproxy.org/docs/desktop/ui/dialogs/options/jvm/

Best regards.

Mewzer

Sep 10, 2021, 8:25:34 AM
to OWASP ZAP User Group
Thank you - will give that a go!

Mewzer

Sep 12, 2021, 4:13:49 AM
to OWASP ZAP User Group
Limiting the JVM memory didn't work, but I decided not to run ZAP in a VM and it all worked fine - thanks!

thc...@gmail.com

Sep 13, 2021, 5:35:32 AM
to zaprox...@googlegroups.com
Thanks for letting us know.

Best regards.