Zap scan got stuck at 56%


Abhishek Mathur

Jan 7, 2021, 5:43:36 AM
to OWASP ZAP User Group
We execute a ZAP scan on an EC2 instance for each of our releases, using the weekly ZAP Docker image. Earlier it was working fine for the same set of sites, but for the last month it has got stuck at 56%.
After our initial research we upgraded our Docker machine instances, but it was still stuck at around 56-57%.
Sometimes it runs fast and completes in only 70 minutes.
OS: Linux

Simon Bennetts

Jan 7, 2021, 6:34:25 AM
to OWASP ZAP User Group
What sort of scan are you running - baseline, API or full?
If it's a full scan then the first thing I'd try is to disable the DOM XSS active scan rule - we know this takes longer than the other rules.
Let us know how you get on - we will want to identify and then fix whatever is causing your problem.

Cheers,

Simon

Abhishek Mathur

Mar 9, 2021, 5:18:55 AM
to OWASP ZAP User Group
Hello Simon, as of now I am not sure which type of scan it is, but I believe there are two types of scanning and here we have used active scanning. Right now I have a few things I want to share with you; maybe they are useful for reaching a conclusion:

1. The scan always gets stuck during CST peak hours, while most of the time it executes successfully during off-peak hours (around 10:30 pm to 3:00 am, CST time zone).
2. As I already mentioned, we use the weekly ZAP Docker image. Do you think that could somehow have an impact? I have verified earlier that when the scan failed, it failed throughout the whole week.
3. I noticed a pattern: when the scan runs fast it takes only around 1 hour, while when it runs slow, each percent of the scan takes a long time, so it does not complete even in 4 hours and always gets stuck at 56%.

Thanks

Simon Bennetts

Mar 9, 2021, 5:24:20 AM
to OWASP ZAP User Group
Can you run the scans manually using the ZAP Desktop, just to help diagnose what's going on? That will make things much easier.
In any case, when the scan appears to get stuck check to see if the application is actually responding - it's not that unusual for ZAP to overload an application and cause it to hang...

Cheers,

Simon

Abhishek Mathur

Mar 9, 2021, 7:52:42 AM
to OWASP ZAP User Group
We run the ZAP scan through our GitLab pipelines. During testing through CI/CD we create an AWS environment on which it executes. I tried to increase the instance capacity, as I thought it was due to resource allocation, but that did not work.
So by default it runs through the pipelines; in case it fails, we also try to run the same job in off-peak hours.

Abhishek Mathur

Mar 9, 2021, 9:57:51 AM
to OWASP ZAP User Group
Hey Simon, waiting for your input.

kingthorin+owaspzap

Mar 9, 2021, 10:29:33 AM
to OWASP ZAP User Group
> Hey Simon, waiting for your input.

Welcome to Open Source. Being impatient with volunteers isn't exactly ingratiating.

Simon has suggested a number of things you haven't addressed.

1) Disable the DOM XSS rule.
2) Try running things manually via ZAP Desktop so you have greater visibility/insight.

Simon Bennetts

Mar 10, 2021, 5:00:43 AM
to OWASP ZAP User Group
Couldn't have put it better myself :P
If you hadn't noticed, we were very busy with ZAPCon, so lots of things had to take a back seat.
Even though you have to run your scans in GitLab pipelines you can still run them locally using the ZAP desktop to help you diagnose problems, so that would be the first thing I would do.
You also haven't told us how the jobs fail. Are any errors logged in the zap.log file https://www.zaproxy.org/faq/somethings-not-working-what-should-i-do/#check-the-log-file or do you get any other errors from the pipeline?

Abhishek Mathur

Mar 10, 2021, 5:33:49 AM
to OWASP ZAP User Group
Hi Simon, I am looking forward to diagnosing this with the ZAP GUI, and yes, I also joined the ZAPCon session; it was a wonderful and very informative session.

Abhishek Mathur

Mar 24, 2021, 7:25:05 AM
to OWASP ZAP User Group
Hello, I have tried running with the ZAP GUI and it runs without any error, but I am still getting the same error where the scan hangs at 56%. Please tell me how to disable the DOM XSS active scan rule?

kingthorin+owaspzap

Mar 24, 2021, 10:02:39 AM
to OWASP ZAP User Group
Just disable it in your scan policy like you would for any scan rule.

Abhishek Mathur

Mar 25, 2021, 9:31:16 AM
to OWASP ZAP User Group
I am using the weekly Docker image and run the ZAP scan from the command line.
One more thing: how do I create a DOM XSS rule / policy, so that I can use it in the ZAP GUI as well?

Simon Bennetts

Mar 25, 2021, 9:43:32 AM
to OWASP ZAP User Group
As the DOM XSS rule is in its own add-on you can just uninstall it.
That can be done from the command line using: "-addonuninstall domxss"
But for more information about scan policies see https://www.zaproxy.org/docs/desktop/start/features/scanpolicy/
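A diagnostic script for the stuck-scan symptom in this thread, added here as an example rather than code from ZAP or from either poster: it polls the active scan percentage through ZAP's API, flags a stall when the percentage stops moving, probes the target the way Simon suggests, and pulls the WARN/ERROR lines out of zap.log. The log excerpt is constructed, and the ZAP URL, API key and target URL are assumed inputs.

```python
"""Diagnose a ZAP active scan that seems stuck: is progress really frozen, and
is the target still responding? Added example, not ZAP's own code."""
import json
import re
import time
import urllib.error
import urllib.request

# Real ZAP API view: /JSON/ascan/view/status/ returns {"status": "<percent>"}.
def fetch_ascan_progress(zap_url, api_key, scan_id=0):
    req = urllib.request.Request(
        f"{zap_url}/JSON/ascan/view/status/?scanId={scan_id}",
        headers={"X-ZAP-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return int(json.load(resp)["status"])

def is_stalled(samples, stall_seconds):
    """samples: (unix_time, percent) pairs polled from fetch_ascan_progress.
    True when the percentage has not advanced for at least stall_seconds."""
    if len(samples) < 2:
        return False
    last_advance = samples[0][0]
    for (_, prev), (t, cur) in zip(samples, samples[1:]):
        if cur != prev:
            last_advance = t
    return samples[-1][0] - last_advance >= stall_seconds

def probe_target(url, timeout=10):
    """Simon's check: is the application itself still answering, and how slowly?
    Returns (responding, seconds_taken, http_status_or_None)."""
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return True, time.monotonic() - start, resp.status
    except urllib.error.HTTPError as e:        # 4xx/5xx still means "alive"
        return True, time.monotonic() - start, e.code
    except (urllib.error.URLError, OSError):   # timeout, refused, DNS failure
        return False, time.monotonic() - start, None

# Constructed zap.log excerpt; layout approximates ZAP's log4j pattern.
SAMPLE_ZAP_LOG = """\
2021-03-24 10:02:39,001 [ZAP-ActiveScanner-0] INFO  ActiveScan - 56%
2021-03-24 10:02:41,120 [ZAP-ActiveScanner-0] WARN  HttpSender - read timed out
2021-03-24 10:03:15,870 [ZAP-ActiveScanner-0] ERROR DomXss - WebDriver did not respond
"""
LOG_LINE = re.compile(r"^\S+ \S+ \[[^\]]+\] (WARN|ERROR) +(\S+) - (.*)$")

def log_problems(log_text):
    """(level, logger, message) for each WARN/ERROR line: read these first."""
    return [m.groups() for m in map(LOG_LINE.match, log_text.splitlines()) if m]
```

If a stall coincides with a slow or failed probe, the target is the bottleneck rather than ZAP; when running the weekly image through zap-full-scan.py, Simon's add-on removal can be passed through with its `-z "-addonuninstall domxss"` option.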