How to run ZAP on the OWASP benchmark


Gary Gilbreath

Jul 3, 2017, 1:48:51 PM
to OWASP ZAP User Group
I have attempted to run ZAP 2.6.0 against the OWASP benchmark (checked out from git as of 30 Jun 2017) but have been unsuccessful so far.

On Windows, ZAP completes its scan but only rates 5% on the scorecard, not the 20% I was expecting. I noticed that there are many Java stack traces generated in the benchmark while the scan is running. Also, the ZAP scan pauses for a long time at 69%, but it does eventually continue. This was on a machine with 32 GB of RAM with Java 1.8.0_131 64-bit installed.

On Red Hat 7.3, the scan gets to 69% and hangs. This was on a VM with 16 GB of RAM, also with Java 1.8.0_131. The benchmark console also shows a bunch of Java stack traces.

In both cases, ZAP and the benchmark were being run on the same machine. Also, I just did the Quick Start Attack; I didn't do any additional configuration.

Is there some special configuration required of ZAP to get it to score 20% on the benchmark?

Why does it hang at 69% on Linux?

Gary Gilbreath

Jul 3, 2017, 5:21:03 PM
to OWASP ZAP User Group
I ran it a second time on RHEL and this time it got past 69% and completed the entire scan. However, the scorecard was 8.02%. So, better than Windows, but still nowhere close to 20%.
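The percentages quoted in the two posts above are the Benchmark scorecard's overall score. As an added example (not from this thread, nor from the ZAP or OWASP Benchmark projects), the script below recomputes such a scorecard offline from an expected-results table and a list of tool findings, using the formula the Benchmark project documents for its overall score: true-positive rate minus false-positive rate. The CSV rows and the findings are constructed sample data, and the column layout of the expected-results file is an assumption; the point is that a low headline score can come from missed test cases just as much as from false positives, so the per-category TPR and FPR are what to read when a run lands at 5% or 8%.

```python
"""Recompute an OWASP-Benchmark-style scorecard offline.

Added example, not code from the thread or from the ZAP/Benchmark projects.
Scoring: the Benchmark project reports a tool's score as true-positive rate
minus false-positive rate (TPR - FPR). The expected-results rows and the
tool findings below are CONSTRUCTED sample data, not real Benchmark output.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the assumed layout of the Benchmark's expected-results
# file: test name, category, whether the case is a real vulnerability, CWE.
EXPECTED_CSV = """# test name, category, real vulnerability, cwe
BenchmarkTest00001, pathtraver, true, 22
BenchmarkTest00002, pathtraver, false, 22
BenchmarkTest00003, sqli, true, 89
BenchmarkTest00004, sqli, false, 89
BenchmarkTest00005, sqli, true, 89
BenchmarkTest00006, xss, true, 79
BenchmarkTest00007, xss, false, 79
BenchmarkTest00008, cmdi, true, 78
"""

# Constructed tool findings: (test name, CWE) pairs a scanner reported.
FINDINGS = [
    ("BenchmarkTest00003", 89),  # true positive
    ("BenchmarkTest00005", 89),  # true positive
    ("BenchmarkTest00006", 79),  # true positive
    ("BenchmarkTest00007", 79),  # false positive
    ("BenchmarkTest00001", 79),  # wrong CWE for a pathtraver case: not a match
]


@dataclass
class Case:
    name: str
    category: str
    real: bool
    cwe: int


def load_expected(text):
    """Parse the expected-results CSV; '#' lines are comments/header."""
    cases = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].lstrip().startswith("#"):
            continue
        name, category, real, cwe = (col.strip() for col in row)
        cases[name] = Case(name, category, real.lower() == "true", int(cwe))
    return cases


def score(cases, findings):
    """Return {category: (tpr, fpr, tpr - fpr)} plus an "overall" entry.

    A finding only counts for a test case when it names that case with the
    CWE the case expects; a finding with a different CWE is ignored.
    """
    reported = set(findings)
    counts = defaultdict(lambda: {"tp": 0, "fn": 0, "fp": 0, "tn": 0})
    for case in cases.values():
        found = (case.name, case.cwe) in reported
        for bucket in (case.category, "overall"):
            c = counts[bucket]
            if case.real:
                c["tp" if found else "fn"] += 1
            else:
                c["fp" if found else "tn"] += 1
    result = {}
    for bucket, c in counts.items():
        positives = c["tp"] + c["fn"]
        negatives = c["fp"] + c["tn"]
        tpr = c["tp"] / positives if positives else 0.0
        fpr = c["fp"] / negatives if negatives else 0.0
        result[bucket] = (tpr, fpr, tpr - fpr)
    return result


def format_scorecard(result):
    """Render the per-category rates as percentages, overall last."""
    lines = []
    for bucket in sorted(result, key=lambda b: (b == "overall", b)):
        tpr, fpr, sc = result[bucket]
        lines.append(f"{bucket:<12} TPR {tpr:6.1%}  FPR {fpr:6.1%}  score {sc:6.1%}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_scorecard(score(load_expected(EXPECTED_CSV), FINDINGS)))
```

With the constructed data the scanner finds three of five real issues (TPR 60%) and flags one of three safe cases (FPR 33%), which yields an overall score of about 27% even though the sqli category alone scores 100%; reading only the headline number would hide where the misses are.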

thc...@gmail.com

Jul 3, 2017, 5:30:34 PM
to zaprox...@googlegroups.com
Hi.

With which scanners and options are you running the active scanner? You
might need to enable a couple of input vectors and install some add-ons
to increase the score.

(I didn't try the latest OWASP Benchmark version/revision, so I'm not sure if
that makes a difference; it did in past versions.)

> Why does it hang at 69% on Linux?

Did the UI freeze? Could you provide more details? Without more details
(e.g. zap.log, a thread dump) it's hard to know.

Best regards.

Gary Gilbreath

Jul 3, 2017, 6:28:38 PM
to OWASP ZAP User Group
Thanks for the response.

I did a fresh install, entered the URL in the "URL to attack" field, then hit the "Attack" button. So, I ran defaults for everything.

On the Active Scan dialog's "Input Vectors" tab, only "URL Query String" and "POST Data" were checked in the "Injectable Targets" column. Everything in the "Built-in Input Vector handlers" column was checked.

I made no changes to the "Custom Vectors" tab.

On the "Technology" tab everything was checked.

I didn't change anything on the "Policy" tab either. Everything there was at the default settings.

I looked at the Add-ons listed in the Marketplace but none of them seemed like they'd increase the score.

Do you have any suggestions for Add-ons or scan options?