Active Scan suddenly stalls: DomXssScanRule & scanner.HostProcess


Mark Schulze

Jan 7, 2026, 5:50:15 AM (3 days ago) Jan 7
to ZAP User Group
Hello,

I'm a first-time ZAP user and managed to create a context file for my local webapp, with a user login and deactivated rate limiting for this user, so ZAP can do whatever it wants.

I ran a regular spider and then an active scan. Before, I was running out of disk space, but then I started ZAP via the terminal with the -dir directive, so that problem was solved by letting it create the home folder on a bigger disk.

However, the active scan stalls at 37 % every time. Looking at the terminal, there are two typical messages coming in all the time, but very slowly.

I paste an excerpt here:

81124768 [Thread-31536] INFO  org.zaproxy.zap.extension.domxss.DomXssScanRule - Reaper thread starting
81159821 [ZAP-DomXssReaper] INFO org.zaproxy.zap.extension.domxss.DomXssScanRule - Reaper thread exiting 0
81304771 [ZAP-Scanner-0] WARN  org.parosproxy.paros.core.scanner.HostProcess - Failed to obtain the HTTP response for href [id=5408, type=0, URL=http://127.0.0.1:5005/tasks/43/evidence]: Timeout deadline: 180000 MILLISECONDS, actual: 180003 MILLISECONDS
81484793 [ZAP-Scanner-0] WARN  org.parosproxy.paros.core.scanner.HostProcess - Failed to obtain the HTTP response for href [id=5488, type=0, URL=http://127.0.0.1:5005/tasks/43/export]: Timeout deadline: 180000 MILLISECONDS, actual: 180007 MILLISECONDS
81484818 [Thread-31538] INFO  org.zaproxy.zap.extension.domxss.DomXssScanRule - Reaper thread starting
81519859 [ZAP-DomXssReaper] INFO  org.zaproxy.zap.extension.domxss.DomXssScanRule - Reaper thread exiting 0
81664838 [ZAP-Scanner-0] WARN  org.parosproxy.paros.core.scanner.HostProcess - Failed to obtain the HTTP response for href [id=5693, type=0, URL=http://127.0.0.1:5005/tasks/44/comments]: Timeout deadline: 180000 MILLISECONDS, actual: 180007 MILLISECONDS
81844889 [ZAP-Scanner-0] WARN  org.parosproxy.paros.core.scanner.HostProcess - Failed to obtain the HTTP response for href [id=5701, type=0, URL=http://127.0.0.1:5005/tasks/44/comments/86]: Timeout deadline: 180000 MILLISECONDS, actual: 180004 MILLISECONDS
82025001 [ZAP-Scanner-0] WARN  org.parosproxy.paros.core.scanner.HostProcess - Failed to obtain the HTTP response for href [id=5694, type=0, URL=http://127.0.0.1:5005/tasks/44/comments/87]: Timeout deadline: 180000 MILLISECONDS, actual: 180004 MILLISECONDS
82025039 [Thread-31541] INFO  org.zaproxy.zap.extension.domxss.DomXssScanRule - Reaper thread starting
82055092 [ZAP-DomXssReaper] INFO  org.zaproxy.zap.extension.domxss.DomXssScanRule - Reaper thread exiting 0
82205049 [ZAP-Scanner-0] WARN  org.parosproxy.paros.core.scanner.HostProcess - Failed to obtain the HTTP response for href [id=5702, type=0, URL=http://127.0.0.1:5005/tasks/44/evidence]: Timeout deadline: 180000 MILLISECONDS, actual: 180007 MILLISECONDS
82385335 [ZAP-Scanner-0] WARN  org.parosproxy.paros.core.scanner.HostProcess - Failed to obtain the HTTP response for href [id=5710, type=0, URL=http://127.0.0.1:5005/tasks/44/export]: Timeout deadline: 180000 MILLISECONDS, actual: 180005 MILLISECONDS
82385336 [Thread-31543] INFO  org.zaproxy.zap.extension.domxss.DomXssScanRule - Reaper thread starting
82420382 [ZAP-DomXssReaper] INFO  org.zaproxy.zap.extension.domxss.DomXssScanRule - Reaper thread exiting 0
82565719 [ZAP-Scanner-0] WARN  org.parosproxy.paros.core.scanner.HostProcess - Failed to obtain the HTTP response for href [id=5764, type=0, URL=http://127.0.0.1:5005/tasks/45/comments]: Timeout deadline: 180000 MILLISECONDS, actual: 180006 MILLISECONDS
82745723 [ZAP-Scanner-0] WARN  org.parosproxy.paros.core.scanner.HostProcess - Failed to obtain the HTTP response for href [id=5765, type=0, URL=http://127.0.0.1:5005/tasks/45/comments/88]: Timeout deadline: 180000 MILLISECONDS, actual: 180000 MILLISECONDS
82745745 [Thread-31546] INFO  org.zaproxy.zap.extension.domxss.DomXssScanRule - Reaper thread starting
82780782 [ZAP-DomXssReaper] INFO  org.zaproxy.zap.extension.domxss.DomXssScanRule - Reaper thread exiting 0
82925751 [ZAP-Scanner-0] WARN  org.parosproxy.paros.core.scanner.HostProcess - Failed to obtain the HTTP response for href [id=5676, type=0, URL=http://127.0.0.1:5005/tasks/45/evidence]: Timeout deadline: 180000 MILLISECONDS, actual: 180006 MILLISECONDS
83105756 [ZAP-Scanner-0] WARN  org.parosproxy.paros.core.scanner.HostProcess - Failed to obtain the HTTP response for href [id=5753, type=0, URL=http://127.0.0.1:5005/tasks/45/export]: Timeout deadline: 180000 MILLISECONDS, actual: 180005 MILLISECONDS
83105756 [Thread-31548] INFO  org.zaproxy.zap.extension.domxss.DomXssScanRule - Reaper thread starting
83140791 [ZAP-DomXssReaper] INFO  org.zaproxy.zap.extension.domxss.DomXssScanRule - Reaper thread exiting 0
83285804 [ZAP-Scanner-0] WARN  org.parosproxy.paros.core.scanner.HostProcess - Failed to obtain the HTTP response for href [id=4229, type=0, URL=http://127.0.0.1:5005/tasks/46/comments]: Timeout deadline: 180000 MILLISECONDS, actual: 180007 MILLISECONDS
83465813 [ZAP-Scanner-0] WARN  org.parosproxy.paros.core.scanner.HostProcess - Failed to obtain the HTTP response for href [id=4230, type=0, URL=http://127.0.0.1:5005/tasks/46/comments/89]: Timeout deadline: 180000 MILLISECONDS, actual: 180007 MILLISECONDS

This has been running for 10 hours now, only doing one route after the other.

Is there something I can do to let it run faster?

I'm on macOS 14.5 on Intel i7.

Thank you, 
Mark
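A small parser for the log shape in Mark's excerpt, added here as an example (it is not part of the thread or of ZAP). It assumes the leading number is the log4j relative timestamp in milliseconds, and uses a few lines from the excerpt as a constructed sample to show how much of the wall clock the scan spends waiting on the 180 s deadline:

```python
import re

# Constructed sample in the shape of the ZAP excerpt posted above; the leading
# number is taken to be the log4j relative timestamp in milliseconds (assumption).
SAMPLE_LOG = """\
81124768 [Thread-31536] INFO  org.zaproxy.zap.extension.domxss.DomXssScanRule - Reaper thread starting
81159821 [ZAP-DomXssReaper] INFO org.zaproxy.zap.extension.domxss.DomXssScanRule - Reaper thread exiting 0
81304771 [ZAP-Scanner-0] WARN  org.parosproxy.paros.core.scanner.HostProcess - Failed to obtain the HTTP response for href [id=5408, type=0, URL=http://127.0.0.1:5005/tasks/43/evidence]: Timeout deadline: 180000 MILLISECONDS, actual: 180003 MILLISECONDS
81484793 [ZAP-Scanner-0] WARN  org.parosproxy.paros.core.scanner.HostProcess - Failed to obtain the HTTP response for href [id=5488, type=0, URL=http://127.0.0.1:5005/tasks/43/export]: Timeout deadline: 180000 MILLISECONDS, actual: 180007 MILLISECONDS
81484818 [Thread-31538] INFO  org.zaproxy.zap.extension.domxss.DomXssScanRule - Reaper thread starting
81519859 [ZAP-DomXssReaper] INFO  org.zaproxy.zap.extension.domxss.DomXssScanRule - Reaper thread exiting 0
"""

TIMEOUT_RE = re.compile(
    r"^(?P<ts>\d+) \[(?P<thread>[^\]]+)\] WARN\s+\S*HostProcess - Failed to obtain "
    r"the HTTP response for href \[id=\d+, type=\d+, URL=(?P<url>[^\]]+)\]: "
    r"Timeout deadline: (?P<deadline>\d+) MILLISECONDS, actual: (?P<actual>\d+) MILLISECONDS$"
)
REAPER_RE = re.compile(
    r"^(?P<ts>\d+) \[[^\]]+\] INFO\s+\S*DomXssScanRule - Reaper thread (?P<event>starting|exiting \d+)$"
)


def summarize(log_text: str) -> dict:
    """Count href timeouts and DOM XSS reaper cycles and work out what share of
    the elapsed wall clock the scanner spent waiting on the request deadline."""
    timestamps, timed_out, reaper_starts = [], [], 0
    for line in log_text.splitlines():
        m = TIMEOUT_RE.match(line)
        if m:
            timestamps.append(int(m["ts"]))
            timed_out.append((m["thread"], m["url"], int(m["deadline"]), int(m["actual"])))
            continue
        m = REAPER_RE.match(line)
        if m:
            timestamps.append(int(m["ts"]))
            reaper_starts += m["event"] == "starting"
    wall_ms = max(timestamps) - min(timestamps) if timestamps else 0
    waited_ms = sum(actual for _, _, _, actual in timed_out)
    return {
        "timeouts": len(timed_out),
        "urls": [url for _, url, _, _ in timed_out],
        # a single scanner thread means hrefs are processed one after the other
        "scanner_threads": sorted({thread for thread, _, _, _ in timed_out}),
        "reaper_starts": reaper_starts,
        "wall_ms": wall_ms,
        "waited_ms": waited_ms,
        # close to 1.0 means the scan is doing little besides waiting for timeouts
        "wait_share": waited_ms / wall_ms if wall_ms else 0.0,
    }
```

Run it over a full zap.log to list every href that hit the deadline; a wait share near 1.0 on one scanner thread is the signature of the stall described in the post.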

Simon Bennetts

Jan 7, 2026, 12:00:20 PM (3 days ago) Jan 7
to ZAP User Group
Hiya Mark,

That's really strange - we've not seen that before.
Is the target app responding quickly, e.g. if you access it via another tool like curl from the same machine that ZAP is running on?
Could there be a WAF or similar that's rate limiting the connections?

Cheers,

Simon

Mark Schulze

Jan 7, 2026, 12:16:19 PM (3 days ago) Jan 7
to ZAP User Group
Hi Simon, thanks for the quick reply. 

I had an AI check this, and this is the response:

Summary for ZAP support

The Flask app responds correctly and quickly:

Test                                     Result
Single request                           ~2ms
50 sequential requests                   613ms (total)
Apache Bench (100 req, 10 concurrent)    489 req/s, 0 errors
With ZAP User-Agent                      ~2ms, HTTP 200

No rate limiting: ZAP User-Agent is recognized and exempt from rate limits.
No WAF or firewall: Server runs directly on localhost.

Possible causes for the ZAP problem:
- DOM XSS Scanner - The "Reaper thread" messages indicate that ZAP launches a browser (presumably headless) for DOM XSS testing, which may hang.
- Socket.IO/WebSocket - The app uses WebSockets for real-time features, which may confuse ZAP.
- ZAP connection pool exhaustion - With many parallel requests, ZAP could exhaust its own connections.

Recommendation for ZAP:
- Disable DOM XSS scanner or reduce timeout
- Exclude WebSocket endpoints (/socket.io/) from scans
- Configure ZAP with more threads/connections


Question: 

Should I see a browser window opening while running the test? 

Because I don't.

With Manual Explore it opens though.

Thx!

Simon Bennetts

Jan 9, 2026, 6:19:38 AM (yesterday) Jan 9
to ZAP User Group
Hiya,

By default the DOM-XSS rule will use "firefox-headless", so you will not see the browser.
However, you can change that (e.g. to "firefox") via Options / Rule Configuration / rules.domxss.browserid
You should then see Firefox open and will be able to see what it's doing.

If you can create a cut down version of your app which you can share and that still exhibits the same problem then we can try it out ...

Cheers,

Simon

Mark Schulze

Jan 9, 2026, 11:29:56 AM (yesterday) Jan 9
to ZAP User Group
Hi Simon,

I'm not sure what to strip out of the app, to be honest, and since it's a pretty standard Flask app, I think it would be reasonable to share it fully with demo data.

However, I'd rather send the link directly if possible. Can you share an e-mail address where I can send the link?

Thank you!
BR Mark

Mark Schulze

Jan 9, 2026, 7:41:57 PM (16 hours ago) Jan 9
to ZAP User Group
Hi Simon,

So I switched the browser to chrome instead of firefox-headless, and the test went through 100%.

Personally, my needs are covered now.
In case you'd still like to debug the error, I'd provide the app.

Best,
Mark