
ZAP full-scan "Cross Site Scripting (DOM Based)" slowness when headless


Dan Gravell

Feb 24, 2025, 4:57:03 PM
to ZAP User Group
I've been using ZAP inside Docker. Thank you for this excellent tool.

I first used ZAP with the webswing UI as documented here: https://www.zaproxy.org/docs/docker/webswing/ . When I run an active scan there it takes maybe an hour or so.

I created contexts and a config file to replicate the scan when running from the command line, so I can automate it.

When I run the zap-full-scan as documented at https://www.zaproxy.org/docs/docker/full-scan/ it starts fine, but "Cross Site Scripting (DOM Based)" is taking hours and hours on its own. It's currently just over 50% through after six hours.

The command I'm using is:

docker run -v $(pwd):/zap/wrk/:rw -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py -n tests/security/zap/Authentication-Test.context -c tests/security/zap/zap-casa-config.conf -t https://mysite.com -r zap-session/report.html -U te...@mysite.com -m 1

Authentication-Test.context is a context file created by the webswing UI.

zap-casa-config.conf is my config file for rule enablement. This is the default one generated by -g although I have also IGNOREd "XML External Entity Attack" because I found this to be slow in webswing.

Is there a way of finding out why this discrepancy exists?

Maybe it's the zap-full-scan that is working correctly, and when running under Webswing it wasn't running properly!

Dan
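One way to check what a zap-full-scan rule configuration file actually enables, and to compare two such files (say, the one used for the webswing run and the one used headless) so that a discrepancy like the one above can be ruled in or out. This is an added example, not code from the original post or from the ZAP project; it assumes the line layout written by -g as described in the comment, and the rule ids in the sample are constructed values.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout zap-full-scan.py -g writes (assumed here:
# "<rule id><TAB><IGNORE|WARN|FAIL><TAB>(<rule name> - Active/release)").
# Rule ids below are sample values; take the real ones from your generated file.
SAMPLE_CONF = """\
# zap-full-scan rule configuration file
# Change WARN to IGNORE to ignore alerts from a rule, or to FAIL to fail the scan
40012\tWARN\t(Cross Site Scripting (Reflected) - Active/release)
40026\tWARN\t(Cross Site Scripting (DOM Based) - Active/release)
90023\tIGNORE\t(XML External Entity Attack - Active/release)
"""

RULE_LINE = re.compile(r"^(\d+)\s+(IGNORE|WARN|FAIL)\s+\((.*)\)\s*$")


def parse_rule_config(text: str) -> Dict[str, Tuple[str, str]]:
    """Map rule id -> (action, rule name); comment and blank lines are skipped."""
    rules: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised config line: {line!r}")
        rule_id, action, desc = m.groups()
        # Drop the trailing " - Active/release" suffix to keep the rule name only.
        name = desc.rsplit(" - ", 1)[0]
        rules[rule_id] = (action, name)
    return rules


def active_rules(text: str) -> List[str]:
    """Names of rules the scan will actually run (everything not IGNOREd)."""
    return [name for _, (action, name) in sorted(parse_rule_config(text).items())
            if action != "IGNORE"]


def config_diff(text_a: str, text_b: str) -> Dict[str, Tuple[str, str]]:
    """Rules whose action differs between two files: id -> (action_a, action_b)."""
    a, b = parse_rule_config(text_a), parse_rule_config(text_b)
    diff: Dict[str, Tuple[str, str]] = {}
    for rule_id in sorted(set(a) | set(b)):
        act_a = a.get(rule_id, ("absent", ""))[0]
        act_b = b.get(rule_id, ("absent", ""))[0]
        if act_a != act_b:
            diff[rule_id] = (act_a, act_b)
    return diff


if __name__ == "__main__":
    print("active:", active_rules(SAMPLE_CONF))
    print("diff:", config_diff(SAMPLE_CONF, SAMPLE_CONF.replace("40026\tWARN", "40026\tIGNORE")))
```

Point the two functions at the real .conf files read from disk; a rule that is WARN in one and IGNORE in the other explains a very different scan duration before anything else needs investigating.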

Dan Kegel

Feb 24, 2025, 5:25:59 PM
to ZAP User Group
Might be worth checking whether docker is starved for cpu or ram.
(e.g. you could compare the output of top when running without docker to the output of top inside docker, though that can be a little tricky.)

Dan Gravell

Feb 25, 2025, 3:27:33 AM
to ZAP User Group
I'm running both methods via Docker though...

But it does feel a little starved of CPU when running...

Simon Bennetts

Mar 3, 2025, 7:32:21 AM
to ZAP User Group
FYI the DOM XSS scan rule works a bit differently to the other active scan rules.
Instead of making direct requests it launches browsers and uses those to make the requests.
This does mean it will take much longer and require more memory - browsers are resource hogs ;)

I'm surprised that the XML External Entity Attack rule runs slowly for you - this should only run against XML requests.
Is your app making a lot of those?

Cheers,

Simon

Dan Gravell

Mar 10, 2025, 10:54:18 AM
to ZAP User Group
Thanks for answering - sorry I only just saw this because the notification was spam filtered.

I guess I was surprised because of the difference with the DOM XSS rule between running it via webswing and running it headless (if that's the correct term for this setup).

How can I get a feel as to how long this "should" take? I think it only took about 20-30 mins in the webswing container (for that rule only). As I wrote before, it looks more like half a day when run from zap-full-scan.py.

We don't make many XML requests, no. You got me half wondering if I'm mixing these up, but looking at the config I don't think that's the case.

Dan

Simon Bennetts

Mar 17, 2025, 1:43:00 PM
to ZAP User Group
It's really difficult to tell, but 30 mins -> half a day is very surprising.
Have you checked the zap.log file for errors?

Cheers,

Simon

Dan Gravell

Mar 17, 2025, 1:53:04 PM
to ZAP User Group
Thanks, I'll try that.