ZAP Plugin Spider scan Stuck at 99 percent?


ktpen...@gmail.com

Oct 25, 2018, 4:53:56 PM
to OWASP ZAP User Group
Hi,

I had configured the official OWASP ZAP Plugin job in Jenkins. The spider scan was going well until 99 percent, but it was stuck at 99% for 24 hours; the scan is not going to end and I am unable to fetch reports. It looks like there is a loop getting started before the spider scan ends.

Thanks in advance 
TARUN.K

hauschu...@gmail.com

Oct 26, 2018, 3:43:18 AM
to OWASP ZAP User Group
There are some existing issues that sound similar... Have you tried increasing the data cache size limit?


or

ktpen...@gmail.com

Oct 26, 2018, 1:40:26 PM
to OWASP ZAP User Group
Hi, 

I have already increased the datacache size limit to 100000 so that I have crossed exceptions, expecting same behaviour: stuck at 99%

Thanks 
TARUN.K

thc...@gmail.com

Oct 26, 2018, 1:53:56 PM
to zaprox...@googlegroups.com
Which ZAP version are you using?

It could also be: https://github.com/zaproxy/zaproxy/issues/4462

If you are able to consistently reproduce the issue I'd suggest enabling
ZAP's debug log for the spider/API and then provide an excerpt (job
output should have ZAP's log), to check what's going on.

To enable the log add the following lines to the log4j.properties file
located in ZAP's home dir. [1]

log4j.logger.org.zaproxy.zap.extension.api=DEBUG
log4j.logger.org.zaproxy.zap.extension.spider=DEBUG
log4j.logger.org.zaproxy.zap.spider=DEBUG



[1] https://github.com/zaproxy/zaproxy/wiki/FAQconfig

Best regards.

R Gyan

Oct 26, 2018, 2:54:25 PM
to OWASP ZAP User Group
I am having the same issue. Will let you know if resolved.

ktpen...@gmail.com

Oct 26, 2018, 3:46:52 PM
to OWASP ZAP User Group
Hi,

The ZAP version I am using is 2.7.0.

I have increased the cache data size to cross exceptions and added the debugger messages in log4j properties.

This is where it was rendering back to back in my Jenkins continuously.

<status>99</status>
[ZAP Jenkins Plugin] SPIDER SCAN STATUS [ 99% ]
1458908 [ZAP-ProxyThread-854] DEBUG org.zaproxy.zap.extension.api.API  - handleApiRequest http://zap/xml/core/view/numberOfAlerts/?baseurl=&apikey=ZAPROXY-PLUGIN&
1459349 [ZAP-ProxyThread-854] DEBUG org.zaproxy.zap.extension.api.API  - handleApiRequest returning: <?xml version="1.0" encoding="UTF-8" standalone="no"?><numberOfAlerts>2438</numberOfAlerts>

Thanks 
TARUN

thc...@gmail.com

Oct 26, 2018, 5:27:16 PM
to zaprox...@googlegroups.com
Could you provide the last spider related logging as well? (Some before
it started giving just 99%)

Does the same happen when using ZAP without the Jenkins plugin?

Best regards.

On 26/10/2018 20:46, ktpen...@gmail.com wrote:
> hi,
>
> Zap version am Using is 2.7.0
>
> I have increased cache data size to cross exceptions and added debugger
> message in log4j properties
>
> This is where it was rendering back to back in my jenkins Continuously.
>
> *<status>99</status>
> [ZAP Jenkins Plugin] SPIDER SCAN STATUS [ 99% ]
> 1458908 [ZAP-ProxyThread-854] DEBUG org.zaproxy.zap.extension.api.API - handleApiRequest http://zap/xml/core/view/numberOfAlerts/?baseurl=&apikey=ZAPROXY-PLUGIN& <http://zap/xml/core/view/numberOfAlerts/?baseurl=&apikey=ZAPROXY-PLUGIN&>
> 1459349 [ZAP-ProxyThread-854] DEBUG org.zaproxy.zap.extension.api.API - handleApiRequest returning: <?xml version="1.0" encoding="UTF-8" standalone="no"?><numberOfAlerts>2438</numberOfAlerts>*
>
>
> Thanks
>
> TARUN
>
>
> On Friday, October 26, 2018 at 10:53:56 AM UTC-7, thc202 wrote:
>>
>> Which ZAP version are you using?
>>
>> It could also be: https://github.com/zaproxy/zaproxy/issues/4462
>>
>> If you are able to consistently reproduce the issue I'd suggest enabling
>> ZAP's debug log for the spider/API and then provide an excerpt (job
>> output should have ZAP's log), to check what's going on.
>>
>> To enable the log add the following lines to the log4j.properties file
>> located in ZAP's home dir. [1]
>>
>> log4j.logger.org.zaproxy.zap.extension.api=DEBUG
>> log4j.logger.org.zaproxy.zap.extension.spider=DEBUG
>> log4j.logger.org.zaproxy.zap.spider=DEBUG
>>
>>
>>
>> [1] https://github.com/zaproxy/zaproxy/wiki/FAQconfig
>>
>> Best regards.
>>
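
Added example, not part of the original thread and not code from ZAP or the Jenkins plugin: a Python helper that reads job output in the format shown above, finds where the spider status stopped changing, and returns the last spider-logger lines before that point plus whether the spider kept logging afterwards. The logger prefixes and line shape come from the thread; the spider lines and thread names in SAMPLE are constructed.

```python
import re

# Logger prefixes enabled by the log4j.properties lines quoted in the thread.
SPIDER_LOGGERS = ("org.zaproxy.zap.extension.spider", "org.zaproxy.zap.spider")
# Line shape seen in the thread: "<ms> [<thread>] <LEVEL> <logger>  - <message>"
LOG_RE = re.compile(r"^(\d+) \[([^\]]+)\] (\w+) (\S+)\s+- (.*)$")
STATUS_RE = re.compile(r"SPIDER SCAN STATUS \[ (\d+)% \]")

def stall_report(lines, context=3):
    """Locate the final status plateau and the spider logging around it."""
    status, start, repeats = None, None, 0
    spider = []  # (line index, elapsed ms, raw line) for spider-logger lines
    for i, line in enumerate(lines):
        m = STATUS_RE.search(line)
        if m:
            value = int(m.group(1))
            if value != status:          # progress changed: new plateau begins
                status, start, repeats = value, i, 1
            else:
                repeats += 1
            continue
        m = LOG_RE.match(line)
        if m and m.group(4).startswith(SPIDER_LOGGERS):
            spider.append((i, int(m.group(1)), line))
    if start is None:
        return None                      # no status lines in this output
    before = [raw for i, _, raw in spider if i < start]
    return {
        "status": status,
        "repeats": repeats,
        "last_spider_before": before[-context:],
        # True: spider still logging while the status is flat; False: it went silent
        "spider_active_during_plateau": any(i > start for i, _, _ in spider),
        "last_spider_ms": spider[-1][1] if spider else None,
    }

# Constructed sample: spider lines and their thread names are made up for the demo.
SAMPLE = """\
[ZAP Jenkins Plugin] SPIDER SCAN STATUS [ 97% ]
1450100 [constructed-spider-1] DEBUG org.zaproxy.zap.spider.Spider  - (constructed message A)
1450900 [constructed-spider-2] DEBUG org.zaproxy.zap.spider.Spider  - (constructed message B)
[ZAP Jenkins Plugin] SPIDER SCAN STATUS [ 99% ]
1458908 [ZAP-ProxyThread-854] DEBUG org.zaproxy.zap.extension.api.API  - handleApiRequest http://zap/xml/core/view/numberOfAlerts/?baseurl=&apikey=ZAPROXY-PLUGIN&
[ZAP Jenkins Plugin] SPIDER SCAN STATUS [ 99% ]
1460002 [constructed-spider-1] DEBUG org.zaproxy.zap.spider.Spider  - (constructed message C)
[ZAP Jenkins Plugin] SPIDER SCAN STATUS [ 99% ]
""".splitlines()

if __name__ == "__main__":
    print(stall_report(SAMPLE))
```

A flat status with the spider still logging points at a crawl that keeps finding work; a flat status with no further spider lines points at a hang.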

ktpen...@gmail.com

Oct 26, 2018, 5:35:18 PM
to OWASP ZAP User Group
Hi,

I have decreased the depth to 1 or 2 instead of keeping it at 0 and re-initiated the scan. It's working fine for now; I am able to see only headers information as of now...

I think decreasing the depth is working well as of now; I can see the issue was resolved with depth as 1 or 2.

Thanks 
TARUN

thc...@gmail.com

Oct 27, 2018, 6:45:57 AM
to zaprox...@googlegroups.com
Would you mind trying the weekly release [1] with depth as 0? It would
be great to know if that issue was already fixed or not.

Also, could you provide more details of the site, does it have that many
pages/URLs? Are pages created while spidering?


[1] https://github.com/zaproxy/zaproxy/wiki/Downloads#zap-weekly

Best regards.

On 26/10/2018 22:35, ktpen...@gmail.com wrote:
> Hi,
>
> I have decreased the Depth to 1 or 2 instead of keeping it 0 and
> Re-Initiated the scan its working fine for now able to see only headers
> information As of now...
>
> i think Decreasing the Depth is working good as of now i can see issue was
> resolved when depth as 1 or 2
>
> Thanks
> TARUN
>
> On Friday, October 26, 2018 at 12:46:52 PM UTC-7, ktpen...@gmail.com wrote:
>>
>> hi,
>>
>> Zap version am Using is 2.7.0
>>
>> I have increased cache data size to cross exceptions and added debugger
>> message in log4j properties
>>
>> This is where it was rendering back to back in my jenkins Continuously.
>>
>> *<status>99</status>
>> [ZAP Jenkins Plugin] SPIDER SCAN STATUS [ 99% ]
>> 1458908 [ZAP-ProxyThread-854] DEBUG org.zaproxy.zap.extension.api.API - handleApiRequest http://zap/xml/core/view/numberOfAlerts/?baseurl=&apikey=ZAPROXY-PLUGIN& <http://zap/xml/core/view/numberOfAlerts/?baseurl=&apikey=ZAPROXY-PLUGIN&>
>> 1459349 [ZAP-ProxyThread-854] DEBUG org.zaproxy.zap.extension.api.API - handleApiRequest returning: <?xml version="1.0" encoding="UTF-8" standalone="no"?><numberOfAlerts>2438</numberOfAlerts>*