Time taken for zap scan


Ajay Aneja

Oct 9, 2024, 2:38:30 AM
to ZAP User Group
Hi,

We have been running the Zap Scan on our application (microservices APIs) via the gitlab pipeline. Off late the time taken for zap to complete has increased tremendously.

We need help to resolve this as we are unable to generate any VA reports for assessment of new APIs being offered.

The steps we take to execute the zap scan are as under:

1. We build our application docker images.
2. We start up the zap docker image.
3. Subsequently, we start the application in a separate minikube VM, configure the zap proxy details and run our FT regression test suite with the proxy enabled for zaproxy.
4. This allows zap to collect all the URLs. At present we have around 251 URLs that serve as end points.
5. After the URLs have been collected we run the active scan on these URLs.
6. It has been our observation that even after 20 hours only 33% of the scan is completed.

We have tried reducing the number of URLs to even 25 and then testing the scan, but even for the reduced number of URLs the time taken is the same.

We are running on the default policy. We have tried to reduce the technologies that are being tested, and we have also tried to increase the number of threads per host to 128, but to no avail.

Is there something we are missing or interpreting incorrectly? Also, if any further details are needed we can share them.

Please let us know, it is highly appreciated.

Thank you.

Simon Bennetts

Oct 9, 2024, 9:42:16 AM
to ZAP User Group
You will need to work out what is taking so long.

Cheers,

Simon

Ajay Aneja

Oct 24, 2024, 10:53:34 PM
to ZAP User Group
I notice that my session.data file is over 90 GB in size, while the scan is only 30% complete after about 48 hours. Could that be a factor in slowing down the scan?
Is there any way this can be reduced?

Simon Bennetts

Oct 25, 2024, 4:38:39 AM
to ZAP User Group
I would say that was a symptom rather than the cause :)
In addition to the link I shared earlier, also have a look at https://www.zaproxy.org/faq/how-can-you-speed-up-scans/

Cheers,

Simon
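Simon's advice to work out what is taking so long can be followed through ZAP's API, which the docker image exposes on the same port as the proxy. The script below is an added example, not code from this thread or from the ZAP project: it ranks active-scan rules by the time they have consumed using the /JSON/ascan/view/scanProgress/ view. The sample JSON is constructed, the field order inside each Plugin entry is assumed from that view's output, and zap_url and api_key are placeholders.

```python
import json
import urllib.parse
import urllib.request

# Constructed sample in the layout returned by ZAP's /JSON/ascan/view/scanProgress/.
# Assumed field order per Plugin entry: name, id, quality, status, timeInMs,
# requestCount, alertCount. Host names are interleaved with HostProcess dicts.
SAMPLE_PROGRESS = json.dumps({
    "scanProgress": [
        "http://api.example.test",
        {"HostProcess": [
            {"Plugin": ["Path Traversal", "6", "release", "Complete", "41200", "3120", "0"]},
            {"Plugin": ["SQL Injection", "40018", "release", "Running", "5400000", "98000", "2"]},
            {"Plugin": ["Cross Site Scripting (Reflected)", "40012", "release", "Complete",
                        "310000", "21000", "1"]},
            {"Plugin": ["Script Active Scan Rules", "50000", "release", "Skipped", "0", "0", "0"]},
        ]},
    ]
})


def rules_by_time(progress_json):
    """Return (name, id, status, seconds, requests) tuples, slowest rule first."""
    rows = []
    for entry in json.loads(progress_json).get("scanProgress", []):
        if not isinstance(entry, dict):
            continue  # skip the plain host-name strings
        for item in entry.get("HostProcess", []):
            p = item.get("Plugin")
            if not p or len(p) < 6:
                continue  # malformed or truncated entry, ignore it
            rows.append((p[0], p[1], p[3], int(p[4]) / 1000.0, int(p[5])))
    return sorted(rows, key=lambda r: r[3], reverse=True)


def fetch_progress(zap_url, api_key, scan_id=0):
    """Fetch the same JSON from a running ZAP (placeholder URL and key)."""
    q = urllib.parse.urlencode({"apikey": api_key, "scanId": scan_id})
    with urllib.request.urlopen(f"{zap_url}/JSON/ascan/view/scanProgress/?{q}") as r:
        return r.read().decode()


if __name__ == "__main__":
    # Replace SAMPLE_PROGRESS with fetch_progress("http://zap:8080", "<api-key>")
    # to inspect a live scan from the pipeline.
    for name, rule_id, status, secs, reqs in rules_by_time(SAMPLE_PROGRESS):
        print(f"{secs:10.1f}s {reqs:7d} req  {rule_id:>6}  {status:9}  {name}")
```

Polling this every few minutes shows which rule ids and request counts dominate the 20-hour runtime, which is the input the FAQ's policy tuning and data-driven node advice needs.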

Ajay Aneja

Oct 28, 2024, 1:02:56 AM
to ZAP User Group
Hi,
I have gone through the links that you have mentioned. One area I feel we can improve is the URL structuring and flagging as data nodes.

We run our regression tests with Zap in attack mode to collect all the URLs, so there are a lot of similar requests with error and success cases. This holds for POST, PUT, DELETE and GET methods. So similar URLs with different payloads are perhaps being treated as separate URLs.
Also, going through the documentation I am unable to figure out how to flag data nodes via curl. We are using the docker image to run the zap scan.
Any help will be much appreciated.

Thanks,