ZAP active scan is taking way too long


Partha Pratim Dutta

Dec 10, 2022, 9:57:48 AM
to OWASP ZAP User Group
Hi,
I have recorded a passive script using ZAP 2.11.1 and then started the Active Scan using the ZAP Jenkins plugin.
However, after running up to 47%, the ZAP scan execution is now still stuck at 48% even after 12 hours, while trying to scan with the same rule.

[ZAP Jenkins Plugin] ACTIVE SCAN STATUS [ 48% ]
95407347 [HSQLDB Timer @72445aba] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - Checkpoint start
95407347 [HSQLDB Timer @72445aba] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - checkpointClose start
95407347 [HSQLDB Timer @72445aba] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - checkpointClose synched
95407347 [HSQLDB Timer @72445aba] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - checkpointClose script done
95407347 [HSQLDB Timer @72445aba] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit start
95407669 [HSQLDB Timer @72445aba] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit end
95407690 [HSQLDB Timer @72445aba] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - checkpointClose end
95407691 [HSQLDB Timer @72445aba] INFO hsqldb.db.HSQLDB379AF3DEBD.ENGINE - Checkpoint end - txts: 1609144165
95426414 [ZAP-ActiveScanner-1] WARN org.zaproxy.zap.extension.ascanrules.CommandInjectionScanRule - There is considerable lagging in connection response(s) which gives a standard deviation of 508.1704438473375ms on the sample set which is more than 500.0ms
[ZAP Jenkins Plugin] ALERTS COUNT [ 1934 ]
[ZAP Jenkins Plugin] MESSAGES COUNT [ 779858 ]

Could you please help me here and suggest how to overcome this?

regards,
Partha

kingthorin+owaspzap

Dec 10, 2022, 10:05:01 AM
to OWASP ZAP User Group
#1 Passive scan rules have no impact on active scanning; these are totally different things.
#2 If you have 1934 alerts and ~780,000 messages sent over 12 hours, you probably need to do something to optimize your scan.

Partha Pratim Dutta

Dec 11, 2022, 2:06:00 AM
to OWASP ZAP User Group
I cross-checked the optimization suggestions; they look good.
However, the active scan is still getting stuck at the same check, "org.zaproxy.zap.extension.ascanrules.CommandInjectionScanRule".

[ZAP Jenkins Plugin] ACTIVE SCAN STATUS [ 48% ]
[ZAP Jenkins Plugin] ALERTS COUNT [ 866 ]
[ZAP Jenkins Plugin] MESSAGES COUNT [ 167123 ]
51407637 [ZAP-ActiveScanner-0] WARN org.zaproxy.zap.extension.ascanrules.CommandInjectionScanRule - There is considerable lagging in connection response(s) which gives a standard deviation of 963.183066217227ms on the sample set which is more than 500.0ms

When I compared the logs of my last successful ZAP run, I didn't see the above check, CommandInjectionScanRule.
What does it mean when it says "There is considerable lagging in connection response(s) which gives a standard deviation of 963.183066217227ms on the sample set which is more than 500.0ms"?
How do I overcome that, and why does the scan keep checking the same thing again and again instead of moving out of this infinite loop? Is there a way to handle this from my side? Please suggest.

regards,
Partha

kingthorin+owaspzap

Dec 11, 2022, 6:53:51 AM
to OWASP ZAP User Group
As for skipping it, you can open the scan progress dialog and hit the skip button.
You can also create an Active Scan policy that simply excludes the rule.
