Bad performance and ZAP being very slow on forced browsing


chris perst

Aug 18, 2025, 9:06:38 AM
to ZAP User Group
Hi ZAP team,

I have a ZAP installation and a docker OWASP Juice Shop.
After running an AJAX spider and starting a forced browsing, the CPU usage goes up, but ZAP isn't really doing anything, or at least it seems so. After some minutes I stopped the forced browsing.

Lines of the log in debug mode:
2025-08-18 14:46:41,983 [ZAP-AjaxSpider] INFO  SpiderThread - Finished Crawljax: http://localhost:3000
2025-08-18 14:47:00,486 [Thread-108] INFO  Manager - Starting dir/file list based brute forcing
2025-08-18 14:51:06,504 [Thread-108] INFO  Manager - DirBuster Stopped
2025-08-18 14:51:07,504 [Thread-108] INFO  BruteForce - BruteForce: http://localhost:3000 finished


As you can see from the screenshot, ZAP does not seem to be very busy here.

Since there aren't any hints in the debug log, what can I do to troubleshoot this?
Chris

Bildschirmfoto_vom_2025-08-18_14-51-43.png

chris perst

Aug 18, 2025, 9:12:24 AM
to ZAP User Group
Forgot to add top:

top - 14:51:09 up  1:54,  1 user,  load average: 7,89, 6,06, 7,45  
Tasks: 488 gesamt,   1 laufend, 486 schlafend,   0 gestoppt,   1 Zombie
%CPU(s): 35,7 us,  0,5 sy,  0,0 ni, 63,7 id,  0,1 wa,  0,0 hi,  0,0 si,  0,0 st
MiB Spch :  47853,7 total,  31291,9 free,   8435,9 used,   8203,9 buff/cache
MiB Swap:   8192,0 total,   8192,0 free,      0,0 used.  39417,9 avail Spch

    PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     ZEIT+ BEFEHL
  32155 chris     20   0   21,9g   3,2g  96404 S 559,1   7,0  35:34.19 java

chris perst

Aug 19, 2025, 9:57:49 AM
to ZAP User Group
If I run ZAP's forced browsing against a DVWA (docker install), this works. I get thousands of requests per second with 8 concurrent scans. Load average is about 1.
If I run dirb (common.txt wordlist, 4612 entries) against Juice Shop, this works. It lasts for 17 sec (no concurrent scans). Load average is about 1.
If I run dirb (ZAP's wordlist directory-list-1.0.txt) against Juice Shop, after about 14k trials Juice Shop throws an error: FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory. Load average is about 2.

If I run the 4612 list of words with ZAP I get the same behaviour, high load and low requests (about 1 to 4 per second).

Output of ZAP:
7531 [AWT-EventQueue-0] INFO  org.parosproxy.paros.control.Control - New Session
7535 [AWT-EventQueue-0] INFO  org.parosproxy.paros.control.Control - Create and Open Untitled Db
29468 [Thread-16] INFO  com.sittinglittleduck.DirBuster.Manager - Starting dir/file list based brute forcing
[Fatal Error] :1:1: Content is not allowed in prolog.
32629 [ZAP-IO-Server-1-2] WARN  org.zaproxy.addon.network.internal.server.http.handlers.HttpSenderHandler - Failed to read http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PZ2burw&sid=gvpGIlViu7TdRKojAAAC within 20 seconds, check to see if the site is available and if so consider adjusting ZAP's read time out in the Connection options panel.
[Fatal Error] :1:1: Content is not allowed in prolog.
[Fatal Error] :1:1: Content is not allowed in prolog.
[Fatal Error] :1:1: Content is not allowed in prolog.
92475 [Thread-16] INFO  com.sittinglittleduck.DirBuster.Manager - DirBuster Stopped
93476 [Thread-16] INFO  org.zaproxy.zap.extension.bruteforce.BruteForce - BruteForce: http://localhost:3000 finished

Since the
[Fatal Error] :1:1: Content is not allowed in prolog.
lines are still coming at a rate of about one per 10-20 sec, I guess this isn't the problem.
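
The thread never states the number the troubleshooting actually hinges on, the achieved request rate, because the ZAP log only records when the DirBuster phase starts and stops while the request count is shown in the GUI. The following helper is an added example, not code from ZAP or from anyone in this thread: it parses the two log line shapes quoted above (absolute `2025-08-18 14:47:00,486 [...]` timestamps and the `29468 [...]` millisecond offsets), skips lines that carry no timestamp such as the `[Fatal Error] ... Content is not allowed in prolog.` lines (Java XML parser output), measures the start-to-stop duration, counts read timeouts during the run, and turns a request count taken from the GUI into requests per second. The sample logs are constructed from the lines quoted in this thread; `requests_sent` is an assumed input you read off the Forced Browse tab.

```python
"""Summarise a ZAP Forced Browse run from its log lines (added troubleshooting helper, not part of ZAP)."""
import re
from datetime import datetime

# Constructed sample, assembled from the log lines quoted in this thread (absolute-timestamp format).
SAMPLE_LOG = """\
2025-08-18 14:46:41,983 [ZAP-AjaxSpider] INFO  SpiderThread - Finished Crawljax: http://localhost:3000
2025-08-18 14:47:00,486 [Thread-108] INFO  Manager - Starting dir/file list based brute forcing
[Fatal Error] :1:1: Content is not allowed in prolog.
2025-08-18 14:47:32,629 [ZAP-IO-Server-1-2] WARN  HttpSenderHandler - Failed to read http://localhost:3000/socket.io/?EIO=4&transport=polling within 20 seconds, check to see if the site is available and if so consider adjusting ZAP's read time out in the Connection options panel.
[Fatal Error] :1:1: Content is not allowed in prolog.
2025-08-18 14:51:06,504 [Thread-108] INFO  Manager - DirBuster Stopped
2025-08-18 14:51:07,504 [Thread-108] INFO  BruteForce - BruteForce: http://localhost:3000 finished
"""

# Constructed sample in the second format seen in the thread (milliseconds since JVM start).
SAMPLE_LOG_RELATIVE = """\
7531 [AWT-EventQueue-0] INFO  org.parosproxy.paros.control.Control - New Session
29468 [Thread-16] INFO  com.sittinglittleduck.DirBuster.Manager - Starting dir/file list based brute forcing
[Fatal Error] :1:1: Content is not allowed in prolog.
92475 [Thread-16] INFO  com.sittinglittleduck.DirBuster.Manager - DirBuster Stopped
93476 [Thread-16] INFO  org.zaproxy.zap.extension.bruteforce.BruteForce - BruteForce: http://localhost:3000 finished
"""

# "2025-08-18 14:46:41,983 [thread] LEVEL  Logger - message"
ABS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(?P<thread>[^\]]+)\] "
    r"(?P<level>[A-Z]+)\s+(?P<logger>\S+) - (?P<msg>.*)$")
# "7531 [thread] LEVEL  Logger - message" (offset in ms since the JVM started)
REL_RE = re.compile(
    r"^(?P<ms>\d+) \[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+)\s+(?P<logger>\S+) - (?P<msg>.*)$")

START_MSG = "Starting dir/file list based brute forcing"
STOP_MSG = "DirBuster Stopped"


def parse_line(line):
    """Return (seconds, level, logger, msg), or None for lines without a timestamp."""
    m = ABS_RE.match(line)
    if m:
        t = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f").timestamp()
        return t, m["level"], m["logger"], m["msg"]
    m = REL_RE.match(line)
    if m:
        return int(m["ms"]) / 1000.0, m["level"], m["logger"], m["msg"]
    return None


def summarise(log_text, requests_sent=None):
    """Describe the first forced-browse phase in log_text.

    requests_sent is the request count shown in ZAP's Forced Browse tab (assumed
    input; the log itself does not record it). Only differences between
    timestamps matter, so both log formats give the same duration.
    """
    start = stop = None
    timeouts = 0       # "Failed to read ... within N seconds" warnings during the run
    untimed = 0        # lines with no timestamp, e.g. the "[Fatal Error]" XML parser lines
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parsed = parse_line(line)
        if parsed is None:
            untimed += 1
            continue
        t, level, _logger, msg = parsed
        running = start is not None and stop is None
        if msg.startswith(START_MSG) and start is None:
            start = t
        elif msg.startswith(STOP_MSG) and running:
            stop = t
        elif level == "WARN" and "Failed to read" in msg and running:
            timeouts += 1
    result = {"start": start, "stop": stop, "duration_s": None, "requests_per_s": None,
              "read_timeouts": timeouts, "untimed_lines": untimed}
    if start is not None and stop is not None:
        result["duration_s"] = round(stop - start, 3)
        if requests_sent:
            result["requests_per_s"] = round(requests_sent / (stop - start), 2)
    return result


if __name__ == "__main__":
    # 4612 is the size of the common.txt wordlist mentioned in the thread, used here as an assumed count.
    for name, text in (("absolute", SAMPLE_LOG), ("relative", SAMPLE_LOG_RELATIVE)):
        print(name, summarise(text, requests_sent=4612))
```

A run of 1 to 4 requests per second with a five-way CPU load, as reported above, is the combination that points at the scanner rather than the target; the same helper run against a healthy run (thousands of requests per second against DVWA) gives the baseline to compare with.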

Simon Bennetts

Aug 22, 2025, 10:32:00 AM
to ZAP User Group
Hiya Chris,

Thanks for reporting this.
We've had a look and found a performance issue in the original dirbuster code and are working on a fix.
With the initial fix we have in place it doesn't take long for ZAP to kill Juice Shop with a "JavaScript heap out of memory" error :D

Many thanks,

Simon

chris perst

Aug 22, 2025, 10:55:51 AM
to ZAP User Group
Thanks Simon. Great work,

Chris

psiinon

Aug 27, 2025, 1:18:02 PM
to zaprox...@googlegroups.com
Hi Chris

The Forced Browse add-on with the performance fix has just been released. 
Try it out and let us know how you get on!

Cheers,

Simon

ZAP Project leader

--
ZAP by Checkmarx: https://www.zaproxy.org/

chris perst

Aug 28, 2025, 3:24:23 AM
to ZAP User Group
Hi Simon,

Yes, it works.
Got several thousand requests in a few minutes. Tried with 8 parallel requests and got an avg. load of 4, which is fine. ZAP's default wordlist directory-list-1.0.txt should be done in roughly 1.5 hours (calculated from the progress bar).

Cheers,
Chris