ZAP Active Scan stuck when importing openAPI file


Xiaofan Zhang

Jul 8, 2024, 10:06:17 AM
to ZAP User Group
Hi, I'm using ZAP for a DAST PoC. Before I import the OpenAPI setting files, ZAP works well; I can use either the Desktop UI or configure an Automation Framework plan and run it with Docker.

However, when I tried to integrate our OpenAPI setting into the configuration, I noticed the scan was stuck in the active scanner, literally on the first directory traversal job.

It sent 10000 requests in 8 hrs, and as the screenshot shows, it takes several minutes to send a single request.

ZAP-Active_Scan_Stuck_after_importing_OpenAPI-1.png

I checked my active scan settings: "delay when scanning" is set to 0, "max results to list" is set to 500, and there is no throttling on the server side. It worked perfectly before I imported the OpenAPI file.

I'm not sure why adding the OpenAPI config makes such a big difference, and I don't know how to progress while still integrating the API settings. I would appreciate it if you could help me with that.

Simon Bennetts

Jul 11, 2024, 5:06:47 AM
to ZAP User Group
Run the scan again, and then when ZAP slows down try to access the target app directly, e.g. via your browser.
Also try to access the target from the command line on the machine running ZAP, e.g. using curl.

There are a couple of possibilities that spring to mind:
  • The target app is overloaded and therefore responding really slowly
  • A network appliance is throttling ZAP
If either of those is happening then I would expect one or both of the manual requests you try to take a long time to run.
If they complete quickly then have a look in the zap.log file:
Are there any errors being logged?

Cheers,

Simon
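The two checks suggested in the reply above, timing a direct request from the machine running ZAP and looking for logged errors in zap.log, as an added shell helper that is not code from this thread or from the ZAP project. It assumes curl is installed; the target URL and the zap.log path are whatever you pass in.

```shell
#!/bin/sh
# Added triage helpers for the two checks from the reply above (not code from
# the thread or from ZAP). Assumes curl is installed and that you know where
# your ZAP home directory keeps zap.log.

# Time one direct request to the target from the machine running ZAP.
# Prints the status code and elapsed time; returns 1 when the request took
# longer than THRESHOLD seconds (default 2), i.e. the target or the network
# path is slow even with ZAP out of the loop.
probe_target() {
    url=$1
    threshold=${2:-2}
    # %{time_total} is curl's wall-clock time for the complete transfer.
    result=$(curl -s -o /dev/null --max-time 60 \
                  -w '%{http_code} %{time_total}' "$url") || result="000 60"
    code=${result% *}
    secs=${result#* }
    echo "$url -> HTTP $code in ${secs}s"
    # sh has no floating-point arithmetic, so compare in awk (exit 1 = slow).
    awk -v s="$secs" -v t="$threshold" 'BEGIN { exit (s > t) }'
}

# Count ERROR and WARN lines in zap.log; the matching lines go to stderr so
# the cause (read timeouts, connection resets, ...) is visible, and the count
# goes to stdout. Returns 2 if the file cannot be read.
zap_log_errors() {
    log=$1
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    n=$(grep -cE ' (ERROR|WARN) ' "$log" || true)
    [ "$n" -gt 0 ] && grep -E ' (ERROR|WARN) ' "$log" >&2
    echo "$n"
}

# Usage: sh zap_triage.sh https://target.example/api/ [/path/to/zap.log]
if [ "$#" -ge 1 ]; then
    probe_target "$1" || echo "direct request is slow: check the target or network first"
    [ -n "${2:-}" ] && echo "zap.log ERROR/WARN lines: $(zap_log_errors "$2")"
fi
```

Run it while the active scan is crawling so the direct request competes with ZAP's traffic, and compare the printed time with the per-request gap you see in ZAP.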