ashenchowthee / zaproxy

Automatically exported from code.google.com/p/zaproxy

Nothing works after update #1649

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Start ZAP
2. Try using it
3. Getting only a couple of ......

What is the expected output? What do you see instead?

After updating ZAP to the latest version yesterday, D-2015-05-25, and running a pen test that I had been waiting two weeks of downtime for, I get a 2 GB shitstorm of data; not only one plugin was running at the attack.
In the Active Scan tab, in the process window where normally all plugins are listed, there is nothing other than Time.
When that time slice is running, the active scanner crawls all URLs from that site and saves the whole shit locally; the session becomes bigger and bigger, the report is a 300 MB HTML file that no browser can read, the PDF export crashes, and so on and so on.

Two weeks of work for totally nothing.

I tried calling plugins manually and tried making only an active scan; same issue. Only the spider and crawler are working; the whole rest produces unusable data or does not run.

Proxy: same issue. Trying ZAP in proxy mode, loading of a site goes into timeout; stop the proxy and all works.

I don't know what has happened with the update I did before my test, but it is not usable and I lose so much time now that for me it would have been better to buy a pen test tool than to use open source here.

I can't upload anything of that session, all was so big (too big for uploading); if I can give you maybe a special log file, let me know what I should upload.

What version of the product are you using? On what operating system?

Mac OS X 10.10.3
ZAP D-2015-05-25

Please provide any additional information below.
I would give you the session files but they are too big and full of unusable things; I would paste the report but that report was over 300 MB.

best
Andre

Original issue reported on code.google.com by xee...@googlemail.com on 27 May 2015 at 8:21

GoogleCodeExporter commented 9 years ago
OK, first things first - the weekly releases are probably not the best ones to use for any testing that's really important to you - they are likely to be less stable than the full releases.
This is clearly stated on the downloads page:

"These are just intended for people who want to use all of the features we've added since the last 'full' release but don't want the hassle of building ZAP from the source code.
While we endeavor to ensure that weekly releases are robust, things may be broken or only partially implemented."

Secondly, if your scan is taking 2 weeks then you should re-evaluate what you're doing.
I wrote a blog post which may well help: 
https://blog.mozilla.org/security/2013/07/10/how-to-speed-up-owasp-zap-scans/
The automated tools are there to help you, but not to do your job for you.
If you run a commercial tool in the same way then you'll probably have similar problems - I know I did when I trialled a very expensive commercial tool a few years ago ;)
You should try to tune the automated scanning as per my blog post - if it is taking more than a few hours then you should look at what it's doing and see if you can tune it to be more effective.

Finally, have a look in the zap.log file and let us know what errors are reported - we have a FAQ explaining the steps you can take here: 
https://code.google.com/p/zaproxy/wiki/FAQhelp

Feel free to start a more general thread on the ZAP user group about how to use ZAP in this sort of situation.

Original comment by psii...@gmail.com on 27 May 2015 at 8:45

GoogleCodeExporter commented 9 years ago
Hi,
I used the update in Help; I am sure that in the info somewhere there is information about the not-stable status of the version.
Every time before, when I used ZAP, all worked, and yesterday night I got a nightmare with it ;-)
I downgraded to the latest official version from the website but the issues are the same here, many hangs if big websites are scanned; I killed ZAP today (the stable version) round about 10 times.

At the moment I think ZAP is a nice tool for specialists to scan small parts of a website and search in code, or for developers so they can check what they do.
But for pen tests of bigger online websites ZAP is not the right tool (now); maybe sometime it will be such a tool, but for now it is not.

A sample with the full version: start a session and after 3 hours try to save that to persistent, then you see ZAP is hanging. I mean scan a website where the session file becomes over 1 GB in size, not your own homepage.

I'm sure ZAP is a really cool tool for doing smaller things but for an automated pen test it is not stable enough.
And session files with 1 GB size are my smaller ones; mostly I get 2 GB and more.
We host over 200 web servers and many more vhosts, some of them are big shop systems.

My main problem is I can't be a beta tester for you on such live systems, and my private homepage was scanned a hundred times with ZAP without any issues.

I have here now over 5 GB of ZAP session log files (full of problems, hangs and other issues from last night) and so far I can upload that somewhere if someone will have a closer look at those files, but I can't do a rescan with ZAP; I need reports after scanning to solve some security issues that I do not get out of ZAP at this time.

Thanks for Answering

best

Andre

Original comment by xee...@googlemail.com on 27 May 2015 at 4:36

GoogleCodeExporter commented 9 years ago
Have you had a look at the blog post I linked to before?
https://blog.mozilla.org/security/2013/07/10/how-to-speed-up-owasp-zap-scans/
ZAP can scan very large sites, but it will need some tuning.
This is especially true for data driven sites where there are a very large number of 'pages' that are in fact the same code but different data from a db.
We are working on making ZAP much more scalable (http://zaproxy.blogspot.no/2015/05/zap-as-service-zaas.html) but even then tuning ZAP to understand your applications better will very likely make a significant difference to the time it takes to scan them.

Original comment by psii...@gmail.com on 28 May 2015 at 8:33

GoogleCodeExporter commented 9 years ago
Hi,
many thanks for that; I did not see it in the last post.
ZaaS looks very cool and is, I hope, much better for big sites.
I will give it a try when it is ready for testing.

My main problem with daemon mode is that ZAP goes slower and slower and sometimes it stops working.
A site with small to medium size is no problem and ZAP does a real good job here, but now I should test our main sites (big shop systems) and the normal simple attack without an active scan needs, with 20 threads per host (I test only one host), round about 7 hours for getting all pages.
After that I have some issues from the attack option, but what I really want is an active scan with full settings and a high policy.

I tried to put higher thread values and high profile settings but it was like in the post you sent me: these are data driven sites; we sell books and we sell many books here ;-)

I use now the latest stable version, not the weekly one, and get better results when I cut a big scan from the root of the site into some smaller ones, and will now try excluding the data driven page creation; I mean it is better checking the database behind it than the created content out of that database.

My real interest is having an eye on ZaaS ;-)

I try now scanning our web apps in smaller pieces and have a closer look at ZaaS development.

Many thanks for the whole information.

best

Andre

Original comment by xee...@googlemail.com on 28 May 2015 at 12:58

GoogleCodeExporter commented 9 years ago
So the key thing here is probably the data driven content.
If you have what I call 'non structural' (i.e. data) values in URLs then by default ZAP will be scanning the same underlying code many, many times.
Issue 1576 has been raised to make it easier to define such values.

Do you see the ZAP process growing in size?
If so, how big does it get?

ZaaS will definitely need to handle massive websites much better, and the plan is for these improvements to help the desktop version as well :)

Original comment by psii...@gmail.com on 29 May 2015 at 8:57

GoogleCodeExporter commented 9 years ago
Hi,

I now exclude the database PHP files and scan only the static content that is on the host when no database requests are made; that works much, much faster and session files are now 300 MB, not 2 GB.
300 MB is not fast to load and save, but I will try next to put a MySQL database behind ZAP; I have a MAMP Pro running here on my Mac and enough space.
Is there anywhere a to-do or FAQ on how a MySQL can be the backend for ZAP?

I checked my first runs against my last ones and here I see that ZAP has grabbed every database call and then scanned the created files and put them into the site tree. If I take a closer look at the site content, those created pages are only temporary; OK, the blocks of text and some other information from those pages are static and every time the same, but the whole rest is created when a query asks the database, maybe for a book.
In default scanning mode with only more threads I get a very big site tree with many pages that are not in the site; most content I get in the site tree is dynamically created pages where the whole page is every time the same but only the book picture and some book information are different.

I mean here it would be enough to scan the code that generates those pages once; it is every time the same code, the difference is the book titles or search words from the user who uses the site at that time.

But I learn ;-) ZAP on small to medium size sites works great in automatic mode and can be used for automated pen tests very well, but for bigger sites with much dynamic database driven content it is better to tweak ZAP exactly to that site; I think here is at this time with this version no other way.
It would be very cool if ZAP or ZaaS some time will be a one click solution for a first look, and go deeper if the first look gives some answers about holes in code or other issues in the site.

But I think that there is no chance to find out where dynamic content will be created; maybe a future release can stop creating dynamic content and give the user info and an option to exclude those pages for now, but I have no idea how ;-)

Many thanks for the tips.

best

Andre

Original comment by xee...@googlemail.com on 29 May 2015 at 9:44
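The two comments above describe the same problem from both sides: a site tree that explodes because 'non structural' (data) values such as book ids and search words make thousands of URLs that are served by the same handful of code paths. The following script is an added example, not ZAP's own code and not part of the original thread; it collapses a constructed list of spidered URLs to their structural shape using assumed rules (a regex whose first group marks the data part of a path, plus a set of data-carrying query parameters), so you can see how many URLs an untuned scan would hit per piece of server code.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of what a spider might collect from a book shop
# (illustrative only, not real data).
SPIDERED_URLS = [
    "https://shop.example/books/1234/the-hobbit",
    "https://shop.example/books/5678/dune",
    "https://shop.example/books/9012/neuromancer",
    "https://shop.example/search?q=tolkien&page=1",
    "https://shop.example/search?q=herbert&page=2",
    "https://shop.example/search?q=gibson&page=1",
    "https://shop.example/cart",
    "https://shop.example/static/about.html",
]

# Assumed rules (hypothetical, not a ZAP configuration format): each regex's
# first capture group marks the data-driven part of a path (book id + slug);
# query parameters listed here carry data, not structure.
PATH_RULES = [re.compile(r"^/books/(\d+/[^/]+)$")]
DATA_PARAMS = {"q", "page"}

def structural_key(url, path_rules=PATH_RULES, data_params=DATA_PARAMS):
    """Reduce a URL to the shape of the server code that serves it."""
    parts = urlsplit(url)
    path = parts.path
    for rule in path_rules:
        m = rule.search(path)
        if m:
            # Replace only the captured data span; keep the structural prefix.
            path = path[:m.start(1)] + "{data}" + path[m.end(1):]
            break
    # Data-carrying query values become placeholders; keys are sorted so that
    # parameter order does not create spurious distinct nodes.
    query = sorted(
        (k, "{data}" if k in data_params else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    )
    key = f"{parts.netloc}{path}"
    if query:
        key += "?" + "&".join(f"{k}={v}" for k, v in query)
    return key

def collapse_site_tree(urls):
    """Map spidered URLs onto structural nodes and count the URLs per node."""
    return Counter(structural_key(u) for u in urls)

if __name__ == "__main__":
    for node, n in collapse_site_tree(SPIDERED_URLS).most_common():
        print(f"{n:3d} URL(s) -> {node}")
```

Nodes with a high count are the ones an untuned active scan would attack over and over; they are the candidates for exclusion or for a rule that tells the scanner the value is data.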

GoogleCodeExporter commented 9 years ago
Hi,
I have a second heavy issue:

ZAP Error [javax.net.ssl.SSLHandshakeException]: Remote host closed connection during handshake

I read that ZAP should have fixed that issue since 2.1x; I use 2.4 but can't use HTTPS in proxy mode, but I need proxy mode for a closer look at some site pages.
The site does not offer me HTTP, I must use HTTPS; I tried some things I found in your FAQ or on Google but nothing works, every time the same issue with all HTTPS sites.

/usr/libexec/java_home -V gives me a 1.6 Java version.
I can't use ZAP with an HTTPS proxy; HTTP works well but for me it's not usable, all our sites are HTTPS sites.

Did I do something wrong, or can ZAP not handle HTTPS with Mac OS X?

best

Andre

Original comment by xee...@googlemail.com on 30 May 2015 at 11:24

GoogleCodeExporter commented 9 years ago
You should be using Java 7 instead of 6.
Re the handshake problem see: 
https://code.google.com/p/zaproxy/wiki/FAQsslHandshake

Original comment by psii...@gmail.com on 1 Jun 2015 at 1:44

GoogleCodeExporter commented 9 years ago
Hi,
thanks for the answer, I found out why this comes.
I use a proxy helper app (Mac proxy); if I use this app to switch the proxy on/off, the handshake error comes; when I use my network card settings for the proxy settings, all works fine.

best

Andre

Original comment by xee...@googlemail.com on 1 Jun 2015 at 1:47

GoogleCodeExporter commented 9 years ago
ZAP has been migrated to GitHub.

This issue will be on GitHub issues with the same ID: 
https://github.com/zaproxy/zaproxy/issues

Original comment by psii...@gmail.com on 5 Jun 2015 at 9:18