intruxxer / zaproxy

Automatically exported from code.google.com/p/zaproxy

Interface frozen after spider on big site #48

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I wanted to run a spider on my full site, but the application froze before 
ending.
The site contains at least 500 pages, and on each page there are at least 10 
URLs (Page URL + Get parameters)

I am running the last version of Zaproxy on Windows + Java 1.6-23

I know that kind of bug description doesn't usually help debugging, so if you 
need me to run any other tests, give more details, ... do not hesitate.

BTW, I am wondering why not use a more up-to-date version of the libraries 
(like apache commons, HyperSQL, ...)?

Thank you,

Thomas P.

Original issue reported on code.google.com by piartt on 23 Jan 2011 at 3:06

GoogleCodeExporter commented 9 years ago
Hi Thomas,

Are there any errors in the ZAP log file (zap.log)? 
Did ZAP completely freeze, or was it just the spider tab?
The spider is mostly unchanged from the Paros code, so debugging it might be 
'interesting'.
We may have to add extra debug logging in ZAP.
If we have to go down this route would you be ok building ZAP from svn?
There are some instructions here: 
https://code.google.com/p/zaproxy/wiki/Building and I'll help with any problems 
you come across.

Many thanks,

Psiinon

Original comment by psii...@gmail.com on 24 Jan 2011 at 7:10

GoogleCodeExporter commented 9 years ago
Oh, and the libraries haven't been updated because we haven't got around to doing 
it ;)
I've raised Issue 49 to remind us to do so!

Thanks,

Psiinon

Original comment by psii...@gmail.com on 24 Jan 2011 at 7:16

GoogleCodeExporter commented 9 years ago
Hi, I built zaproxy using the last sources (trunk), and ran it.
Is there any kind of logging that I can already enable?

Thanks,

Thomas

Original comment by piartt on 5 Feb 2011 at 4:20

GoogleCodeExporter commented 9 years ago
Hi Thomas,

I'm afraid not - the original Paros code had very little debug
logging, and we haven't really touched the spider yet.
You could try adding some yourself, or I'll try and put some in when I
get a chance.

Original comment by psii...@gmail.com on 5 Feb 2011 at 5:21

GoogleCodeExporter commented 9 years ago
Hi Thomas,

Can you have another go with the latest version of ZAP (1.3.0) - this has some 
memory leak fixes in which may help solve or reduce the problems you've been 
seeing.

Many thanks,

Psiinon

Original comment by psii...@gmail.com on 7 Jun 2011 at 6:08

GoogleCodeExporter commented 9 years ago

Original comment by psii...@gmail.com on 6 Jul 2011 at 12:14

GoogleCodeExporter commented 9 years ago
1.4 candidate

Original comment by psii...@gmail.com on 17 Sep 2011 at 4:33

GoogleCodeExporter commented 9 years ago
I have found this too even with v1.3.4 running on 64bit Windows Server 2008, 
with 7.5GB memory and nothing else running.

After I began having this problem, I can no longer run ZAP on the machine at 
all. Have tried uninstalling and re-installing. Running the .EXE file doesn't 
raise any errors, but no UI appears. Nothing in any log, and nothing in Windows 
event logs. 

Another Java-based proxy does work on the machine.

Original comment by colin.wa...@owasp.org on 20 Feb 2012 at 5:28

GoogleCodeExporter commented 9 years ago
That's not good :(

Can you have a look in the log and see if any errors are reported?
It will be called zap.log and should be in the "OWASP ZAP" directory under your 
user directory.

Does Task Manager show any java processes running?

Many thanks

Original comment by psii...@gmail.com on 20 Feb 2012 at 5:33

GoogleCodeExporter commented 9 years ago
In zap.log, there is nothing recent (since it stopped working). The latest 
entries, predating the uninstall and re-install, are:

2012-01-27 09:23:29,643 INFO  HostProcess - start host http://***.com | TestInjectionOracleSQLEnumeration
2012-01-27 09:23:44,138 INFO  HostProcess - completed host/plugin http://***.com | TestInjectionOracleSQLEnumeration in 14.495s
2012-01-27 09:23:44,138 INFO  HostProcess - start host http://***.com | TestParameterTamper
2012-01-27 09:24:28,331 INFO  Scanner - scanner completed in 424.331s
2012-01-27 10:23:27,085 ERROR PassiveScanThread - Failed on record 1261 from History table
2012-01-27 10:58:57,214 INFO  MenuFileControl - OWASP ZAP 1.3.4 terminated.

javaw.exe appears briefly in the task manager processes list, and then 
disappears.

Running zap.bat from the command line gives:

---C:\Program Files (x86)\OWASP\Zed Attack Proxy>zap.bat

C:\Program Files (x86)\OWASP\Zed Attack Proxy>java -jar zap.jar org.zaproxy.zap.ZAP
[Fatal Error] config.xml:1:1: Premature end of file.
Unable to upgrade config file C:\Users\User\OWASP ZAP\config.xml C:\Users\user\OWASP ZAP\fuzzers (Access is denied)
java.io.FileNotFoundException: C:\Users\user\OWASP ZAP\fuzzers (Access is denied)
        at java.io.FileOutputStream.open(Native Method)
        at java.io.FileOutputStream.<init>(Unknown Source)
        at java.io.FileOutputStream.<init>(Unknown Source)
        at org.parosproxy.paros.model.FileCopier.copyLegacy(Unknown Source)
        at org.parosproxy.paros.model.FileCopier.copy(Unknown Source)
        at org.parosproxy.paros.Constant.initializeFilesAndDirectories(Unknown Source)
        at org.parosproxy.paros.Constant.<init>(Unknown Source)
        at org.parosproxy.paros.Constant.getInstance(Unknown Source)
        at org.zaproxy.zap.ZAP.main(Unknown Source)

C:\Program Files (x86)\OWASP\Zed Attack Proxy>
---------

Is it safe to delete the files in the session directory (under user>owasp zap), 
or maybe the whole of user>owasp zap?

Original comment by colin.wa...@owasp.org on 20 Feb 2012 at 7:55

GoogleCodeExporter commented 9 years ago
It looks like you've got a 'mixed' installation :)
The code you're running appears to be from svn rather than a clean 1.3.4 - the 
"fuzzers" directory is post 1.3.4.
You can try creating that directory manually - which should get over the 
immediate problem.
It's also safe to delete the whole 'OWASP ZAP' directory, you'll lose any 
config changes you've made but that will be it.
The alternative is going back to a clean 1.3.4.
However it shouldn't fail 'silently' in any case - I'll put a fix in for that.

Original comment by psii...@gmail.com on 21 Feb 2012 at 9:46

GoogleCodeExporter commented 9 years ago
I have unmixed my installation, deleting the whole directory, and ZAP has 
appeared again. Thank goodness. Maybe it was just a coincidence with the spider 
freezing. Thank you for the help.

Original comment by colin.wa...@owasp.org on 21 Feb 2012 at 6:59

GoogleCodeExporter commented 9 years ago
Marking this as Invalid to close it.
If anything like this occurs again please open a new issue.

Original comment by psii...@gmail.com on 28 Jan 2013 at 5:11

GoogleCodeExporter commented 9 years ago
Hi, I agree, it's not useful to keep those kinds of requests open.

Original comment by piartt on 28 Jan 2013 at 9:23