iriusrisk / bdd-security

BDD Automated Security Tests for Web Applications
http://www.continuumsecurity.net/bdd-intro.html
GNU Affero General Public License v3.0
559 stars, 178 forks

Read Time Out #37

Open lfatty opened 8 years ago

lfatty commented 8 years ago

Lately I noticed the following error when bdd-security is running, especially against a huge app/site:

```
10802624 [ZAP-ActiveScanner-1] WARN org.zaproxy.zap.extension.ascanrules.TestPathTraversal - Error scanning parameters for Path Traversal: Read timed out
[java] java.net.SocketTimeoutException: Read timed out
[java]     at java.net.SocketInputStream.socketRead0(Native Method)
[java]     at java.net.SocketInputStream.read(SocketInputStream.java:152)
[java]     at java.net.SocketInputStream.read(SocketInputStream.java:122)
[java]     at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
[java]     at java.io.BufferedInputStream.read(BufferedInputStream.java:254)
[java]     at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:78)
[java]     at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:106)
[java]     at org.apache.commons.httpclient.HttpConnection.readLine(HttpConnection.java:1116)
[java]     at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.readLine(MultiThreadedHttpConnectionManager.java:1413)
[java]     at org.apache.commons.httpclient.HttpMethodBase.readStatusLine(Unknown Source)
[java]     at org.zaproxy.zap.ZapGetMethod.readResponse(Unknown Source)
[java]     at org.apache.commons.httpclient.HttpMethodBase.execute(Unknown Source)
[java]     at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(Unknown Source)
[java]     at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(Unknown Source)
[java]     at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
[java]     at org.parosproxy.paros.network.HttpSender.executeMethod(Unknown Source)
[java]     at org.parosproxy.paros.network.HttpSender.runMethod(Unknown Source)
[java]     at org.parosproxy.paros.network.HttpSender.send(Unknown Source)
[java]     at org.parosproxy.paros.network.HttpSender.sendAuthenticated(Unknown Source)
[java]     at org.parosproxy.paros.network.HttpSender.sendAndReceive(Unknown Source)
[java]     at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
[java]     at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
[java]     at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
[java]     at org.zaproxy.zap.extension.ascanrules.TestPathTraversal.scan(TestPathTraversal.java:323)
[java]     at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(Unknown Source)
[java]     at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scanVariant(Unknown Source)
[java]     at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(Unknown Source)
[java]     at org.parosproxy.paros.core.scanner.AbstractPlugin.run(Unknown Source)
[java]     at java.lang.Thread.run(Thread.java:745)
```

iriusrisk commented 8 years ago

Looks like a ZAP error. You could try running the test through your own ZAP instance, and see whether you can change any timing parameters in the ZAP config, or view the URLs that are causing the timeout while it's doing the scan to see what the problem is.

lfatty commented 8 years ago

I think we need to increase "Timeout in seconds" according to the documentation below, because it will make it easier to test slow applications. I adjusted it on my ZAP instance and it seems to be running fine. Is there a way we could adjust it on the bdd-security ZAP?

https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsOptionsConnection#timeout-in-seconds

iriusrisk commented 8 years ago

Yes, will have to create a mechanism for passing ZAP options to the embedded instance.
A workaround is to start your own ZAP instance outside of the bdd-security run, and talk to that instead. Have created issue: https://github.com/continuumsecurity/bdd-security/issues/38 to describe this.

lfatty commented 8 years ago

We can fix it by increasing "Timeout in seconds" and then uploading the new zap folder which has the adjusted configuration. I am running bdd-security in headless mode with Jenkins integration, which means that it will be difficult for me to adjust it on my ZAP instance.

iriusrisk commented 8 years ago

You can edit all ZAP config items in the config.xml that exists in the zap folder, so there's no need to launch the GUI to make changes.
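The last comment suggests editing config.xml in the zap folder instead of the GUI. The script below is an added example of doing that from a Jenkins job, written by the editor; it is not code from bdd-security or from ZAP. It assumes that ZAP stores the "Timeout in seconds" option as `<config><connection><timeoutInSecs>` in config.xml (the key name `connection.timeoutInSecs` as I recall it from ZAP's ConnectionParam; verify against your ZAP version's file), and the sample XML embedded in it is a constructed fragment, not a real config.xml. It parses the file rather than regex-replacing it, creates the element if the file has never had the option set, and refuses non-positive values, which ZAP would not accept either.

```python
"""
Raise ZAP's connection timeout ("Timeout in seconds" in the Options > Connection
dialog) by editing config.xml directly, for headless bdd-security runs where the
GUI is not available.

Assumption: ZAP keeps the option at <config><connection><timeoutInSecs>.
Usage:  python set_zap_timeout.py zap/config.xml 120
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample of the relevant part of a ZAP config.xml (not a real file).
SAMPLE_CONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<config>
  <connection>
    <proxyChain>
      <enabled>false</enabled>
    </proxyChain>
    <timeoutInSecs>20</timeoutInSecs>
  </connection>
</config>
"""

XML_DECLARATION = '<?xml version="1.0" encoding="UTF-8"?>\n'


def _timeout_element(root, create):
    """Locate <connection><timeoutInSecs>, optionally creating the path."""
    conn = root.find("connection")
    if conn is None:
        if not create:
            return None
        conn = ET.SubElement(root, "connection")
    el = conn.find("timeoutInSecs")
    if el is None and create:
        el = ET.SubElement(conn, "timeoutInSecs")
    return el


def get_timeout(xml_text):
    """Return the configured timeout in seconds, or None if absent/unparseable."""
    root = ET.fromstring(xml_text)
    el = _timeout_element(root, create=False)
    if el is None or el.text is None or not el.text.strip().isdigit():
        return None
    return int(el.text.strip())


def set_timeout(xml_text, seconds):
    """Return (previous_value, new_xml_text) with timeoutInSecs set to `seconds`.

    A zero or negative timeout would either disable the limit or be rejected
    by ZAP, so only positive integers are accepted here.
    """
    if not isinstance(seconds, int) or isinstance(seconds, bool) or seconds <= 0:
        raise ValueError("timeout must be a positive number of seconds")
    previous = get_timeout(xml_text)
    root = ET.fromstring(xml_text)
    _timeout_element(root, create=True).text = str(seconds)
    body = ET.tostring(root, encoding="unicode")
    # ET.tostring drops the XML declaration; keep it if the input had one.
    if xml_text.lstrip().startswith("<?xml"):
        body = XML_DECLARATION + body
    return previous, body


def update_config_file(path, seconds):
    """Rewrite config.xml at `path` in place; returns the previous timeout."""
    path = Path(path)
    previous, new_text = set_timeout(path.read_text(encoding="utf-8"), seconds)
    path.write_text(new_text, encoding="utf-8")
    return previous


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: set_zap_timeout.py <path/to/config.xml> <seconds>")
    old = update_config_file(sys.argv[1], int(sys.argv[2]))
    print(f"timeoutInSecs: {old} -> {sys.argv[2]}")
```

Run it against the config.xml in the zap folder before the bdd-security build step so the embedded ZAP picks up the new value on start; if you instead take the workaround of a separately started ZAP instance, the same option can be changed at runtime through ZAP's REST API (the `core/action/setOptionTimeoutInSecs` action, as I recall it from the ZAP API listing) without touching the file.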