secureCodeBox / scanner-webapplication-zap

Part of the deprecated secureCodeBox v1, see secureCodeBox/secureCodeBox Repo for v2
Apache License 2.0

Rate Limit for ZAP Scans #20

Closed MartinLang1 closed 5 years ago

MartinLang1 commented 5 years ago

As a user I would like to reduce the number of requests per second during my scans so that they won't affect the performance of my application and the scanner won't be blocked by a WAF.

The ZAP API provides means for rate limits via <zap-service>:<zap-port>/UI/ascan like

In my target definition (used for ZAP scans) I would like to configure this like:

[
    {
        "name": "ZAP BodgeIt Scan",
        "location": "http://bodgeit:8080/bodgeit/",
        "attributes": {
            "ZAP_BASE_URL": "http://bodgeit:8080/bodgeit/",
            "ZAP_RATE_LIMITS": {
                "threadPerHost": 2,
                "delayInMs": 100,
                [...]
            }
        }
    }
]
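
One way the proposed `ZAP_RATE_LIMITS` attributes could be turned into ZAP API calls, as an added example that is not part of the issue or the scanner's code. It assumes the two keys shown above map to the ZAP JSON API actions `ascan/action/setOptionThreadPerHost` and `ascan/action/setOptionDelayInMs`; the function name, the `zap:8080` address and the validation rules are hypothetical.

```python
from urllib.parse import urlencode

# Keys from the issue's proposed ZAP_RATE_LIMITS block, mapped to the
# ZAP "ascan" API action that sets the option of the same name.
ASCAN_ACTIONS = {
    "threadPerHost": "setOptionThreadPerHost",
    "delayInMs": "setOptionDelayInMs",
}


def rate_limit_requests(zap_base, attributes, api_key=None):
    """Return the ZAP API URLs that apply a target's ZAP_RATE_LIMITS.

    Raises ValueError on unknown keys or invalid values, so a typo in the
    target definition cannot silently leave the scan unthrottled.
    """
    limits = attributes.get("ZAP_RATE_LIMITS", {})
    if not isinstance(limits, dict):
        raise ValueError("ZAP_RATE_LIMITS must be an object")
    urls = []
    for key, value in limits.items():
        action = ASCAN_ACTIONS.get(key)
        if action is None:
            raise ValueError(f"unsupported rate limit: {key!r}")
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            raise ValueError(f"{key} must be a non-negative integer")
        if key == "threadPerHost" and value == 0:
            raise ValueError("threadPerHost must be at least 1")
        params = {"Integer": value}
        if api_key:
            params["apikey"] = api_key
        base = zap_base.rstrip("/")
        urls.append(f"{base}/JSON/ascan/action/{action}/?{urlencode(params)}")
    return urls


# Constructed target following the issue's proposal ("[...]" entry omitted).
TARGET = {
    "name": "ZAP BodgeIt Scan",
    "location": "http://bodgeit:8080/bodgeit/",
    "attributes": {
        "ZAP_BASE_URL": "http://bodgeit:8080/bodgeit/",
        "ZAP_RATE_LIMITS": {"threadPerHost": 2, "delayInMs": 100},
    },
}

if __name__ == "__main__":
    for url in rate_limit_requests("http://zap:8080", TARGET["attributes"]):
        print(url)
```

The options must be set before the active scan is started for them to apply to that scan.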

MartinLang1 commented 5 years ago

The rate limits available for ZAP can also be found via the ZAP Application UI in "Tools -> Options -> Active Scan"
