Is your ZAP scan taking hours to complete? Maybe even a day to two? Not everyone has the luxury to wait for a 24hr ZAP scan to complete. This is the problem many people face and is what we will be tackling. In this article, we will discuss the variables that affect the duration of the scan and optimise zap scans.
Optimise Zap Scans – What Affects a ZAP Scan?
Server Hardware and network are one factor that affects the speed of a ZAP scan. So you could get better equipment, but the target equipment is also another factor that we can’t control. Thus, let’s focus on the configuration of the ZAP application itself.
When running an automated scan, there are 2 things that occur, the spidering (which is also part of the passive scan) and the active scan. Each of these comes with configurations that affect the duration of your scan. These configurations can be found the in ZAP options (the settings).
Here is a list of factors that affect the duration for each:
Spidering (Passive Scan) Factors
- Max depth to crawl (more depth = longer scan)
- Number of threads used (More threads = faster scan)
- Process forms
- Parse HTML comments
- Parse robots.txt
- Parse sitemap.xml
- Passive scan tags (disabling some tags = faster scan)
- Passive Scan rules (disabling some rules = faster scan)
Generally, what affects the duration of the spidering is mainly the max depth to crawl and the number of threads used. For the number of threads, it’s best to put it at the highest possible with regards to your hardware (of course spare some threads for your system itself so it doesn’t crash). As for the Max depth to crawl, this depends on the website you are scanning.
For example, if we scan a website like wappalyzer.com, which has a decent number of pages, using a max depth of 5 would take an acceptable amount of time to complete the spidering.
However, if we use the same max depth of 5 on a website like tastyfix.com, which has hundreds of pages (from the hundreds of recipes it contains), it may take hours or days to complete the spidering. And that is without starting the active scan, which takes even longer.
Active Scan Factors
- Number of Hosts Scanned Concurrently
- Concurrent Scanning Threads per Hosts (more threads = faster scan)
- Active Scan Input Vectors
- Scan Policy (some scan policies take very long)
Generally, what affects the duration of the active scan is mainly the Concurrent Scanning Threads per Host and the Scan Policy.
For the scan policy, this is a variable you might want to test a few times. For example, when scanning tastyfix.com, if we take a look at the active scan monitor, we can see the duration of each scan policy. In my experience, Cross Site Scripting (DOM Based) is usually the policy that takes the longest and at times too long. Thus, turning off specific Scan Policies can also optimize your ZAP scan (that would also mean the vulnerability for that policy won’t be scanned for).
The general equation to determine the duration of the scan is:
(Number of pages) x (number of parameters) x (number of attacks) x (duration of the request) / (number of threads)
In a nutshell, the duration of a scan increases exponentially, for each variable added to the ZAP scan. By reducing the number of variables to scan, the duration of the scan will be reduced. However, this will also reduce the quality of your results and possibly miss out on certain vulnerabilities.
An alternative to reducing the variables of a ZAP scan is to instead limit the ZAP scan in terms of duration, byte size and etc.
For the passive scan, these are the options you can configure:
- Max children to crawl (limit the number of children to crawl for each parent folder)
- Max duration (limit passive scanning duration)
- Max body size in bytes to scan (limit the maximum size request or response body size in bytes that the passive scanner will scan)
For the active scan, these are the options you can configure:
- Max rule duration (limit active scan duration for each rule)
- Max scan duration (limit active scanning duration)
The final alternative is to use Manual Explore, which would be to target only the pages you want to scan, but this method covers little area and is not automated.
All in all, balancing the duration of a scan and an acceptable quality of the results is something you will have to determine for yourself, as everyone’s situation is different. I hope this article has helped you optimise zap scans.