
Read Time Out

Open lfatty opened this issue 9 years ago • 5 comments

Lately I noticed the following error when bdd-security is running especially against a huge app/site

10802624 [ZAP-ActiveScanner-1] WARN org.zaproxy.zap.extension.ascanrules.TestPathTraversal - Error scanning parameters for Path Traversal: Read timed out
[java] java.net.SocketTimeoutException: Read timed out
[java] at java.net.SocketInputStream.socketRead0(Native Method)
[java] at java.net.SocketInputStream.read(SocketInputStream.java:152)
[java] at java.net.SocketInputStream.read(SocketInputStream.java:122)
[java] at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
[java] at java.io.BufferedInputStream.read(BufferedInputStream.java:254)
[java] at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:78)
[java] at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:106)
[java] at org.apache.commons.httpclient.HttpConnection.readLine(HttpConnection.java:1116)
[java] at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.readLine(MultiThreadedHttpConnectionManager.java:1413)
[java] at org.apache.commons.httpclient.HttpMethodBase.readStatusLine(Unknown Source)
[java] at org.zaproxy.zap.ZapGetMethod.readResponse(Unknown Source)
[java] at org.apache.commons.httpclient.HttpMethodBase.execute(Unknown Source)
[java] at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(Unknown Source)
[java] at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(Unknown Source)
[java] at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
[java] at org.parosproxy.paros.network.HttpSender.executeMethod(Unknown Source)
[java] at org.parosproxy.paros.network.HttpSender.runMethod(Unknown Source)
[java] at org.parosproxy.paros.network.HttpSender.send(Unknown Source)
[java] at org.parosproxy.paros.network.HttpSender.sendAuthenticated(Unknown Source)
[java] at org.parosproxy.paros.network.HttpSender.sendAndReceive(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
[java] at org.zaproxy.zap.extension.ascanrules.TestPathTraversal.scan(TestPathTraversal.java:323)
[java] at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scanVariant(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.run(Unknown Source)
[java] at java.lang.Thread.run(Thread.java:745)

lfatty avatar Oct 30 '15 19:10 lfatty

Looks like a ZAP error. You could try running the test through your own ZAP instance, and see whether you can change any timing parameters in the ZAP config, or view the URLs that are causing the timeout while it's doing the scan to see what the problem is.

iriusrisk avatar Oct 31 '15 14:10 iriusrisk

I think we need to increase "Timeout in seconds" according to the documentation below, because it will make it easier to test slow applications. I adjusted it on my ZAP instance and it seems to be running fine. Is there a way we could adjust it on the bdd-security ZAP?

https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsOptionsConnection#timeout-in-seconds

lfatty avatar Oct 31 '15 20:10 lfatty

Yes, will have to create a mechanism for passing ZAP options to the embedded instance.
A workaround is to start your own ZAP instance outside of the bdd-security run, and talk to that instead. Have created issue: https://github.com/continuumsecurity/bdd-security/issues/38 to describe this.

iriusrisk avatar Oct 31 '15 20:10 iriusrisk

We can fix it by increasing the "Timeout in seconds" and then uploading the new zap folder which has the adjusted configuration. I am running bdd-security in headless mode with Jenkins integration, which means that it will be difficult for me to adjust it on my ZAP instance.

lfatty avatar Nov 03 '15 15:11 lfatty

You can edit all ZAP config items in the config.xml that exists in the zap folder, so there's no need to launch the GUI to make changes.

iriusrisk avatar Nov 03 '15 16:11 iriusrisk
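The thread's resolution is to raise the ZAP connection timeout by editing config.xml in the zap folder rather than through the GUI, which is what a headless Jenkins run needs. The script below is an added example, not code from bdd-security or ZAP: it rewrites the `connection/timeoutInSecs` element (the key ZAP's Connection options use for "Timeout in seconds"; treat the exact element path as an assumption for your ZAP version) in a config.xml, creating it if the file does not carry it yet, and leaves every other setting untouched. The embedded config fragment is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed minimal ZAP config.xml fragment for the demonstration; a real
# config.xml carries many more sections, which this script leaves untouched.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<config>
  <connection>
    <timeoutInSecs>20</timeoutInSecs>
    <proxyChain>
      <enabled>false</enabled>
    </proxyChain>
  </connection>
</config>
"""


def set_zap_timeout(xml_text: str, seconds: int) -> str:
    """Return config.xml text with connection/timeoutInSecs set to `seconds`.

    The <connection> and <timeoutInSecs> elements are created when absent
    (assumed element path, matching ZAP's "Timeout in seconds" option).
    Non-positive values are rejected so a typo cannot disable the timeout.
    """
    if seconds <= 0:
        raise ValueError("timeout must be a positive number of seconds")
    root = ET.fromstring(xml_text)
    if root.tag != "config":
        raise ValueError("not a ZAP config.xml: root element is %r" % root.tag)
    conn = root.find("connection")
    if conn is None:
        conn = ET.SubElement(root, "connection")
    node = conn.find("timeoutInSecs")
    if node is None:
        node = ET.SubElement(conn, "timeoutInSecs")
    node.text = str(seconds)
    return ET.tostring(root, encoding="unicode")


def get_zap_timeout(xml_text: str):
    """Read connection/timeoutInSecs back, or None when the element is missing."""
    root = ET.fromstring(xml_text)
    node = root.find("connection/timeoutInSecs")
    return int(node.text) if node is not None and node.text else None


def update_config_file(path: str, seconds: int) -> int:
    """Rewrite config.xml on disk in place and return the value now stored."""
    config_path = Path(path)
    updated = set_zap_timeout(config_path.read_text(encoding="utf-8"), seconds)
    config_path.write_text(updated, encoding="utf-8")
    return get_zap_timeout(updated)


if __name__ == "__main__":
    # Hypothetical path: bdd-security's bundled ZAP keeps config.xml under
    # its zap folder; pass the real location on your CI box instead.
    print("before:", get_zap_timeout(SAMPLE_CONFIG))
    print("after: ", get_zap_timeout(set_zap_timeout(SAMPLE_CONFIG, 120)))
```

Run `update_config_file("zap/config.xml", 120)` before the scan starts on the Jenkins agent so the embedded ZAP picks the value up; keep the timeout proportionate to the slowest real response of the target, since a very large value only hides a misbehaving endpoint instead of surfacing it in the scan output.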