New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WebCacheDeceptionScanRule and CorsScanRule taking long + WebCacheDeceptionScanRule 404 behaviour #6655
WebCacheDeceptionScanRule and CorsScanRule taking long + WebCacheDeceptionScanRule 404 behaviour #6655
Comments
Thanks for raising the issue. |
Did some testing on this, part of the WebCacheDeceptionScanRule CPU usage is definitely caused by the The code doesn't care about the exact value of the Levenshtein distance, at least not once it gets over 200. It appears that with a threshold it's linear in terms of input length, but without it goes superlinear. (note that the Apache Commons library will return -1 if a threshold is given and no distance can be found). Some very rough figures from my system to give an indication:
|
I also stumbled across this issue (https://owasp.slack.com/archives/C04SX2GAS/p1626340200135100), added some debug logs and can also confirm that this seems to be caused by the Levenshtein distance. This can be reproduced reliably by scanning Juice Shop (Just using a ajax spider, followed by an active scan without any special config). This causes my ZAP to hour on the scan rule often spending minutes at a time as it seems to be comparing big binary files using Levenshtein. |
I had a similar issue, and in my system, the ZAP was hang. zap.log
WebCacheDeceptionScanRule |
Was |
@thc202 it seems that CorsScanRule is/was also addressed, I get these kind of timings now:
The WebCacheDeceptionScanRule 404 behaviour still exists, but I'm less sure whether that's a feature or a bug. If you think it's worthwile to investigate, I can try to set up some kind of minimal example. I'll leave it up to you whether you want it as a separate issue or a reopening of this one (in the latter case I'll edit the title + reopen once I figure out said minimal example) |
The fixed WCD rule hasn't been released yet. |
Oops, my bad. I missed that the WCD fix was recent. |
This issue is still present in 2.11.1 |
Please be more specific. Scan rules are not part of ZAP core. Add-ons (which contain scan rules) have their own version numbering. https://www.zaproxy.org/docs/desktop/ui/tlmenu/help/#support-info |
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Describe the bug
Since owasp/zap2docker-weekly:w2021-06-15, our CI is taking significantly longer, plus eventually fails on what is probably a false positive:
Full timings are available in timings.log. Note that DomXssScanRule aside, all the other rules take couple of seconds at most. I don't see anything strange in firewall logs. CPU usage is also incredibly high when these two rules are running.
(was told on IRC to put all three in one issue -- if you want separate ones instead, comment and I'll split them out and close this one)
To Reproduce
(config.tsv is just every available rule on WARN, plus some OUTOFSCOPE for very specific rule/URL combinations, but those combinations don't affect this)
(I can't share the actual domain publicly. Either email me or comment to PM it to a specific user on IRC if you are unable to reproduce it elsewhere)
Expected behavior
The rules should probably not take this long cq need this much CPU. For WebCacheDeceptionScanRule, it should probably skip certain status codes for the authorised request (at least 404) or perhaps only check successful requests.
Software versions
Would you like to help fix this issue?
If there's a way to run the rule .java files directly, I can provide more details on what it's actually doing on the specific domain / put a profiler on it and see where the CPU usage is coming from.
The text was updated successfully, but these errors were encountered: