
Support throttling in Spider

Open slicedpan opened this issue 3 years ago • 5 comments

Is your feature request related to a problem? Please describe.

The Spider does not support throttling, so is always set to make requests as fast as it can. In some cases this is undesirable, as this can cause availability issues with brittle targets.

Describe the solution you'd like

The spider should support a delayInMs parameter (like the active scanner), which will delay requests by the given value to reduce the load on target web applications.

Describe alternatives you've considered

It's possible to replicate this behaviour by running ZAP through another proxy that supports throttling, but this is clunky.

Screenshots

No response

Additional context

No response

Would you like to help fix this issue?

  • [ ] Yes

slicedpan avatar May 30 '22 10:05 slicedpan

I am happy to work on a fix for this myself, I appreciate it's not a super common use case. Just wanted to add an issue and invite commentary in case anyone has any thoughts before I submit a PR.

slicedpan avatar May 30 '22 10:05 slicedpan

Sounds good to me :) Would you like to be assigned this issue?

psiinon avatar May 30 '22 10:05 psiinon

Sure.

slicedpan avatar May 30 '22 10:05 slicedpan

Duplicate of #1314 but I guess we can keep this one.

thc202 avatar May 30 '22 11:05 thc202

This should be done in the add-on now, located in the zap-extensions repo.

thc202 avatar Jul 05 '22 14:07 thc202

Hello, @slicedpan

Thank you for making this issue! Actually, I have wanted to use this feature, too.

Then, how is this task going? If it's hard for you to try this task, I would like to try this task :)

I apologize for this suggestion if you are mid-way through this task.

task4233 avatar Oct 01 '22 07:10 task4233

fwiw, there's an add-on in progress providing this more generally: zaproxy/zap-extensions#4011.

thc202 avatar Oct 01 '22 08:10 thc202

@thc202 Thank you for the useful information! I will wait for the PR to be merged.

task4233 avatar Oct 01 '22 09:10 task4233

Closing as done with the global rate limiting; while adding per scan/tool seems useful, it does not actually allow the limits to be enforced (as the user can easily/accidentally exceed them, e.g. active scan, manual).

Feel free to leave a comment explaining the use case if you still think having per scan is useful.

thc202 avatar Aug 16 '23 08:08 thc202
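The difference between the per-spider `delayInMs` requested in the issue body and the global rate limit the thread was closed with is easiest to see in code. The following is an added example, not ZAP's own spider or rate-limit add-on code: `GlobalThrottle`, `ThrottleDemo` and the two simulated "tools" are hypothetical names, the request send is stood in for by recording a timestamp, and the only value taken from the issue is the `delayInMs` parameter name. Two tools run side by side, first each with its own fixed delay, then both sharing one throttle, and the aggregate request rate the target would see is measured in each case.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.concurrent.TimeUnit;

// Hypothetical throttle (not ZAP's own rate-limit add-on): every tool that shares one
// instance is collectively held to at most one request per delayInMs.
final class GlobalThrottle {
    private final long minIntervalNanos;
    private long nextAllowedNanos = 0L; // next free slot on the monotonic clock, guarded by this

    GlobalThrottle(long delayInMs) {
        this.minIntervalNanos = TimeUnit.MILLISECONDS.toNanos(delayInMs);
    }

    // Claims the next free slot under the lock, then sleeps outside it so waiters do not
    // block each other on the monitor; slots are handed out strictly in claim order.
    void acquire() throws InterruptedException {
        long waitNanos;
        synchronized (this) {
            long now = System.nanoTime();
            long slot = Math.max(now, nextAllowedNanos);
            nextAllowedNanos = slot + minIntervalNanos;
            waitNanos = slot - now;
        }
        if (waitNanos > 0) {
            TimeUnit.NANOSECONDS.sleep(waitNanos);
        }
    }
}

public class ThrottleDemo {
    static final long DELAY_MS = 100;       // the delayInMs value from the issue (constructed)
    static final int REQUESTS_PER_TOOL = 5;

    interface Tool { void run() throws InterruptedException; }

    // Per-tool delay, as requested for the spider: each tool waits after its own request,
    // so two tools running side by side still hit the target at twice the intended rate.
    static void perToolDelay(List<Long> sentAt) throws InterruptedException {
        for (int i = 0; i < REQUESTS_PER_TOOL; i++) {
            record(sentAt);                 // stands in for the actual HTTP send
            Thread.sleep(DELAY_MS);
        }
    }

    // Shared throttle: both tools draw from one slot sequence, so the aggregate rate is bounded.
    static void globalThrottle(GlobalThrottle throttle, List<Long> sentAt) throws InterruptedException {
        for (int i = 0; i < REQUESTS_PER_TOOL; i++) {
            throttle.acquire();
            record(sentAt);
        }
    }

    static void record(List<Long> sentAt) {
        synchronized (sentAt) { sentAt.add(System.nanoTime()); }
    }

    // Aggregate send rate as the target sees it: all sends from every source, in time order.
    static double requestsPerSecond(List<Long> sentAt) {
        List<Long> sorted = new ArrayList<>(sentAt);
        Collections.sort(sorted);
        long spanNanos = sorted.get(sorted.size() - 1) - sorted.get(0);
        return (sorted.size() - 1) / (spanNanos / 1e9);
    }

    static void runTwoToolsConcurrently(Tool a, Tool b) throws InterruptedException {
        Thread ta = new Thread(() -> { try { a.run(); } catch (InterruptedException e) { Thread.currentThread().interrupt(); } });
        Thread tb = new Thread(() -> { try { b.run(); } catch (InterruptedException e) { Thread.currentThread().interrupt(); } });
        ta.start(); tb.start();
        ta.join(); tb.join();
    }

    public static void main(String[] args) throws InterruptedException {
        List<Long> perTool = new ArrayList<>();
        runTwoToolsConcurrently(() -> perToolDelay(perTool), () -> perToolDelay(perTool));
        System.out.printf("per-tool delay of %d ms, two tools: %.1f req/s at the target%n",
                DELAY_MS, requestsPerSecond(perTool));

        List<Long> shared = new ArrayList<>();
        GlobalThrottle throttle = new GlobalThrottle(DELAY_MS);
        runTwoToolsConcurrently(() -> globalThrottle(throttle, shared), () -> globalThrottle(throttle, shared));
        System.out.printf("global throttle of %d ms, two tools: %.1f req/s at the target%n",
                DELAY_MS, requestsPerSecond(shared));
    }
}
```

With a 100 ms delay the intended ceiling is 10 requests per second. In the first run each tool honours that on its own, yet the target receives the two interleaved streams at roughly double the rate, which is the point made when closing the issue: a per-scan delay cannot enforce the limit once a second source (another scan, manual browsing) is active. In the second run both tools claim slots from the same throttle, so their combined rate stays at about the ceiling regardless of how many sources are running. The throttle uses `System.nanoTime()` rather than wall-clock time so that clock adjustments cannot shorten or lengthen the interval.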

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

github-actions[bot] avatar Nov 15 '23 01:11 github-actions[bot]