When running purpleteam, web requests to your SUT seem to take longer than they should.
This can be due to scripts in your SUT that take a long time to load or never load at all. We saw this initially with NodeGoat, where SUT pages attempted to fetch the livereload script. NodeGoat expected the livereload script to be hosted locally, which it wasn’t, so the page never finished loading.
Check that Zap doesn’t have any “Timed out while reading a new HTTP request” messages. If it does:
We fixed this by removing the dependency on this script (livereload.js) in the NodeGoat
App test failing (specifically the Zap active scan) with the following error message displayed in the CLI app log:
URL Not Found in the Scan Tree.
This error is also visible in the app-scanner log and originates from Zap. Zap also logs the following message as a
Bad request to API endpoint [/JSON/ascan/action/scan/]
URL Not Found in the Scan Tree
This can be due to one or more missing attackFields in the Build User config (Job) for a given route that you have specified. These attackFields are not only used by Selenium to proxy the specific route’s request through Zap, but also to inform Zap of the postData when a request is made to ascanActionScan. If a route has no attackFields, Zap never sees a request for that URL, so the URL is absent from its scan tree when the active scan is started.
Check that your Build User config (Job) contains all of the attackFields that your SUT requires to make a successful request.
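A quick check for the problem above, added here as an example and not part of purpleteam itself: it walks the route resources in a Job and reports any route whose attackFields are missing, empty, or lack a name/value pair. The JSON:API-style shape of the Job (a top-level "data" resource plus "included" route resources carrying attackFields) and the sample routes are assumptions constructed for this example.

```python
import json

# Constructed sample Build User config (Job). Its shape is an assumption for
# this example, not a verified purpleteam schema: routes live under "included"
# and each carries an "attackFields" list of {name, value, visible} objects.
SAMPLE_JOB = json.dumps({
    "data": {"type": "BrowserApp", "attributes": {"sutHost": "nodegoat.sutexample"}},
    "included": [
        {"type": "route", "id": "/profile",
         "attributes": {"method": "POST", "submit": "submit",
                        "attackFields": [
                            {"name": "firstName", "value": "PurpleJohn", "visible": True},
                            {"name": "lastName", "value": "PurpleDoe", "visible": True}]}},
        {"type": "route", "id": "/memos",
         "attributes": {"method": "POST", "submit": "submit", "attackFields": []}},
        {"type": "route", "id": "/allocations",
         "attributes": {"method": "POST", "submit": "submit",
                        "attackFields": [{"name": "threshold"}]}},
    ],
})


def routes_missing_attack_fields(job_json):
    """Return (route id, problem) pairs for routes whose attackFields would
    give Selenium nothing to submit, leaving Zap with no postData and no
    entry for that URL in its scan tree."""
    job = json.loads(job_json)
    problems = []
    for resource in job.get("included", []):
        if resource.get("type") != "route":
            continue
        route_id = resource.get("id", "<no id>")
        fields = resource.get("attributes", {}).get("attackFields")
        if not fields:
            problems.append((route_id, "no attackFields"))
            continue
        for field in fields:
            if "name" not in field or "value" not in field:
                problems.append((route_id, f"field {field!r} lacks name/value"))
    return problems


if __name__ == "__main__":
    for route, problem in routes_missing_attack_fields(SAMPLE_JOB):
        print(f"{route}: {problem}")
```

Run it against your own Job file by replacing SAMPLE_JOB with the file contents; every route it reports is a candidate for the “URL Not Found in the Scan Tree” failure.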