ZAP maintains internal statistics which can be accessed via the API.
| Key / Link | Scope | Type | Description |
|---|---|---|---|
| automation.spider.urls.added | global | counter | The number of URLs added by the standard spider running in the automation framework |
| domxss.attack.<vector> | global | counter | The number of times the given DOM XSS attack vector was used |
| domxss.gets.count | global | counter | The number of GET requests made by the DOM XSS scan rule |
| domxss.scan.count | global | counter | The number of times the DOM XSS rule was run against a target URL |
| domxss.vulns.div1 | global | counter | The number of DOM XSS vulnerabilities found when retrieving div elements |
| domxss.vulns.div2 | global | counter | The number of DOM XSS vulnerabilities found when accessing div elements |
| domxss.vulns.get1 | global | counter | The number of DOM XSS vulnerabilities found using the first GET request |
| domxss.vulns.get2 | global | counter | The number of DOM XSS vulnerabilities found using the first second GET request |
| domxss.vulns.input1 | global | counter | The number of DOM XSS vulnerabilities found when retrieving input elements |
| domxss.vulns.possibleDomXSSTriggers2 | global | counter | The number of DOM XSS vulnerabilities found using possibleDomXSSTriggers2 |
| domxss.vulns.possibleDomXSSTriggers3 | global | counter | The number of DOM XSS vulnerabilities found using possibleDomXSSTriggers3 |
| openapi.urls.added | global | counter | The number of URLs added by importing an OpenAPI definition |
| soap.urls.added | global | counter | The number of URLs added by importing a SOAP definition |
| spiderAjax.urls.added | global | counter | The number of URLs found by the ajax spider |
| sqldb.<key>.calls | global | counter | The number of times the SQL statement with the given key has been called |
| sqldb.<key>.pool | global | highwatermark | The highest number of prepared statements in the pool for the given key |
| sqldb.<key>.time | global | counter | The cumulative number of milliseconds taken by the corresponding SQL statements |
| sqldb.conn.closed | global | counter | The number of times the ZAP db has been closed |
| sqldb.conn.openned | global | counter | The number of times the ZAP db has been opened |
| stats.acsrf.<token-name> | site | counter | The number of times the given token is present in an HTTP response |
| stats.alertFilter.<rule-id>.risk.<risk> | site | counter | The number of times the given rule has been changed to the given risk by an alert filter |
| stats.api.call.<format>.<component>.<request-type>.<name> | global | counter | The number of times the given API endpoint has been called - from 2.11.0 |
| stats.api.error.<format>.<component>.<request-type>.<name> | global | counter | The number of times the given API endpoint has returned an error - from 2.11.0 |
| stats.ascan.<rule-id>.alerts | global | counter | The number of alerts the given active scan rule has raised - from 2.11.0 |
| stats.ascan.<rule-id>.skipped | global | counter | The number of alerts the given active scan rule has been skipped - from 2.11.0 |
| stats.ascan.<rule-id>.started | global | counter | The number of alerts the given active scan rule has been started - from 2.11.0 |
| stats.ascan.<rule-id>.time | global | counter | The cumulative number of milliseconds that the given active scan rule has run for - from 2.11.0 |
| stats.ascan.<rule-id>.urls | global | counter | The number of URLs that the given active scan rule has requested - from 2.11.0 |
| stats.ascan.started | global | counter | The number of times the active scanner has been started - from 2.11.0 |
| stats.ascan.stopped | global | counter | The number of times the active scanner has been stopped (as opposed to finishing) - from 2.11.0 |
| stats.ascan.time | global | counter | The cumulative number of milliseconds that active scanner has run for - from 2.11.0 |
| stats.ascan.urls | global | counter | The number of URLs the active scanner has requested - from 2.11.0 |
| stats.auth.browser.nopasswordfield | global | counter | The number of times Browser Based Authentication failed to find a password field |
| stats.auth.browser.nouserfield | global | counter | The number of times Browser Based Authentication failed to find a username field |
| stats.auth.configure.auth.error | global | counter | The number of errors when automatically configuring context authentication |
| stats.auth.configure.auth.form | global | counter | The number of contexts automatically configured for form-based authentication |
| stats.auth.configure.auth.json | global | counter | The number of contexts automatically configured for JSON-based authentication |
| stats.auth.configure.session.header | global | counter | The number of contexts automatically configured header based session management |
| stats.auth.configure.verification | global | counter | The number of contexts automatically configured for verification |
| stats.auth.detect.auth.form | global | counter | The number of form-based authentication requests identified |
| stats.auth.detect.auth.json | global | counter | The number of JSON-based authentication requests identified |
| stats.auth.detect.register | global | counter | The number of registration requests identified |
| stats.auth.detect.session.<token-key> | global | counter | The number of times a session has been detected with the token-key |
| stats.auth.failure | site | counter | The number of authentication failures |
| stats.auth.session.set.header | global | counter | The number of times a message has been processed to add an authentication header |
| stats.auth.sessiontoken.<session-token> | site | counter | The number of times the specified session token has been identified |
| stats.auth.state.assumedin | site | counter | The number of messages between successful polls that are assumed to be logged in |
| stats.auth.state.loggedin | site | counter | The number of messages that include the logged-in indicator |
| stats.auth.state.loggedout | site | counter | The number of messages that include the logged-out indicator |
| stats.auth.state.noindicator | site | counter | The number of messages where no logged in or out indicators have been set in the context |
| stats.auth.state.unknown | site | counter | The number of messages which don't contain either logged in or out indicators |
| stats.auth.success | site | counter | The number of authentication successes |
| stats.auto.errors | global | counter | The number of automation errors reported |
| stats.auto.job.<job-type>.run | global | counter | The number of times the given automation job type has been run |
| stats.auto.jobs.run | global | counter | The number of automation jobs run |
| stats.auto.plans.run | global | counter | The number of automation plans run |
| stats.auto.warnings | global | counter | The number of automation warnings reported |
| stats.break.drop | global | counter | The number of times a request or response has been dropped via a break point - from 2.11.0 |
| stats.break.hit | global | counter | The number of times a break point has been hit - from 2.11.0 |
| stats.break.step | global | counter | The number of times a break point has been stepped through - from 2.11.0 |
| stats.code.<response-code> | site | counter | The number of messages which include the given response code |
| stats.contentType.<content-type> | site | counter | The number of messages which include the given content type |
| stats.exim.copy.url | global | counter | The number of URLs copied |
| stats.exim.import.har.file | global | counter | The number of HAR files imported |
| stats.exim.import.har.file.errors | global | counter | The number of errors when importing a HAR file |
| stats.exim.import.har.file.message | global | counter | The number of HAR messages imported via a file |
| stats.exim.import.har.file.message.errors | global | counter | The number of errors when importing a message via a HAR file |
| stats.exim.import.modsec2.file | global | counter | The number of ModSecurity v2 files imported |
| stats.exim.import.modsec2.file.errors | global | counter | The number of errors when importing a ModSecurity v2 file |
| stats.exim.import.modsec2.file.message | global | counter | The number of ModSecurity v2 messages imported via a file |
| stats.exim.import.url.file | global | counter | The number of URL files imported |
| stats.exim.import.url.file.errors | global | counter | The number of errors when importing a URL file |
| stats.exim.import.url.file.message | global | counter | The number of URLs imported via a file |
| stats.exim.import.zap.file | global | counter | The number of ZAP files imported |
| stats.exim.import.zap.file.errors | global | counter | The number of errors when importing a ZAP file |
| stats.exim.import.zap.file.message | global | counter | The number of ModSecurity v2 messages imported via a file |
| stats.exim.save.har.file | global | counter | The number of HAR Files saved |
| stats.exim.save.har.file.errors | global | counter | The number of errors when saving a HAR file |
| stats.exim.save.har.file.message | global | counter | The number of HAR messages saves to a files |
| stats.exim.save.raw.file.msg | global | counter | The number of messages saved as raw files |
| stats.exim.save.raw.file.msg.errors | global | counter | The number of errors when saving messages as raw files |
| stats.exim.save.xml.file.msg | global | counter | The number of messages saved as XML files |
| stats.exim.save.xml.file.msg.errors | global | counter | The number of errors when saving messages as XML files |
| stats.fuzz.<message-type>.started | global | counter | The number of fuzzers started by message type |
| stats.fuzz.HTTP.message.processors.error | global | counter | The number of fuzzer HTTP message processor errors |
| stats.fuzz.HTTP.message.processors.run | global | counter | The number of fuzzer HTTP message processors run |
| stats.fuzz.messages.edited | global | counter | The number of fuzz messages edited |
| stats.fuzz.messages.sent | global | counter | The number of fuzz messages sent |
| stats.fuzz.payload.processors.error | global | counter | The number of fuzzer payload processor errors |
| stats.fuzz.payload.processors.run | global | counter | The number of fuzzer payload processors run |
| stats.oast.boast.interactions | global | counter | The number of BOAST interactions |
| stats.oast.boast.payloadsGenerated | global | counter | The number of BOAST payloads generated |
| stats.oast.callback.interactions | global | counter | The number of callback interactions |
| stats.oast.callback.payloadsGenerated | global | counter | The number of callback payloads generated |
| stats.oast.interactsh.interactions | global | counter | The number of Interactsh interactions |
| stats.oast.interactsh.payloadsGenerated | global | counter | The number of Interactsh payloads generated |
| stats.pscan.<rule-id>.alerts | global | counter | The number of alerts raised by the given scan rule - from 2.11.0 |
| stats.pscan.<rule-id>.time | global | counter | The cumulative number of milliseconds taken to run the given scan rule - from 2.11.0 |
| stats.pscan.<rule-name> | global | counter | The cumulative number of milliseconds taken to run the given scan rule - DEPRECATED - use stats.pscan.<rule-id>.time instead |
| stats.pscan.reqBodyTooBig | global | counter | The number of requests that have not been passively scanned as they exceed the configured max body size to scan |
| stats.pscan.respBodyTooBig | global | counter | The number of responses that have not been passively scanned as they exceed the configured max body size to scan |
| stats.quickstart.news.<news-id> | global | counter | The number of times the given news item has been clicked on |
| stats.reports.error.<template-name> | global | counter | The number of errors by template name |
| stats.reports.generated.<template-name> | global | counter | The number of reports generated by template name |
| stats.reports.nofile.<template-name> | global | counter | The number of File Not Found errors by template name |
| stats.responseTime.<time-slice> | site | counter | The number of messages with response times in milliseconds the given (logarithmic) time slice (1, 2, 4, 8 etc) |
| stats.script.call.<engine-name>.<type> | global | counter | The number of times the given type of script has been called - from 2.11.0 |
| stats.script.error.<engine-name>.<type> | global | counter | The number of times the given type of script has been returned an error - from 2.11.0 |
| stats.selenium.launch.<browser-id> | global | counter | The number of time the given browser has been launched |
| stats.selenium.launch.<requester-id>.<browser-id> | global | counter | The number of times the given browser has been successfully launched for the requester |
| stats.selenium.launch.<requester-id>.<browser-id>.failure | global | counter | The number of times the given browser has failed to launch for the requester |
| stats.spider.started | global | counter | The number of times the spider has been started - from 2.11.0 |
| stats.spider.stopped | global | counter | The number of times the spider has been stopped (as opposed to completing) - from 2.11.0 |
| stats.spider.time | global | counter | The total number of milliseconds the spider has run for across all scans - from 2.11.0 |
| stats.spider.url.error | global | counter | The number of URLs the spider has found but failed to access - from 2.11.0 |
| stats.spider.url.found | global | counter | The number of URLs the spider has found and accessed - from 2.11.0 |
| stats.tag.<tag-name> | site | counter | The number of messages containing the given tag |
| stats.websockets.bytes.incoming | site | counter | The cumulative number of incoming websocket bytes received |
| stats.websockets.bytes.outgoing | site | counter | The cumulative number of outgoing websocket bytes sent |
| stats.websockets.close | site | counter | The number of times a websocket connection was closed |
| stats.websockets.count.incoming | site | counter | The number of incoming websocket messages |
| stats.websockets.count.outgoing | site | counter | The number of outgoing websocket messages |
| stats.websockets.opcode.<opcode> | site | counter | The number of websocket messages by opcode |
| stats.websockets.open | site | counter | The number of times a websocket connection was opened |
| stats.websockets.pscan.<pscanname> | global | counter | The number of times the given rule was run against a message |
The scope can be:
- global - the stats are maintained for ZAP as a whole
- site - the stats are maintained on a per site basis
The type can be:
- counter: an incrementing counter
- highwatermark: the maximum value seen