ZAP Internal Statistics

ZAP maintains internal statistics which can be accessed via the API.

| Key / Link | Scope | Type | Description |
| --- | --- | --- | --- |
| automation.spider.urls.added | global | counter | The number of URLs added by the standard spider running in the automation framework |
| domxss.attack.<vector> | global | counter | The number of times the given DOM XSS attack vector was used |
| domxss.gets.count | global | counter | The number of GET requests made by the DOM XSS scan rule |
| domxss.scan.count | global | counter | The number of times the DOM XSS rule was run against a target URL |
| domxss.vulns.div1 | global | counter | The number of DOM XSS vulnerabilities found when retrieving div elements |
| domxss.vulns.div2 | global | counter | The number of DOM XSS vulnerabilities found when accessing div elements |
| domxss.vulns.get1 | global | counter | The number of DOM XSS vulnerabilities found using the first GET request |
| domxss.vulns.get2 | global | counter | The number of DOM XSS vulnerabilities found using the second GET request |
| domxss.vulns.input1 | global | counter | The number of DOM XSS vulnerabilities found when retrieving input elements |
| domxss.vulns.possibleDomXSSTriggers2 | global | counter | The number of DOM XSS vulnerabilities found using possibleDomXSSTriggers2 |
| domxss.vulns.possibleDomXSSTriggers3 | global | counter | The number of DOM XSS vulnerabilities found using possibleDomXSSTriggers3 |
| openapi.urls.added | global | counter | The number of URLs added by importing an OpenAPI definition |
| soap.urls.added | global | counter | The number of URLs added by importing a SOAP definition |
| spiderAjax.urls.added | global | counter | The number of URLs found by the AJAX spider |
| sqldb.<key>.calls | global | counter | The number of times the SQL statement with the given key has been called |
| sqldb.<key>.pool | global | highwatermark | The highest number of prepared statements in the pool for the given key |
| sqldb.<key>.time | global | counter | The cumulative number of milliseconds taken by the corresponding SQL statements |
| sqldb.conn.closed | global | counter | The number of times the ZAP db has been closed |
| sqldb.conn.openned | global | counter | The number of times the ZAP db has been opened |
| stats.acsrf.<token-name> | site | counter | The number of times the given token is present in an HTTP response |
| stats.alertFilter.<rule-id>.risk.<risk> | site | counter | The number of times the given rule has been changed to the given risk by an alert filter |
| stats.api.call.<format>.<component>.<request-type>.<name> | global | counter | The number of times the given API endpoint has been called - from 2.11.0 |
| stats.api.error.<format>.<component>.<request-type>.<name> | global | counter | The number of times the given API endpoint has returned an error - from 2.11.0 |
| stats.ascan.<rule-id>.alerts | global | counter | The number of alerts the given active scan rule has raised - from 2.11.0 |
| stats.ascan.<rule-id>.skipped | global | counter | The number of times the given active scan rule has been skipped - from 2.11.0 |
| stats.ascan.<rule-id>.started | global | counter | The number of times the given active scan rule has been started - from 2.11.0 |
| stats.ascan.<rule-id>.time | global | counter | The cumulative number of milliseconds that the given active scan rule has run for - from 2.11.0 |
| stats.ascan.<rule-id>.urls | global | counter | The number of URLs that the given active scan rule has requested - from 2.11.0 |
| stats.ascan.started | global | counter | The number of times the active scanner has been started - from 2.11.0 |
| stats.ascan.stopped | global | counter | The number of times the active scanner has been stopped (as opposed to finishing) - from 2.11.0 |
| stats.ascan.time | global | counter | The cumulative number of milliseconds that the active scanner has run for - from 2.11.0 |
| stats.ascan.urls | global | counter | The number of URLs the active scanner has requested - from 2.11.0 |
| stats.auth.failure | site | counter | The number of authentication failures |
| stats.auth.state.assumedin | site | counter | The number of messages between successful polls that are assumed to be logged in |
| stats.auth.state.loggedin | site | counter | The number of messages that include the logged-in indicator |
| stats.auth.state.loggedout | site | counter | The number of messages that include the logged-out indicator |
| stats.auth.state.noindicator | site | counter | The number of messages where no logged in or out indicators have been set in the context |
| stats.auth.state.unknown | site | counter | The number of messages which don't contain either logged in or out indicators |
| stats.auth.success | site | counter | The number of authentication successes |
| stats.break.drop | global | counter | The number of times a request or response has been dropped via a break point - from 2.11.0 |
| stats.break.hit | global | counter | The number of times a break point has been hit - from 2.11.0 |
| stats.break.step | global | counter | The number of times a break point has been stepped through - from 2.11.0 |
| stats.code.<response-code> | site | counter | The number of messages which include the given response code |
| stats.contentType.<content-type> | site | counter | The number of messages which include the given content type |
| stats.pscan.<rule-id>.alerts | global | counter | The number of alerts raised by the given scan rule - from 2.11.0 |
| stats.pscan.<rule-id>.time | global | counter | The cumulative number of milliseconds taken to run the given scan rule - from 2.11.0 |
| stats.pscan.<rule-name> | global | counter | The cumulative number of milliseconds taken to run the given scan rule - DEPRECATED - use stats.pscan.<rule-id>.time instead |
| stats.pscan.reqBodyTooBig | global | counter | The number of requests that have not been passively scanned as they exceed the configured max body size to scan |
| stats.pscan.respBodyTooBig | global | counter | The number of responses that have not been passively scanned as they exceed the configured max body size to scan |
| stats.responseTime.<time-slice> | site | counter | The number of messages with response times in milliseconds in the given (logarithmic) time slice (1, 2, 4, 8 etc) |
| stats.script.call.<engine-name>.<type> | global | counter | The number of times the given type of script has been called - from 2.11.0 |
| stats.script.error.<engine-name>.<type> | global | counter | The number of times the given type of script has returned an error - from 2.11.0 |
| stats.spider.started | global | counter | The number of times the spider has been started - from 2.11.0 |
| stats.spider.stopped | global | counter | The number of times the spider has been stopped (as opposed to completing) - from 2.11.0 |
| stats.spider.time | global | counter | The total number of milliseconds the spider has run for across all scans - from 2.11.0 |
| stats.spider.url.error | global | counter | The number of URLs the spider has found but failed to access - from 2.11.0 |
| stats.spider.url.found | global | counter | The number of URLs the spider has found and accessed - from 2.11.0 |
| stats.tag.<tag-name> | site | counter | The number of messages containing the given tag |
| stats.websockets.bytes.incoming | site | counter | The cumulative number of incoming websocket bytes received |
| stats.websockets.bytes.outgoing | site | counter | The cumulative number of outgoing websocket bytes sent |
| stats.websockets.close | site | counter | The number of times a websocket connection was closed |
| stats.websockets.count.incoming | site | counter | The number of incoming websocket messages |
| stats.websockets.count.outgoing | site | counter | The number of outgoing websocket messages |
| stats.websockets.opcode.<opcode> | site | counter | The number of websocket messages by opcode |
| stats.websockets.open | site | counter | The number of times a websocket connection was opened |
| stats.websockets.pscan.<pscanname> | global | counter | The number of times the given rule was run against a message |

The scope can be:

  • global - the stats are maintained for ZAP as a whole
  • site - the stats are maintained on a per site basis

The type can be:

  • counter: an incrementing counter
  • highwatermark: the maximum value seen
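
The two types combine differently when statistics from separate ZAP runs are aggregated, and the templated keys in the table have to be matched against the concrete keys ZAP reports. The sketch below is an added example, not ZAP code: it matches concrete keys to templates, merges snapshots by type, and ranks active scan rules by time. The function names, the idea of merging across runs, and the sample snapshots are assumptions made for illustration.

```python
import re
# Key templates copied from the table above, mapped to their type.
TEMPLATES = {
    "stats.ascan.<rule-id>.alerts": "counter",
    "stats.ascan.<rule-id>.time": "counter",
    "sqldb.<key>.pool": "highwatermark",
}

def compile_template(template):
    """Turn 'a.<name>.b' into a regex with one named group per placeholder."""
    parts = re.split(r"(<[^>]+>)", template)
    return re.compile("".join(
        "(?P<%s>.+?)" % p[1:-1].replace("-", "_") if p.startswith("<")
        else re.escape(p) for p in parts) + r"\Z")

COMPILED = [(compile_template(t), t, kind) for t, kind in TEMPLATES.items()]

def classify(key):
    """Return (template, type, placeholder values) for a concrete key, or None."""
    for rx, template, kind in COMPILED:
        if (m := rx.match(key)):
            return template, kind, m.groupdict()
    return None

def merge(snapshots):
    """Combine snapshots from separate runs: sum counters, keep the highest high-water mark."""
    merged = {}
    for snap in snapshots:
        for key, value in snap.items():
            hit = classify(key)
            if hit and hit[1] == "highwatermark":
                merged[key] = max(merged.get(key, 0), int(value))
            else:  # assumption: keys without a template here are counters
                merged[key] = merged.get(key, 0) + int(value)
    return merged

def time_per_rule(stats):
    """Active scan milliseconds per rule id, slowest first."""
    hits = ((classify(k), int(v)) for k, v in stats.items())
    rows = [(h[2]["rule_id"], v) for h, v in hits
            if h and h[0] == "stats.ascan.<rule-id>.time"]
    return sorted(rows, key=lambda r: -r[1])

# Constructed sample snapshots (rule ids, sqldb key and values are made up).
RUN_A = {"stats.ascan.40012.time": "1200", "stats.ascan.40018.time": "5300",
         "stats.ascan.time": "6500", "sqldb.history.read.pool": "3"}
RUN_B = {"stats.ascan.40012.time": "800", "sqldb.history.read.pool": "2"}
if __name__ == "__main__":
    print(time_per_rule(merge([RUN_A, RUN_B])))
```

Note that `stats.ascan.time` does not match the `stats.ascan.<rule-id>.time` template, so the scanner-wide total is kept apart from the per-rule values.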