ZAP Internal Statistics

ZAP maintains internal statistics which can be accessed via the API.

Key / Link Scope Type Description
automation.spider.urls.added global counter The number of URLs added by the standard spider running in the automation framework
domxss.attack.<vector> global counter The number of times the given DOM XSS attack vector was used
domxss.gets.count global counter The number of GET requests made by the DOM XSS scan rule
domxss.scan.count global counter The number of times the DOM XSS rule was run against a target URL
domxss.vulns.div1 global counter The number of DOM XSS vulnerabilities found when retrieving div elements
domxss.vulns.div2 global counter The number of DOM XSS vulnerabilities found when accessing div elements
domxss.vulns.get1 global counter The number of DOM XSS vulnerabilities found using the first GET request
domxss.vulns.get2 global counter The number of DOM XSS vulnerabilities found using the first second GET request
domxss.vulns.input1 global counter The number of DOM XSS vulnerabilities found when retrieving input elements
domxss.vulns.possibleDomXSSTriggers2 global counter The number of DOM XSS vulnerabilities found using possibleDomXSSTriggers2
domxss.vulns.possibleDomXSSTriggers3 global counter The number of DOM XSS vulnerabilities found using possibleDomXSSTriggers3
openapi.urls.added global counter The number of URLs added by importing an OpenAPI definition
soap.urls.added global counter The number of URLs added by importing a SOAP definition
spiderAjax.urls.added global counter The number of URLs found by the ajax spider
sqldb.<key>.calls global counter The number of times the SQL statement with the given key has been called
sqldb.<key>.pool global highwatermark The highest number of prepared statements in the pool for the given key
sqldb.<key>.time global counter The cumulative number of milliseconds taken by the corresponding SQL statements
sqldb.conn.closed global counter The number of times the ZAP db has been closed
sqldb.conn.openned global counter The number of times the ZAP db has been opened
stats.acsrf.<token-name> site counter The number of times the given token is present in an HTTP response
stats.alertFilter.<rule-id>.risk.<risk> site counter The number of times the given rule has been changed to the given risk by an alert filter
stats.api.call.<format>.<component>.<request-type>.<name> global counter The number of times the given API endpoint has been called - from 2.11.0
stats.api.error.<format>.<component>.<request-type>.<name> global counter The number of times the given API endpoint has returned an error - from 2.11.0
stats.ascan.<rule-id>.alerts global counter The number of alerts the given active scan rule has raised - from 2.11.0
stats.ascan.<rule-id>.skipped global counter The number of alerts the given active scan rule has been skipped - from 2.11.0
stats.ascan.<rule-id>.started global counter The number of alerts the given active scan rule has been started - from 2.11.0
stats.ascan.<rule-id>.time global counter The cumulative number of milliseconds that the given active scan rule has run for - from 2.11.0
stats.ascan.<rule-id>.urls global counter The number of URLs that the given active scan rule has requested - from 2.11.0
stats.ascan.started global counter The number of times the active scanner has been started - from 2.11.0
stats.ascan.stopped global counter The number of times the active scanner has been stopped (as opposed to finishing) - from 2.11.0
stats.ascan.time global counter The cumulative number of milliseconds that active scanner has run for - from 2.11.0
stats.ascan.urls global counter The number of URLs the active scanner has requested - from 2.11.0
stats.auth.browser.nopasswordfield global counter The number of times Browser Based Authentication failed to find a password field
stats.auth.browser.nouserfield global counter The number of times Browser Based Authentication failed to find a username field
stats.auth.configure.auth.error global counter The number of errors when automatically configuring context authentication
stats.auth.configure.auth.form global counter The number of contexts automatically configured for form-based authentication
stats.auth.configure.auth.json global counter The number of contexts automatically configured for JSON-based authentication
stats.auth.configure.session.header global counter The number of contexts automatically configured header based session management
stats.auth.configure.verification global counter The number of contexts automatically configured for verification
stats.auth.detect.auth.form global counter The number of form-based authentication requests identified
stats.auth.detect.auth.json global counter The number of JSON-based authentication requests identified
stats.auth.detect.register global counter The number of registration requests identified
stats.auth.detect.session.<token-key> global counter The number of times a session has been detected with the token-key
stats.auth.failure site counter The number of authentication failures
stats.auth.session.set.header global counter The number of times a message has been processed to add an authentication header
stats.auth.sessiontoken.<session-token> site counter The number of times the specified session token has been identified
stats.auth.state.assumedin site counter The number of messages between successful polls that are assumed to be logged in
stats.auth.state.loggedin site counter The number of messages that include the logged-in indicator
stats.auth.state.loggedout site counter The number of messages that include the logged-out indicator
stats.auth.state.noindicator site counter The number of messages where no logged in or out indicators have been set in the context
stats.auth.state.unknown site counter The number of messages which don't contain either logged in or out indicators
stats.auth.success site counter The number of authentication successes
stats.auto.errors global counter The number of automation errors reported
stats.auto.job.<job-type>.run global counter The number of times the given automation job type has been run
stats.auto.jobs.run global counter The number of automation jobs run
stats.auto.plans.run global counter The number of automation plans run
stats.auto.warnings global counter The number of automation warnings reported
stats.break.drop global counter The number of times a request or response has been dropped via a break point - from 2.11.0
stats.break.hit global counter The number of times a break point has been hit - from 2.11.0
stats.break.step global counter The number of times a break point has been stepped through - from 2.11.0
stats.code.<response-code> site counter The number of messages which include the given response code
stats.contentType.<content-type> site counter The number of messages which include the given content type
stats.exim.copy.url global counter The number of URLs copied
stats.exim.import.har.file global counter The number of HAR files imported
stats.exim.import.har.file.errors global counter The number of errors when importing a HAR file
stats.exim.import.har.file.message global counter The number of HAR messages imported via a file
stats.exim.import.har.file.message.errors global counter The number of errors when importing a message via a HAR file
stats.exim.import.modsec2.file global counter The number of ModSecurity v2 files imported
stats.exim.import.modsec2.file.errors global counter The number of errors when importing a ModSecurity v2 file
stats.exim.import.modsec2.file.message global counter The number of ModSecurity v2 messages imported via a file
stats.exim.import.url.file global counter The number of URL files imported
stats.exim.import.url.file.errors global counter The number of errors when importing a URL file
stats.exim.import.url.file.message global counter The number of URLs imported via a file
stats.exim.import.zap.file global counter The number of ZAP files imported
stats.exim.import.zap.file.errors global counter The number of errors when importing a ZAP file
stats.exim.import.zap.file.message global counter The number of ModSecurity v2 messages imported via a file
stats.exim.save.har.file global counter The number of HAR Files saved
stats.exim.save.har.file.errors global counter The number of errors when saving a HAR file
stats.exim.save.har.file.message global counter The number of HAR messages saves to a files
stats.exim.save.raw.file.msg global counter The number of messages saved as raw files
stats.exim.save.raw.file.msg.errors global counter The number of errors when saving messages as raw files
stats.exim.save.xml.file.msg global counter The number of messages saved as XML files
stats.exim.save.xml.file.msg.errors global counter The number of errors when saving messages as XML files
stats.fuzz.<message-type>.started global counter The number of fuzzers started by message type
stats.fuzz.HTTP.message.processors.error global counter The number of fuzzer HTTP message processor errors
stats.fuzz.HTTP.message.processors.run global counter The number of fuzzer HTTP message processors run
stats.fuzz.messages.edited global counter The number of fuzz messages edited
stats.fuzz.messages.sent global counter The number of fuzz messages sent
stats.fuzz.payload.processors.error global counter The number of fuzzer payload processor errors
stats.fuzz.payload.processors.run global counter The number of fuzzer payload processors run
stats.network.send.failure global counter The number of times ZAP has failed to send an HTTP request
stats.network.send.success global counter The number of times ZAP has sucessfully sent an HTTP request
stats.oast.boast.interactions global counter The number of BOAST interactions
stats.oast.boast.payloadsGenerated global counter The number of BOAST payloads generated
stats.oast.callback.interactions global counter The number of callback interactions
stats.oast.callback.payloadsGenerated global counter The number of callback payloads generated
stats.oast.interactsh.interactions global counter The number of Interactsh interactions
stats.oast.interactsh.payloadsGenerated global counter The number of Interactsh payloads generated
stats.pscan.<rule-id>.alerts global counter The number of alerts raised by the given scan rule - from 2.11.0
stats.pscan.<rule-id>.time global counter The cumulative number of milliseconds taken to run the given scan rule - from 2.11.0
stats.pscan.<rule-name> global counter The cumulative number of milliseconds taken to run the given scan rule - DEPRECATED - use stats.pscan.<rule-id>.time instead
stats.pscan.reqBodyTooBig global counter The number of requests that have not been passively scanned as they exceed the configured max body size to scan
stats.pscan.respBodyTooBig global counter The number of responses that have not been passively scanned as they exceed the configured max body size to scan
stats.quickstart.news.<news-id> global counter The number of times the given news item has been clicked on
stats.reports.error.<template-name> global counter The number of errors by template name
stats.reports.generated.<template-name> global counter The number of reports generated by template name
stats.reports.nofile.<template-name> global counter The number of File Not Found errors by template name
stats.responseTime.<time-slice> site counter The number of messages with response times in milliseconds the given (logarithmic) time slice (1, 2, 4, 8 etc)
stats.script.call.<engine-name>.<type> global counter The number of times the given type of script has been called - from 2.11.0
stats.script.error.<engine-name>.<type> global counter The number of times the given type of script has been returned an error - from 2.11.0
stats.selenium.launch.<browser-id> global counter The number of time the given browser has been launched
stats.selenium.launch.<requester-id>.<browser-id> global counter The number of times the given browser has been successfully launched for the requester
stats.selenium.launch.<requester-id>.<browser-id>.failure global counter The number of times the given browser has failed to launch for the requester
stats.spider.started global counter The number of times the spider has been started - from 2.11.0
stats.spider.stopped global counter The number of times the spider has been stopped (as opposed to completing) - from 2.11.0
stats.spider.time global counter The total number of milliseconds the spider has run for across all scans - from 2.11.0
stats.spider.url.error global counter The number of URLs the spider has found but failed to access - from 2.11.0
stats.spider.url.found global counter The number of URLs the spider has found and accessed - from 2.11.0
stats.tag.<tag-name> site counter The number of messages containing the given tag
stats.tech.reqcount.id site highwatermark The highest request count the successfully identified a new technology for the site
stats.tech.reqcount.total site highwatermark The total number of requests analysed to detect technology for the site
stats.websockets.bytes.incoming site counter The cumulative number of incoming websocket bytes received
stats.websockets.bytes.outgoing site counter The cumulative number of outgoing websocket bytes sent
stats.websockets.close site counter The number of times a websocket connection was closed
stats.websockets.count.incoming site counter The number of incoming websocket messages
stats.websockets.count.outgoing site counter The number of outgoing websocket messages
stats.websockets.opcode.<opcode> site counter The number of websocket messages by opcode
stats.websockets.open site counter The number of times a websocket connection was opened
stats.websockets.pscan.<pscanname> global counter The number of times the given rule was run against a message

The scope can be:

  • global - the stats are maintained for ZAP as a whole
  • site - the stats are maintained on a per site basis

The type can be:

  • counter: an incrementing counter
  • highwatermark: the maximum value seen