📄 zaproxy/internal-statistics

File: internal-statistics.md | Updated: 11/18/2025

Source: https://www.zaproxy.org/docs/internal-statistics/

ZAP Internal Statistics

ZAP maintains internal statistics which can be accessed via the API.

| Key / Link | Scope | Type | Description |
| --- | --- | --- | --- |
| automation.spider.urls.added | global | counter | The number of URLs added by the standard spider running in the automation framework |
| domxss.attack.<vector> | global | counter | The number of times the given DOM XSS attack vector was used |
| domxss.gets.count | global | counter | The number of GET requests made by the DOM XSS scan rule |
| domxss.scan.count | global | counter | The number of times the DOM XSS rule was run against a target URL |
| domxss.vulns.div1 | global | counter | The number of DOM XSS vulnerabilities found when retrieving div elements |
| domxss.vulns.div2 | global | counter | The number of DOM XSS vulnerabilities found when accessing div elements |
| domxss.vulns.get1 | global | counter | The number of DOM XSS vulnerabilities found using the first GET request |
| domxss.vulns.get2 | global | counter | The number of DOM XSS vulnerabilities found using the second GET request |
| domxss.vulns.input1 | global | counter | The number of DOM XSS vulnerabilities found when retrieving input elements |
| domxss.vulns.possibleDomXSSTriggers2 | global | counter | The number of DOM XSS vulnerabilities found using possibleDomXSSTriggers2 |
| domxss.vulns.possibleDomXSSTriggers3 | global | counter | The number of DOM XSS vulnerabilities found using possibleDomXSSTriggers3 |
| openapi.urls.added | global | counter | The number of URLs added by importing an OpenAPI definition |
| soap.urls.added | global | counter | The number of URLs added by importing a SOAP definition |
| spiderAjax.urls.added | global | counter | The number of URLs found by the ajax spider |
| sqldb.<key>.calls | global | counter | The number of times the SQL statement with the given key has been called |
| sqldb.<key>.pool | global | highwatermark | The highest number of prepared statements in the pool for the given key |
| sqldb.<key>.time | global | counter | The cumulative number of milliseconds taken by the corresponding SQL statements |
| sqldb.conn.closed | global | counter | The number of times the ZAP db has been closed |
| sqldb.conn.openned | global | counter | The number of times the ZAP db has been opened |
| stats.acsrf.<token-name> | site | counter | The number of times the given token is present in an HTTP response |
| stats.alertFilter.<rule-id>.risk.<risk> | site | counter | The number of times the given rule has been changed to the given risk by an alert filter |
| stats.api.call.<format>.<component>.<request-type>.<name> | global | counter | The number of times the given API endpoint has been called - from 2.11.0 |
| stats.api.error.<format>.<component>.<request-type>.<name> | global | counter | The number of times the given API endpoint has returned an error - from 2.11.0 |
| stats.ascan.<rule-id>.alerts | global | counter | The number of alerts the given active scan rule has raised - from 2.11.0 |
| stats.ascan.<rule-id>.skipped | global | counter | The number of times the given active scan rule has been skipped - from 2.11.0 |
| stats.ascan.<rule-id>.started | global | counter | The number of times the given active scan rule has been started - from 2.11.0 |
| stats.ascan.<rule-id>.time | global | counter | The cumulative number of milliseconds that the given active scan rule has run for - from 2.11.0 |
| stats.ascan.<rule-id>.urls | global | counter | The number of URLs that the given active scan rule has requested - from 2.11.0 |
| stats.ascan.started | global | counter | The number of times the active scanner has been started - from 2.11.0 |
| stats.ascan.stopped | global | counter | The number of times the active scanner has been stopped (as opposed to finishing) - from 2.11.0 |
| stats.ascan.time | global | counter | The cumulative number of milliseconds that the active scanner has run for - from 2.11.0 |
| stats.ascan.urls | global | counter | The number of URLs the active scanner has requested - from 2.11.0 |
| stats.auth.browser.nopasswordfield | global | counter | The number of times Browser Based Authentication failed to find a password field |
| stats.auth.browser.nouserfield | global | counter | The number of times Browser Based Authentication failed to find a username field |
| stats.auth.configure.auth.error | global | counter | The number of errors when automatically configuring context authentication |
| stats.auth.configure.auth.form | global | counter | The number of contexts automatically configured for form-based authentication |
| stats.auth.configure.auth.json | global | counter | The number of contexts automatically configured for JSON-based authentication |
| stats.auth.configure.session.header | global | counter | The number of contexts automatically configured for header based session management |
| stats.auth.configure.verification | global | counter | The number of contexts automatically configured for verification |
| stats.auth.detect.auth.form | global | counter | The number of form-based authentication requests identified |
| stats.auth.detect.auth.json | global | counter | The number of JSON-based authentication requests identified |
| stats.auth.detect.register | global | counter | The number of registration requests identified |
| stats.auth.detect.session.<token-key> | global | counter | The number of times a session has been detected with the token-key |
| stats.auth.failure | site | counter | The number of authentication failures |
| stats.auth.session.set.header | global | counter | The number of times a message has been processed to add an authentication header |
| stats.auth.sessiontoken.<session-token> | site | counter | The number of times the specified session token has been identified |
| stats.auth.state.assumedin | site | counter | The number of messages between successful polls that are assumed to be logged in |
| stats.auth.state.loggedin | site | counter | The number of messages that include the logged-in indicator |
| stats.auth.state.loggedout | site | counter | The number of messages that include the logged-out indicator |
| stats.auth.state.noindicator | site | counter | The number of messages where no logged in or out indicators have been set in the context |
| stats.auth.state.unknown | site | counter | The number of messages which don't contain either logged in or out indicators |
| stats.auth.success | site | counter | The number of authentication successes |
| stats.auto.errors | global | counter | The number of automation errors reported |
| stats.auto.job.<job-type>.run | global | counter | The number of times the given automation job type has been run |
| stats.auto.jobs.run | global | counter | The number of automation jobs run |
| stats.auto.plans.run | global | counter | The number of automation plans run |
| stats.auto.warnings | global | counter | The number of automation warnings reported |
| stats.break.drop | global | counter | The number of times a request or response has been dropped via a break point - from 2.11.0 |
| stats.break.hit | global | counter | The number of times a break point has been hit - from 2.11.0 |
| stats.break.step | global | counter | The number of times a break point has been stepped through - from 2.11.0 |
| stats.code.<response-code> | site | counter | The number of messages which include the given response code |
| stats.contentType.<content-type> | site | counter | The number of messages which include the given content type |
| stats.error.core.uncaught | global | counter | The number of uncaught exceptions |
| stats.exim.copy.url | global | counter | The number of URLs copied |
| stats.exim.import.har.file | global | counter | The number of HAR files imported |
| stats.exim.import.har.file.errors | global | counter | The number of errors when importing a HAR file |
| stats.exim.import.har.file.message | global | counter | The number of HAR messages imported via a file |
| stats.exim.import.har.file.message.errors | global | counter | The number of errors when importing a message via a HAR file |
| stats.exim.import.modsec2.file | global | counter | The number of ModSecurity v2 files imported |
| stats.exim.import.modsec2.file.errors | global | counter | The number of errors when importing a ModSecurity v2 file |
| stats.exim.import.modsec2.file.message | global | counter | The number of ModSecurity v2 messages imported via a file |
| stats.exim.import.url.file | global | counter | The number of URL files imported |
| stats.exim.import.url.file.errors | global | counter | The number of errors when importing a URL file |
| stats.exim.import.url.file.message | global | counter | The number of URLs imported via a file |
| stats.exim.import.zap.file | global | counter | The number of ZAP files imported |
| stats.exim.import.zap.file.errors | global | counter | The number of errors when importing a ZAP file |
| stats.exim.import.zap.file.message | global | counter | The number of ModSecurity v2 messages imported via a file |
| stats.exim.save.har.file | global | counter | The number of HAR Files saved |
| stats.exim.save.har.file.errors | global | counter | The number of errors when saving a HAR file |
| stats.exim.save.har.file.message | global | counter | The number of HAR messages saved to a file |
| stats.exim.save.raw.file.msg | global | counter | The number of messages saved as raw files |
| stats.exim.save.raw.file.msg.errors | global | counter | The number of errors when saving messages as raw files |
| stats.exim.save.xml.file.msg | global | counter | The number of messages saved as XML files |
| stats.exim.save.xml.file.msg.errors | global | counter | The number of errors when saving messages as XML files |
| stats.formhandler.add | global | counter | The number of Value Generator field configurations added |
| stats.formhandler.add.<name> | global | counter | The number of Value Generator field configurations added (by name) |
| stats.formhandler.modify | global | counter | The number of Value Generator field configurations modified |
| stats.formhandler.modify.<name> | global | counter | The number of Value Generator field configurations modified (by name) |
| stats.formhandler.remove | global | counter | The number of Value Generator field configurations removed |
| stats.formhandler.remove.<name> | global | counter | The number of Value Generator field configurations removed (by name) |
| stats.fuzz.<message-type>.started | global | counter | The number of fuzzers started by message type |
| stats.fuzz.HTTP.message.processors.error | global | counter | The number of fuzzer HTTP message processor errors |
| stats.fuzz.HTTP.message.processors.run | global | counter | The number of fuzzer HTTP message processors run |
| stats.fuzz.messages.edited | global | counter | The number of fuzz messages edited |
| stats.fuzz.messages.sent | global | counter | The number of fuzz messages sent |
| stats.fuzz.payload.processors.error | global | counter | The number of fuzzer payload processor errors |
| stats.fuzz.payload.processors.run | global | counter | The number of fuzzer payload processors run |
| stats.log.error | global | counter | The number of logged errors |
| stats.log.error.<logger-name> | global | counter | The number of logged errors for the specific logger |
| stats.log.fatal | global | counter | The number of logged fatals |
| stats.log.fatal.<logger-name> | global | counter | The number of logged fatals for the specific logger |
| stats.log.warn | global | counter | The number of logged warns |
| stats.log.warn.<logger-name> | global | counter | The number of logged warns for the specific logger |
| stats.network.send.failure | global | counter | The number of times ZAP has failed to send an HTTP request |
| stats.network.send.success | global | counter | The number of times ZAP has successfully sent an HTTP request |
| stats.oast.boast.interactions | global | counter | The number of BOAST interactions |
| stats.oast.boast.payloadsGenerated | global | counter | The number of BOAST payloads generated |
| stats.oast.callback.interactions | global | counter | The number of callback interactions |
| stats.oast.callback.payloadsGenerated | global | counter | The number of callback payloads generated |
| stats.oast.interactsh.interactions | global | counter | The number of Interactsh interactions |
| stats.oast.interactsh.payloadsGenerated | global | counter | The number of Interactsh payloads generated |
| stats.pscan.<rule-id>.alerts | global | counter | The number of alerts raised by the given scan rule - from 2.11.0 |
| stats.pscan.<rule-id>.time | global | counter | The cumulative number of milliseconds taken to run the given scan rule - from 2.11.0 |
| stats.pscan.<rule-name> | global | counter | The cumulative number of milliseconds taken to run the given passive scanner, for scan rules use stats.pscan.<rule-id>.time |
| stats.pscan.recordsToScan | global | highwatermark | The highest message count queued to passive scan |
| stats.pscan.reqBodyTooBig | global | counter | The number of requests that have not been passively scanned as they exceed the configured max body size to scan |
| stats.pscan.respBodyTooBig | global | counter | The number of responses that have not been passively scanned as they exceed the configured max body size to scan |
| stats.quickstart.news.<news-id> | global | counter | The number of times the given news item has been clicked on |
| stats.reports.error.<template-name> | global | counter | The number of errors by template name |
| stats.reports.generated.<template-name> | global | counter | The number of reports generated by template name |
| stats.reports.nofile.<template-name> | global | counter | The number of File Not Found errors by template name |
| stats.responseTime.<time-slice> | site | counter | The number of messages with response times in milliseconds in the given (logarithmic) time slice (1, 2, 4, 8 etc) |
| stats.script.call.<engine-name>.<type> | global | counter | The number of times the given type of script has been called - from 2.11.0 |
| stats.script.error.<engine-name>.<type> | global | counter | The number of times the given type of script has returned an error - from 2.11.0 |
| stats.selenium.launch.<browser-id> | global | counter | The number of times the given browser has been launched |
| stats.selenium.launch.<requester-id>.<browser-id> | global | counter | The number of times the given browser has been successfully launched for the requester |
| stats.selenium.launch.<requester-id>.<browser-id>.failure | global | counter | The number of times the given browser has failed to launch for the requester |
| stats.spider.started | global | counter | The number of times the spider has been started - from 2.11.0 |
| stats.spider.stopped | global | counter | The number of times the spider has been stopped (as opposed to completing) - from 2.11.0 |
| stats.spider.time | global | counter | The total number of milliseconds the spider has run for across all scans - from 2.11.0 |
| stats.spider.url.error | global | counter | The number of URLs the spider has found but failed to access - from 2.11.0 |
| stats.spider.url.found | global | counter | The number of URLs the spider has found and accessed - from 2.11.0 |
| stats.tag.<tag-name> | site | counter | The number of messages containing the given tag |
| stats.tech.reqcount.id | site | highwatermark | The highest request count that successfully identified a new technology for the site |
| stats.tech.reqcount.total | site | highwatermark | The total number of requests analysed to detect technology for the site |
| stats.websockets.bytes.incoming | site | counter | The cumulative number of incoming websocket bytes received |
| stats.websockets.bytes.outgoing | site | counter | The cumulative number of outgoing websocket bytes sent |
| stats.websockets.close | site | counter | The number of times a websocket connection was closed |
| stats.websockets.count.incoming | site | counter | The number of incoming websocket messages |
| stats.websockets.count.outgoing | site | counter | The number of outgoing websocket messages |
| stats.websockets.opcode.<opcode> | site | counter | The number of websocket messages by opcode |
| stats.websockets.open | site | counter | The number of times a websocket connection was opened |
| stats.websockets.pscan.<pscanname> | global | counter | The number of times the given rule was run against a message |


The scope can be:

  • global - the stats are maintained for ZAP as a whole
  • site - the stats are maintained on a per site basis

The type can be:

  • counter: an incrementing counter
  • highwatermark: the maximum value seen
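
The scope and type distinctions matter when comparing two readings of the statistics, for example before and after a scan in a pipeline: counters can be differenced, highwatermarks cannot. The following is an added example, not code from the ZAP project. It assumes the snapshots have already been retrieved through the API and flattened into key-to-integer dictionaries (one global, one per site); the function names, the 10% failure threshold, the choice of keys treated as coverage warnings and the sample values are all assumptions made for illustration.

```python
import re
# Keys the table lists with type "highwatermark"; every other key is a counter.
HIGHWATERMARK = re.compile(
    r"^(sqldb\..+\.pool|stats\.pscan\.recordsToScan|stats\.tech\.reqcount\.(id|total))$")

def stat_type(key):
    return "highwatermark" if HIGHWATERMARK.match(key) else "counter"

def interval(before, after):
    """Activity between two snapshots of one scope (global, or a single site)."""
    out = {}
    for key, value in after.items():
        if stat_type(key) == "highwatermark":
            out[key] = value  # a maximum seen so far: differencing is meaningless
        else:
            out[key] = value - before.get(key, 0)  # counters only increment
    return out

def scan_health(global_delta, site_deltas, max_fail_ratio=0.1):
    """Findings that suggest reduced coverage (threshold is an assumption)."""
    findings = []
    sent = global_delta.get("stats.network.send.success", 0)
    failed = global_delta.get("stats.network.send.failure", 0)
    if failed and failed >= max_fail_ratio * (sent + failed):
        findings.append(f"global: {failed} of {sent + failed} requests failed to send")
    for key in ("stats.pscan.reqBodyTooBig", "stats.pscan.respBodyTooBig"):
        if global_delta.get(key, 0):
            findings.append(f"global: {key} = {global_delta[key]}, bodies not passively scanned")
    for site, d in sorted(site_deltas.items()):
        ok, bad = d.get("stats.auth.success", 0), d.get("stats.auth.failure", 0)
        if bad > ok:
            findings.append(f"{site}: {bad} auth failures vs {ok} successes")
        if d.get("stats.auth.state.loggedout", 0) > d.get("stats.auth.state.loggedin", 0):
            findings.append(f"{site}: more logged-out than logged-in messages")
    return findings

# Constructed sample snapshots (not real ZAP output); app.example is a placeholder.
GLOBAL_BEFORE = {"stats.network.send.success": 100, "stats.network.send.failure": 2,
                 "stats.pscan.recordsToScan": 40}
GLOBAL_AFTER = {"stats.network.send.success": 900, "stats.network.send.failure": 202,
                "stats.pscan.recordsToScan": 55, "stats.pscan.respBodyTooBig": 3}
SITES_BEFORE = {"https://app.example": {"stats.auth.success": 1}}
SITES_AFTER = {"https://app.example": {"stats.auth.success": 2, "stats.auth.failure": 9,
               "stats.auth.state.loggedin": 12, "stats.auth.state.loggedout": 310}}

def run_example():
    g = interval(GLOBAL_BEFORE, GLOBAL_AFTER)
    s = {k: interval(SITES_BEFORE.get(k, {}), v) for k, v in SITES_AFTER.items()}
    return g, scan_health(g, s)
```

A scan that reports no alerts while these findings are present may simply not have reached the authenticated parts of the application.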