Zap
The ZAP Fuzzer
Fuzzing essentially means throwing lots of data at a system and monitoring the response. The data can be invalid, random, or a list of specific values that you choose.
To use the ZAP fuzzer, first set up ZAP as the intercepting proxy. Try logging in to the web app with a valid username (username for the account you wish to exploit) and any password. Using the ZAP interface, find the login POST request, right-click it, and then select "Attack" → "Fuzz".

This will bring up the "Fuzzer" window, which will display the POST request and the body of the message sent. Highlight the parameter you wish to fuzz (in this case the password, so "changeMe" is highlighted) and then select "Add" in the top-right of the window.

This will bring up a "Payloads" window. Click "Add" again to open the "Add Payload" window.
In the "File" input field, click "Select…" and navigate to "/usr/share/wordlists" to select a wordlist. It should be noted that there are many wordlists to choose from.

Upon clicking "Open" you should be returned to the "Add Payload" window, where the "Payloads Preview" should now be populated with the wordlist passwords.
Click "Add", which will return you to the "Payloads" window, and then click "OK" to return to the "Fuzzer" window.

You will note that the "Fuzz Locations" input field now contains an item, which is the wordlist just provided to it. Click "Start Fuzzer" to begin the brute-force attack.
The Results
When looking at the results from the ZAP fuzzer, the key attributes to consider are the response code returned, "Code", and the size of the response body, "Size Resp. Body".

You can order by the size of the response or the code, which allows you to quickly discover anomalous results. If the brute-force attack was successful, it is this anomalous result that you want to identify: the difference suggests that the request did not receive the standard "incorrect password" error, making it likely that this result was a successful login. You can then assume that the associated payload, which can be seen in the "Payloads" attribute in the rightmost column of the fuzzer output, is the correct password for the user.
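The same signal is visible from the defender's side: a client that sends many POSTs to the login endpoint and gets a run of identical "incorrect password" responses, then one response whose code or size differs. As an added example (not code from the original page or from ZAP), the Python script below reads constructed access-log lines and flags such a client. The log format, the `/login` path and the `min_attempts` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (common log format) for this example.
# 10.0.0.5 hammers POST /login: the failures all return the same 200 page of
# identical size, and one attempt returns a 302 redirect with a different size.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /login HTTP/1.1" 200 1534
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /login HTTP/1.1" 200 1534
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "POST /login HTTP/1.1" 200 1534
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "POST /login HTTP/1.1" 200 1534
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "POST /login HTTP/1.1" 302 412
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "POST /login HTTP/1.1" 200 1534
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse(lines):
    """Yield (ip, method, path, status, size) for each well-formed log line."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            size = 0 if m["size"] == "-" else int(m["size"])
            yield m["ip"], m["method"], m["path"], int(m["status"]), size

def detect_bruteforce(lines, login_path="/login", min_attempts=3):
    """Map each client with >= min_attempts login POSTs to its attempt count,
    its baseline (most common (status, size) pair, i.e. the repeated failure
    response) and the outliers whose status or size differs from it."""
    per_ip = defaultdict(list)
    for ip, method, path, status, size in parse(lines):
        if method == "POST" and path == login_path:
            per_ip[ip].append((status, size))
    findings = {}
    for ip, responses in per_ip.items():
        if len(responses) < min_attempts:
            continue
        baseline = max(set(responses), key=responses.count)
        outliers = [r for r in responses if r != baseline]
        findings[ip] = {"attempts": len(responses), "baseline": baseline, "outliers": outliers}
    return findings

if __name__ == "__main__":
    for ip, f in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {f['attempts']} login POSTs, baseline {f['baseline']}, outliers {f['outliers']}")
```

Pair this with rate limiting on the login endpoint and with failure responses that are identical in code and size, so that the size-based sorting described above has nothing to distinguish.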