Zap
The ZAP Fuzzer
Fuzzing essentially means sending large volumes of data at a system and monitoring how it responds. The data can be invalid, random, or a list of specific values that you choose. A password wordlist is one such list, which is why the ZAP fuzzer doubles as a brute-force tool for login forms.
To use the ZAP fuzzer, first set up ZAP as the intercepting proxy so that browser traffic passes through it. Log in to the web application with a valid username (the account you are authorised to test) and a deliberately wrong placeholder password such as ‘changeMe’, so that a login request is captured. In the ZAP interface, find the login POST request in the History tab, right-click it, and select ‘Attack’ → ‘Fuzz’.
This brings up the ‘Fuzzer’ window, which shows the POST request together with the body of the message that was sent. Highlight the value of the parameter you wish to fuzz – in this case the password, so ‘changeMe’ is highlighted – and then click ‘Add’ at the top right of the window.
This opens a ‘Payloads’ window. Click ‘Add’ again to open the ‘Add Payload’ window.
With the payload type set to ‘File’, click ‘Select…’ next to the file input and navigate to ‘/usr/share/wordlists’ (the wordlist directory on Kali Linux) to choose a wordlist. There are many wordlists to choose from; a small, targeted list is usually a better first attempt than the largest one available, since every entry costs one request against the target.
Upon clicking ‘Open’ you are returned to the ‘Add Payload’ window, where the ‘Payloads Preview’ should now list the passwords from the wordlist.
Click ‘Add’ to return to the ‘Payloads’ window, then click ‘OK’ to return to the ‘Fuzzer’ window.
The ‘Fuzz Locations’ list now contains one entry: the highlighted password parameter, with the wordlist you just provided as its payload source. Before starting, check whether the target enforces account lockout or rate limiting; a long wordlist sent at full speed against an account that locks after a few failures produces nothing useful. The fuzzer’s options let you lower the number of concurrent threads and add a delay between requests. Click ‘Start Fuzzer’ to begin the brute-force attack.
The Results
When reviewing the results from the ZAP fuzzer, the key columns are the HTTP response code (‘Code’) and the size of the response body (‘Size Resp. Body’).
Sorting by either column lets you quickly spot anomalous results. Almost every attempt will return the same ‘incorrect password’ page, so the failures share one code and one body size. If the brute-force attack succeeded, the one result that differs is the one you want: it did not receive the standard error, which makes a successful login likely. Many applications respond to a successful login with a redirect, so look for a 302 with a small body among the 200s. The associated payload is shown in the ‘Payloads’ column at the far right of the fuzzer output. Treat it as a candidate rather than a certainty: an anomaly can also be a lockout or rate-limiting response (a 429, or a ‘too many attempts’ page), so confirm the password by logging in manually, or by opening that result and inspecting the full response.
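The same procedure and result analysis as a script, added here as an example that is not part of the original page and not ZAP’s own code. It does what the fuzzer does to the captured POST request: substitutes each wordlist entry into the password parameter, records the response code and body size per attempt, then singles out the response that does not match the common ‘incorrect password’ signature, and stops early if the server signals lockout. The login endpoint is a constructed in-memory mock; its behaviour (200 with the re-rendered login page on failure, 302 with a short body on success), its valid credential and the wordlist are all assumptions for illustration.

```python
"""Brute-force a login form from a wordlist and flag anomalous responses.

Added example, not from the ZAP tutorial. The target is a constructed mock;
the field names, the mock's behaviour and the wordlist are assumptions.
"""
from collections import Counter

# Constructed wordlist standing in for a file under /usr/share/wordlists.
WORDLIST = ["123456", "password", "letmein", "changeMe", "hunter2", "admin", "qwerty"]

# Constructed mock of the login endpoint. Like many real applications it
# returns the login page again (HTTP 200, long body) on failure and a
# redirect (HTTP 302, short body) on success. The valid credential is an
# assumption of the mock, not something the page states.
VALID = {"alice": "hunter2"}


def mock_login(username, password):
    """Return (status_code, body) as an HTTP client would see it."""
    if VALID.get(username) == password:
        return 302, "Redirecting to /home"
    return 200, ("<html><body><form>"
                 "<p>Incorrect username or password</p>"
                 "...full login page re-rendered here..."
                 "</form></body></html>")


def fuzz_password(send, username, wordlist, lockout_codes=(423, 429)):
    """Send one login attempt per wordlist entry and record the same two
    attributes the fuzzer shows as 'Code' and 'Size Resp. Body'.

    Stops as soon as the server answers with a lockout or rate-limiting code,
    because every later result would be meaningless."""
    results = []
    for candidate in wordlist:
        code, body = send(username, candidate)
        if code in lockout_codes:
            raise RuntimeError(f"stopped: server returned {code} on {candidate!r}")
        results.append({"payload": candidate, "code": code, "size": len(body)})
    return results


def find_anomalies(results):
    """Group results by (code, size). The most frequent signature is the
    standard failure response; any payload whose response differs from it
    is a candidate to verify by hand as a possible successful login."""
    if not results:
        return []
    counts = Counter((r["code"], r["size"]) for r in results)
    baseline, _ = counts.most_common(1)[0]
    return [r["payload"] for r in results if (r["code"], r["size"]) != baseline]


if __name__ == "__main__":
    res = fuzz_password(mock_login, "alice", WORDLIST)
    # Sort the way you would sort the fuzzer table: by code, then body size.
    for r in sorted(res, key=lambda r: (r["code"], r["size"])):
        print(f"{r['code']:>4} {r['size']:>6}  {r['payload']}")
    print("candidates to verify:", find_anomalies(res))
```

To use this against a lab target, replace `mock_login` with a sender that issues the real POST (with redirects disabled, so a 302 is recorded rather than followed) and returns the status code and body; the analysis in `find_anomalies` is unchanged. If several payloads come back as anomalies, the target is probably rate limiting or otherwise unstable, and the run should be repeated more slowly rather than trusted.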