Sameera De Silva
Feb 18, 2021

How to use Fuzzing feature in OWASP ZAP 2.9.0

First of all, let me mention the Wikipedia definition of fuzzing.

Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks.

In this demo, I use https://bodgeit.herokuapp.com/login.jsp and try to log in with invalid credentials.

This is a continuation of https://smeesheady.medium.com/how-to-configure-owasp-zap-2-9-0-proxy-and-firefox-proxy-and-do-a-session-recording-ac524c4a0f1f

So if you don’t know how to configure the proxy and record requests, check that first.

Precondition: create an account at https://bodgeit.herokuapp.com/login.jsp by giving an email address and any password.

Then record a login scenario with valid credentials.

Double-click the POST request that sends the credentials.

Right-click it and select “Fuzz”.

Remove the default added value, then highlight the field that needs to be fuzzed.

So here I highlighted the whole thing.

username=smees@gmail.com&password=rockme600

Assuming I know the email, just highlight password=rockme600 and click the Add button.

Select the type as String and enter the values; here I entered two invalid credentials and one valid credential. Click Add, then click OK.

Then click Start Fuzzer button.

After a few seconds, fuzzing starts and the details can be found in the Fuzzing tab. So 4 requests were sent: one was the original request and the other 3 records were based on the payloads.

It also allows saving both the request and the response to an XML file.

We can also resend the request.

Also, using OWASP ZAP, we can create a CSRF proof of concept with Generate anti-CSRF test FORM.

This is for POST requests only, not for GET requests.

Acronym: CSRF (cross-site request forgery).

Right-click any POST request (marked 1 and 2 for easy reference in the image below), then click Generate anti-CSRF test FORM.

It will create this link: http://localhost:8080/OTHER/acsrf/other/genForm/?apinonce=5c5e9f66c37fe63b&hrefId=97. Open the link in a browser.

The user can provide valid credentials and submit, and it navigates to the actual page.

Alternative ways to parameterize:

We can use a .txt file; I created a file and added the credential payloads to it.

username=smees@gmail.com&password=555
username=smees@gmail.com&password=rockme600
username=smees@gmail.com&password=rockme600

Then select the type as File, browse, and select the file. Optionally, we can limit the number of records in the file to be executed by entering the value and checking the Limit checkbox.
