ZAP Custom Payloads not working


Uday Datrak

Jul 23, 2021, 7:50:02 AM
to OWASP ZAP User Group
Hi Team,

I open ZAP -> Tools -> Options -> Custom Payloads -> Add Multiple Payloads
and selected 100 XSS payloads from the file, and all of them are enabled as shown below.

[screenshot: ss.PNG]


Now when I open Analyze -> Scan Policy Manager, I cannot see the custom payloads,

and also when I run the active scan, I cannot see these payloads being sent to the website.

I am using the latest version of ZAP, 2.10.0.

PLEASE HELP

kingthorin+owaspzap

Jul 23, 2021, 8:19:25 AM
to OWASP ZAP User Group
You've added the payloads for the Username IDOR scan rule, which is passive, so essentially all those strings are being converted to MD2, MD5, SHA1, etc. (5 formats IIRC) and then passively scanned for in responses.

Refer to the individual scan rule write-ups to see which rules support Custom Payloads. As far as I recall there is limited active scan support currently. Perhaps only the User-Agent scan rule.

Simon Bennetts

Jul 23, 2021, 8:22:09 AM
to OWASP ZAP User Group
If you want to just make your own attacks then you can use this script: https://github.com/zaproxy/community-scripts/blob/main/active/User%20defined%20attacks.js

Cheers,

Simon

Uday Datrak

Jul 23, 2021, 8:32:00 AM
to OWASP ZAP User Group
Thank you all for the replies.

I added payloads under Custom Payloads -> User Agent, but all the 100 payloads are sent only to the User-Agent.
This would be an amazing and excellent feature if the payloads got executed for all the parameters instead of only the User-Agent.

Simon Bennetts

Jul 23, 2021, 8:37:59 AM
to OWASP ZAP User Group
  1. Add that script as an Active Rule script.
  2. Enable it (right-click option).
  3. Make sure Script Active Scan Rules are enabled (Scan Policy dialog, "Miscellaneous" section).
  4. Run an active scan.
You can always create a scan policy with just Script Active Scan Rules enabled; then it will be easier to see your attacks :)

Uday Datrak

Jul 23, 2021, 9:15:21 AM
to zaprox...@googlegroups.com
Thank you so much. The active scan rule is working fine; I just added 10 payloads and I can see them in the active scan history for the parameters.

ONE LAST question: is there any database for active scan scripts, like an LFI active scan script, RFI active scan script, SSTI, SSI, etc.?


Simon Bennetts

Jul 26, 2021, 3:34:23 AM
to OWASP ZAP User Group
I'm not aware of any definitive list.
If anyone knows of any good lists of payloads then do let us know :)