Fuzzing multiple params - but one at a time (no combinations)


ch, Aug 23, 2015, 5:10:16 PM, to OWASP ZAP Developer Group
Folks,

The new additions to the fuzzer are excellent!

One thing I have been trying to do recently is as follows:

For each post param in a message fuzz across a set of defined values while leaving all other post params in their original state.
(ex. of fuzz values A/B - original value O)
  • A O O O O
  • B O O O O
  • O A O O O
  • O B O O O
  • O O A O O
  • ...
I have not found a way to automate this without manually configuring and running a new fuzzer for each param (manual work to define each param location, configure the same payload for each, etc.).

Things I have investigated:
  • Fuzz all post params at one time (this generates many permutations I don't care about, as shown below using the same terms as above):
    • A A A A A
    • A A A A B
    • A A A B A
    • A A A B B
    • A A B A A
    • ...
  • Use fuzz script hooks:
    • "Payload Generator" (work scoped to payload value generation - not request message modification/prep)
    • "Payload Processor" (work scoped to payload processing - not request message modification/prep)
    • "Fuzzer HTTP Processor" (work scoped to response message processing to identify interesting states - not request message modification/prep)
Am I missing a way to automate this that is currently supported?

If not - is this type of fuzzing behavior currently requested or under consideration as a future enhancement?


Thanks in advance!

thc...@gmail.com, Aug 23, 2015, 6:48:52 PM, to zaproxy...@googlegroups.com
Hi.

It's possible to do that with scripts: "Fuzzer HTTP Processor" allows changing the message before it is sent, but it's not straightforward (at least without knowing some internal classes).
I can help with that if you are interested, though.

What's the content type of the body? x-www-form-urlencoded? JSON?
What's the source of the payloads? File Fuzzers? External file? Strings?


It surely is something that should be supported (actually, it was supported during development but didn't reach the final version).

Please, raise an issue. [1]


[1] https://github.com/zaproxy/zaproxy/issues/new

Best regards.


ch, Aug 23, 2015, 8:34:48 PM, to OWASP ZAP Developer Group
Thank you for the response - started looking at Fuzzer HTTP Processor closer.

The HTTP request body is of the form "param=val&param=val&param=val".
Payloads are File (or Strings for right now).

I took a first stab at using processMessage() by trying to retrieve and use the collection of form HttpParameter objects but it didn't seem to be actually changing the request body.

Any guidance/thoughts would be appreciated - I'll raise an issue shortly.


Thanks!

thc...@gmail.com, Aug 24, 2015, 5:39:06 AM, to zaproxy...@googlegroups.com
Hi.

Attached are the scripts to fuzz an HTTP form with no combinations:

"empty_payloads.js" - a "Payload Generator" script to initiate the fuzzer (it just creates empty payloads). The number of payloads should be high enough to allow all parameters to be fuzzed with all payloads (i.e. NUMBER_OF_PAYLOADS >= number of parameters * number of payloads);

"no_combinations_http_form_fuzzer.js" - a "Fuzzer HTTP Processor" script that does the injection of payloads and is responsible for stopping the fuzzer once all payloads/parameters are fuzzed.


Tested with ZAP 2.4.1, using Nashorn as the JavaScript engine.
Follow these steps to use them (with the scripts already added to ZAP and ready to fuzz the message):
1. Open the "Fuzzer" dialogue, select a position (i.e. no selection) in the header or body (e.g. "Header [0]" or "Body [0]"), add it and choose the script "empty_payloads.js" for generation of payloads.
2. In the "Message Processors" tab add the script "no_combinations_http_form_fuzzer.js" (you can remove the other processors, especially the content length updater, it's not needed);
3. Start the fuzzer.

In the "Fuzzer" tab the column "Payloads" should show the parameter (and payload) being fuzzed.

The script "no_combinations_http_form_fuzzer.js" is using strings for payloads but there are commented statements that allow loading the payloads from a file.

Let me know if you have any question/comment about the scripts.

Best regards.
Attachments: empty_payloads.js, no_combinations_http_form_fuzzer.js

kingthorin+owaspzap, May 30, 2017, 12:48:52 PM, to OWASP ZAP Developer Group
Just to close the loop, the issue was created:
https://github.com/zaproxy/zaproxy/issues/2967


Thu Nguyen Dang, Jul 3, 2018, 4:39:59 AM, to OWASP ZAP Developer Group
Hi thc202,

I tried your script and it works very well. But I want to get payloads from the Payloads tab in the UI, not from a fixed file. Are there any examples of getting payloads from the Payloads tab in the UI?