Is fuzzing api available in new version of zap?


Sridatta S P

Jul 2, 2024, 5:52:28 AM
to ZAP Developer Group
Hi,

In our last discussion, we came to know the fuzzing API is not available and hence we can't automate in Python.
Are there any updates on whether the fuzzing API is available in the latest version?


Thanks & Regards,
Sridatta

psiinon

Jul 2, 2024, 5:55:00 AM
to ZAP Developer Group
Hi Sridatta,

No updates.
If you would like to work on it then just let us know :)

Cheers,

Simon

Sridatta S P

Jul 2, 2024, 7:19:44 AM
to ZAP Developer Group
Okay. We use fuzzing more than active scan and now we are trying to automate the fuzzing.

Are there any references where we can see how a basic SQL injection in fuzzing is done?
For example:
What are the selection criteria for fuzzing? Do we need to select the URL end-point or input fields in the response?
What are the payloads?
How do we send payloads?

Thanks & Regards,
Sridatta

psiinon

Jul 2, 2024, 7:24:59 AM
to ZAP Developer Group
Hi Sridatta,

In ZAP terminology active scanning is the process of automating the finding of vulnerabilities by sending payloads.
Fuzzing is the process of manually finding vulnerabilities by sending payloads and then checking them manually.

If you want to automate fuzzing then you are really talking about active scanning.
The active scanning infrastructure is set up for all sorts of automation.
The fuzzing infrastructure is not.

Does that make sense?

Cheers,

Simon

Sridatta S P

Jul 2, 2024, 8:01:50 AM
to ZAP Developer Group
Hi Simon,

Thank you.
Yes, now it looks like active scan.
Our requirement was to automate the entire process of a use case like the one below, which we do in the ZAP tool manually.

1. Select an URL end-point or an input field in response instead of full active scan on all recordings.
2. Add payload.
3. Start the fuzz.
4. Note the results.

Two queries:
1/ So, with your above comments, automating this is nothing but an active scan, which can also be automated using the API apart from > zap.ascan.scan?
2/ Can we control which end-points and input fields are considered and which payloads are sent in an active scan for SQL injection? Any examples?

Thanks & Regards,
Sridatta

psiinon

Jul 2, 2024, 9:52:49 AM
to ZAP Developer Group
Hi Sridatta,

As always things are a bit more complicated ;)
With the fuzzer you define exactly what you want to attack. You can attack any part(s) of a request, but you can only attack one request at a time.
With the active scan you can choose the target URL, but ZAP will also let you attack as many endpoints as you like.
If you attack one specific URL then you can specify specific parts of the request if you want. You cannot do this if ZAP is attacking multiple URLs.
You can specify the "input vectors" - the elements that ZAP will attack https://www.zaproxy.org/docs/desktop/ui/dialogs/options/ascaninput/
You can also specify exactly which active scan rules you want to use.

It's worth noting that the interfaces exposed are based on the existing requirements on the desktop, the API and the automation framework.
You may find that the exact interface you need might not currently be available.

Examples?
See the ZAP source code :D
If you want to make changes then you will need to understand how it all works right now.
We also have a lot of relevant docs online, eg https://www.zaproxy.org/docs/contribute/scan-rules/

Cheers,

Simon
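Simon's reply above describes the three controls the active scanner exposes that map onto the manual fuzzing workflow Sridatta asked about in query 2/: a single target URL, the "input vectors" (which parts of the request get injected into), and which scan rules run. The script below is an added example for this thread, not ZAP project code and not something either poster wrote. It drives those three controls through ZAP's JSON API using the documented `ascan`/`core` component, action and view names; the host, API key, policy name, target URL and the `40018` rule id (ZAP's generic SQL Injection rule) are assumptions, and the input-vector bitmask value is taken from ZAP's `ScannerParam` constants as an assumption. The HTTP transport is injectable so the control flow can be exercised without a running ZAP.

```python
"""Single-URL, SQLi-only active scan through the ZAP JSON API.

Added example for this thread, not ZAP project code. The component/action/
view names are ZAP's documented API names; host, API key, policy name and
the target URL are placeholders. `call` is injectable so the flow can be
exercised without a running ZAP.
"""
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://localhost:8080"          # ZAP's default listen address (placeholder)
API_KEY = "REPLACE-WITH-YOUR-ZAP-API-KEY"   # ZAP rejects keyless API calls by default
SQLI_RULE_ID = "40018"                      # id of ZAP's "SQL Injection" active scan rule
QUERY_STRING_ONLY = 1                       # TARGET_QUERYSTRING bit of ScannerParam (assumed value)


def zap_call(component, kind, name, **params):
    """GET /JSON/<component>/<action|view>/<name>/ and return the decoded JSON."""
    query = urllib.parse.urlencode({"apikey": API_KEY, **params})
    url = f"{ZAP_BASE}/JSON/{component}/{kind}/{name}/?{query}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode())


def build_sqli_policy(call, policy="sqli-only"):
    """Scan policy with every rule disabled except SQL Injection at HIGH strength."""
    existing = call("ascan", "view", "scanPolicyNames")["scanPolicyNames"]
    if policy not in existing:                      # addScanPolicy errors if it already exists
        call("ascan", "action", "addScanPolicy", scanPolicyName=policy)
    call("ascan", "action", "disableAllScanners", scanPolicyName=policy)
    call("ascan", "action", "enableScanners", ids=SQLI_RULE_ID, scanPolicyName=policy)
    call("ascan", "action", "setScannerAttackStrength",
         id=SQLI_RULE_ID, attackStrength="HIGH", scanPolicyName=policy)
    return policy


def restrict_input_vectors(call, mask=QUERY_STRING_ONLY):
    """Tell the scanner which request parts to inject into (a global option, bitmask)."""
    return call("ascan", "action", "setOptionTargetParamsInjectable", Integer=mask)


def scan_single_url(call, target, policy, poll_seconds=2.0, sleep=time.sleep):
    """Start a non-recursive scan of one URL and block until ZAP reports 100%."""
    started = call("ascan", "action", "scan", url=target, recurse="false",
                   scanPolicyName=policy, method="GET")
    scan_id = started["scan"]
    while int(call("ascan", "view", "status", scanId=scan_id)["status"]) < 100:
        sleep(poll_seconds)
    return scan_id


def sqli_alerts(call, target):
    """Alerts raised by the SQLi rule for this URL: (parameter, payload used, risk)."""
    alerts = call("core", "view", "alerts", baseurl=target)["alerts"]
    return [(a["param"], a["attack"], a["risk"])
            for a in alerts if a.get("pluginId") == SQLI_RULE_ID]


def run(target, call=zap_call, sleep=time.sleep):
    """Policy -> input vectors -> scan one URL -> collect the SQLi findings."""
    policy = build_sqli_policy(call)
    restrict_input_vectors(call)
    scan_single_url(call, target, policy, sleep=sleep)
    return sqli_alerts(call, target)


if __name__ == "__main__":
    # Placeholder target: use a URL that is already in ZAP's history (proxied or spidered).
    for param, attack, risk in run("http://localhost:8081/vulnerable_page.php?id=1"):
        print(f"{risk}: parameter {param!r} flagged with payload {attack!r}")
```

The difference from hand-rolled payload loops is visible in the last step: the scanner chooses and sends the payloads itself, and the rule's own detection logic decides whether an alert is raised, so the output is a list of findings rather than raw responses to inspect by eye. Attack strength is set per rule on the policy, not on the `scan` action, and the input-vector option is global to the scanner rather than per scan.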

Sridatta S P

Jul 2, 2024, 12:18:45 PM
to ZAP Developer Group
Hi Simon,

We are okay with checking one URL at a time.
So can we consider this type of active scan, where we select input fields or a URL and send payloads, as an alternative to fuzzing?

Below is example code for performing SQL injection; can we consider this as fuzzing?

import requests

# URL of the target application
target_url = "http://example.com/vulnerable_page.php"

# Define the payload set for SQL injection
sql_payloads = [
    "' OR 1=1 --",
    "admin'; --",
    "'; DELETE FROM users WHERE '1'='1",
    # Add more payloads as needed
]

# OWASP ZAP API endpoint for active scan
zap_api_url = "http://localhost:8080/JSON/ascan/action/scan/?zapapiformat=JSON"

# ZAP refuses API calls without a key unless the key check has been disabled
zap_api_key = "REPLACE-WITH-YOUR-ZAP-API-KEY"

# Iterate over payloads and perform fuzzing with SQL injection
for payload in sql_payloads:
    # Construct the URL with the SQL injection payload (requests percent-encodes it)
    url_with_payload = f"{target_url}?parameter={payload}"

    # Parameters the ascan/action/scan action accepts: url, recurse, inScopeOnly,
    # scanPolicyName, method, postData, contextId. Attack strength and alert
    # threshold are configured per rule on a scan policy, not on this action.
    params = {
        'apikey': zap_api_key,
        'url': url_with_payload,
        'recurse': 'false',  # scan only this URL, not everything beneath it
        'method': 'GET',  # Use POST (with postData) for POST requests
    }

    # Send the request to ZAP API
    try:
        response = requests.get(zap_api_url, params=params)
        response.raise_for_status()
        scan_id = response.json().get('scan')  # ZAP answers {"scan": "<id>"}
        print(f"Scan {scan_id} started for payload: {payload}")
    except requests.exceptions.RequestException as e:
        print(f"Error sending scan request: {e}")

Thanks & Regards,
Sridatta

psiinon

Jul 2, 2024, 12:42:26 PM
to ZAP Developer Group
You can call it whatever you like :)
All I said is how we define "fuzzing" and "active scanning" in ZAP.

What you have specified above is not active scanning, it's just sending requests via ZAP.
If that works for you then great, but you are not using the active scanner.
For a related active scan rule which you can change easily, see https://github.com/zaproxy/community-scripts/blob/main/active/User%20defined%20attacks.js

Cheers,

Simon

Sridatta S P

Jul 3, 2024, 2:15:43 AM
to ZAP Developer Group
OK, clear. We can ignore the above code. But, in general, can you please share your opinion on the use case below?

When we perform an active scan with SQL injection on a URL and also perform fuzzing on the same URL, can we see the same results in both cases?
If yes, can we consider active scan as an alternative to fuzzing?

Thanks & Regards,
Sridatta

psiinon

Jul 3, 2024, 4:54:40 AM
to zaproxy...@googlegroups.com

No.
Fuzzing is 'just' sending a load of payloads at a target. It will not raise alerts.
Most active scan rules (including the SQLi ones) have significant logic, and should be much more effective than fuzzing.

Cheers

Simon


--
For commercial ZAP support options see https://www.zaproxy.org/support/
ZAP is supported by the Crash Override Open Source Fellowship https://crashoverride.com/open-source?zap=dev