detect form parameter in fuzzer


samcker dodi

Dec 31, 2023, 1:18:33 PM
to ZAP Developer Group
Hello everyone,
I had a situation where I want to brute force the password and there is an additional parameter in the form named (token). It is validated in the backend and it changes each time the page is reloaded, so I need the ZAP fuzzer to retrieve this parameter value in each request and then reuse it in brute forcing the password. How could I do this?
Here is the screenshot of the request in ZAP:
Capture.PNG
Thanks guys.

samcker dodi

Dec 31, 2023, 3:07:22 PM
to ZAP Developer Group
Thanks guys, I have solved it with a Zest script using this amazing tutorial:
https://medium.com/@ecralevhack/solving-portswiggers-2fa-bypass-using-a-brute-force-attack-lab-with-owasp-zap-befe780b9afc
But now I need this script to be multithreaded and run quickly. How could I do it? There is no reference for doing this multithreaded.
Thanks in advance.

psiinon

Jan 2, 2024, 8:32:47 AM
to ZAP Developer Group

Cheers,

Simon

samcker dodi

Jan 2, 2024, 9:41:22 AM
to ZAP Developer Group
Thanks Simon, but how do I run the Zest script from the fuzzer? I have used the fuzzer a lot and know the thread options, but how do I apply these thread options in the fuzzer to a Zest script?
Thanks in advance.

thc...@gmail.com

Jan 2, 2024, 10:21:27 AM
to zaproxy...@googlegroups.com
The fuzzer will automatically regenerate the anti-csrf token, if it
knows there's one:
https://www.zaproxy.org/docs/desktop/addons/fuzzer/httpmessageprocessors/#anti-csrf-token-refresher


You can't use Zest scripts; it only supports programming languages:
https://www.zaproxy.org/docs/desktop/addons/fuzzer/httpmessageprocessors/#fuzzer-http-processor-script

Best regards.