ZAP fuzz with payload automation and reuse of payload


aad...@gmail.com

Jun 27, 2017, 7:08:42 AM
to OWASP ZAP Developer Group
Hi, 


I want to automate HTTP request parameter payload tests using ZAP fuzzing.
Does the existing ZAP Java API support this?

Also, I saw that ZAP 2.6.0 does not support saving payload configurations.
Is that possible using any Java or Python APIs?



Thanks,
Aadi




kingthorin+owaspzap

Jun 27, 2017, 8:27:00 AM
to OWASP ZAP Developer Group
Since analysis of fuzzing results requires a person, a web API has not yet been put in place for the fuzz functionality. We have a long-standing ticket on the subject and have been trying (unsuccessfully so far) to get community input on how that should look and work.

https://github.com/zaproxy/zaproxy/issues/1689

aad...@gmail.com

Jun 27, 2017, 12:41:53 PM
to OWASP ZAP Developer Group
In fact, the payload fuzzing (intruding) feature works very well in Burp.

This wiki is about the manual testing of payloads.

When I tested the fuzzing feature in ZAP, I found that ZAP is not able to save the payload configurations.
Also, the actual creation of payloads for each string/position is a little complex compared to Burp.

Even Burp does not handle 100% automation of payload requests, even if we create plugins for it, i.e. certain parts we have to run manually.


Thanks,
Aadi