Payload Generator Script


Ailton Caetano

Apr 20, 2015, 5:41:42 PM
to zaproxy-users
As thrilled as we all are with the 2.4 release, I took up the task of learning about the new scripted fuzzing method.

My debugging variables show me that everything is running fine, but I couldn't find a way to know the payload used in each interaction in the "Fuzzer" tab. Do I have to install a plugin, or am I just not looking in the right place?

Again, congratulations on a task well done!


Kind Regards,

Ailton Caetano

thc...@gmail.com

Apr 20, 2015, 6:46:21 PM
to zaprox...@googlegroups.com
Hi.

The payload values used in each fuzz task are shown in the "Payloads"
column.
Depending on the number and length you might need to resize the column
to see them all (also, you might want to enable "Horizontal Scroll" and
"Pack All Columns" as it's a lot easier to see everything, those options
are under a context menu shown by clicking the icon just above the
vertical scroll bar).

Aren't the payloads shown in that column? Or, isn't that what you mean?

Best regards.

Ailton Caetano

Apr 20, 2015, 7:49:29 PM
to zaproxy-users
Yep, there are no payloads in that column...



[]'s Ailton

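Added example, not code from the thread or from the ZAP project: a Jython-style payload generator in the shape the ZAP 2.4 fuzzer expects from a "payload generator script", written so that it also runs under plain CPython. The entry-point names (getNumberOfPayloads, hasNext, next, reset, close) are as I recall them from the template in scripts/templates/payloadgenerator/ under the ZAP home directory; check them against the shipped template before relying on them. The word list and suffixes are constructed here in place of a passfile, and drain() is a local debugging aid rather than part of ZAP's interface: it drives the generator exactly as the fuzzer does, so every payload can be listed before a fuzz run instead of being inferred from the Payloads column afterwards.

```python
# Added example, not code from the thread or from the ZAP project: a
# Jython-style payload generator for the ZAP fuzzer, written so that it also
# runs under plain CPython for local testing.
#
# ZAP drives a payload generator script through the module-level functions
# getNumberOfPayloads(), hasNext(), next(), reset() and close(). Those names
# are as I recall them from the template in scripts/templates/payloadgenerator/
# under the ZAP home directory; confirm them against the shipped template.

# Constructed word list and suffixes; a real script would read a "passfile"
# from disk (open it in reset(), release it in close()).
BASE_WORDS = ["admin", "password", "welcome"]
SUFFIXES = ["", "1", "123", "2015"]

_payloads = []  # materialised candidates, filled by reset()
_index = 0      # position of the next payload to hand out


def _build_payloads(words, suffixes):
    """Expand each word into case variants plus suffixes, deduplicated."""
    seen = set()
    out = []
    for word in words:
        for variant in (word, word.capitalize(), word.upper()):
            for suffix in suffixes:
                candidate = variant + suffix
                if candidate not in seen:
                    seen.add(candidate)
                    out.append(candidate)
    return out


def getNumberOfPayloads():
    # Hint for the fuzzer's progress bar; 0 means "unknown".
    return len(_payloads)


def hasNext():
    return _index < len(_payloads)


def next():
    # Shadows the Python builtin on purpose: ZAP looks the function up by name.
    # The fuzzer calls hasNext() first; the guard turns a bug into a visible
    # exception in the Script Console instead of a silent empty payload.
    global _index
    if _index >= len(_payloads):
        raise StopIteration("no more payloads")
    payload = _payloads[_index]
    _index += 1
    return payload


def reset():
    # Called before a fuzz run starts, so the generator can be reused.
    global _payloads, _index
    _payloads = _build_payloads(BASE_WORDS, SUFFIXES)
    _index = 0


def close():
    # Nothing to release for an in-memory list; close a file here if you read one.
    pass


def drain():
    """Local debugging aid, not part of ZAP's interface: drive the generator
    exactly as the fuzzer does and return every payload it would send."""
    reset()
    collected = []
    while hasNext():
        collected.append(next())
    close()
    return collected


reset()  # populate the list at load time as well

if __name__ == "__main__":
    for p in drain():
        print(p)
```

Running the file directly prints the 36 candidates the fuzzer would use, one per line; inside ZAP only the five entry points are called. Keep in mind that the first row of the Fuzzer tab is the unmodified original message, so an empty Payloads column on that row alone does not mean the generator produced nothing.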

thc...@gmail.com

Apr 20, 2015, 9:00:45 PM
to zaprox...@googlegroups.com
It's working for me :/

Attached a screen capture, useless but....

Does the "passfile" contain anything special?
Are the payloads correctly set into the fuzzed messages sent?

Best regards.

On 21/04/15 00:49, Ailton Caetano wrote:
> Yep, there are no payloads in that column...
>
> here is my script:
> https://github.com/DarkLighting/OWASP-ZAP-Scripts/blob/dev/payload_generator/bruteforce.py
>
>
> []'s Ailton
[Attachment: fuzz_payloads.png]

Ailton Caetano

Apr 21, 2015, 12:05:30 AM
to zaproxy-users
Unfortunately the test site is offline now and as we have a holiday tomorrow (Rio de Janeiro), probably my next window for testing will only be on Wednesday.

My previous tests had only one row in the "Fuzzer" tab and it was empty at the payload column. But I'll do it again and try to match your results.


Thanks for your help and your time, thc202.


Kind Regards,

Ailton Caetano


thc...@gmail.com

Apr 21, 2015, 9:07:44 AM
to zaprox...@googlegroups.com
Hi.

OK, no problem.

Yes, the first row does not have any payloads; it just contains the
original message (for comparison purposes with the fuzzed messages).

Did you notice if there were any errors? If a message is malformed or it
was not possible to send it (because of I/O errors) it will end up in
the "Errors" tab (shown after clicking "Show Errors" button).

Did you use a "Fuzzer HTTP Processor" script?


You're welcome :)

Best regards.


Ailton Caetano

Apr 22, 2015, 10:14:53 AM
to zaproxy-users
Inline

2015-04-21 10:07 GMT-03:00 <thc...@gmail.com>:
> Yes, the first row does not have any payloads; it just contains the
> original message (for comparison purposes with the fuzzed messages).

That pretty much solves the mystery! I thought the site was still online once I got this row back. So, what I thought was a script error was just the test site being offline, as I tried it again today and everything worked just fine.

I got some errors on previous attempts on this fuzzer, but the latter was taking too long to show something other than the original row to be a connection problem.


Now talking about the "Fuzzer HTTP Processor", I actually thought of using that one, but there is no template for it inside ZAP, so I resorted to a "payload generator script".

Can you show us some examples of this "Fuzzer HTTP Processor", or just the expected function signatures? That way I may try something different and maybe come up with a better solution to my task.


Kind Regards,

Ailton Caetano


 

thc...@gmail.com

Apr 22, 2015, 11:08:00 AM
to zaprox...@googlegroups.com
Hi.

OK. That doesn't sound right.
What connection timeout [1] value do you have?
Did you change the number of retries on I/O error?
I'm wondering, if the values are high enough it would end up taking an
eternity to give up and fail the fuzz tasks.


Yeah, about the "Fuzzer HTTP Processor", there is a (JavaScript)
template though it's not being loaded (a bug that will be fixed in next
release of fuzzer add-on).
It's in ZAP's "home" dir [2] under "scripts/templates/httpfuzzerprocessor/".


[1]
https://code.google.com/p/zaproxy/wiki/HelpUiDialogsOptionsConnection#Timeout_in_seconds
[2] https://code.google.com/p/zaproxy/wiki/FAQconfig

Best regards.

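Added example, not code from the thread or from the ZAP project: a Jython-style "Fuzzer HTTP Processor" script of the kind the template location above refers to, written in Python to match the original poster's generator rather than the JavaScript of the shipped template. The entry points processMessage(utils, message) and processResult(utils, fuzzResult), and the utils methods used, are as I recall them from that template; confirm them against the file under scripts/templates/httpfuzzerprocessor/ before use. The _Fake* classes are constructed stand-ins for ZAP's Java objects so the logic can be exercised offline; inside ZAP the real objects are supplied and only the two entry points matter. The failure markers and header name are assumed values for a credential-guessing run, not anything from the thread.

```python
# Added example, not code from the thread or from the ZAP project: a
# Jython-style "Fuzzer HTTP Processor" for the ZAP fuzzer. The _Fake*
# classes are constructed stand-ins for ZAP's Java objects so the logic runs
# under plain CPython. Entry points and utils methods follow the JavaScript
# template in scripts/templates/httpfuzzerprocessor/ as I recall it;
# confirm them against the template shipped with your fuzzer add-on.

# Assumed for this example: response fragments that mean "login failed".
FAILURE_MARKERS = ["Invalid credentials", "Login failed"]
REDIRECT_CODES = (301, 302, 303, 307)
HEADER_NAME = "X-Fuzz-Payload"  # assumed header name, for illustration


def processMessage(utils, message):
    """Runs before each fuzzed request is sent."""
    payloads = utils.getPayloads()
    if payloads.size() == 0:
        # Recorded in the Errors tab instead of sending an unfuzzed request.
        utils.increaseErrorCount("fuzz task has no payload")
        return
    # Echo the payload into a request header so the value is visible in the
    # request view even when the Payloads column is hard to read.
    message.getRequestHeader().setHeader(HEADER_NAME, str(payloads.get(0)))


def looks_like_failed_login(status, body):
    """A non-redirect response carrying a failure marker is a rejected login."""
    if status in REDIRECT_CODES:
        return False
    return any(marker in body for marker in FAILURE_MARKERS)


def processResult(utils, fuzzResult):
    """Runs after each response; True keeps the result in the Fuzzer tab."""
    msg = fuzzResult.getHttpMessage()
    status = msg.getResponseHeader().getStatusCode()
    body = str(msg.getResponseBody())
    # Keep only responses that do not look like a rejected login, so the
    # results table holds just the candidates worth a manual look.
    return not looks_like_failed_login(status, body)


# Constructed stand-ins for the ZAP objects, for offline testing only.
class _FakeList(object):
    def __init__(self, items): self._items = list(items)
    def size(self): return len(self._items)
    def get(self, index): return self._items[index]


class _FakeHeader(object):
    def __init__(self, status=200):
        self.status = status
        self.headers = {}
    def setHeader(self, name, value): self.headers[name] = value
    def getStatusCode(self): return self.status


class _FakeMessage(object):
    def __init__(self, status, body):
        self.request = _FakeHeader()
        self.response = _FakeHeader(status)
        self.body = body
    def getRequestHeader(self): return self.request
    def getResponseHeader(self): return self.response
    def getResponseBody(self): return self.body


class _FakeUtils(object):
    def __init__(self, payloads):
        self.payloads = _FakeList(payloads)
        self.errors = []
    def getPayloads(self): return self.payloads
    def increaseErrorCount(self, reason): self.errors.append(reason)


class _FakeResult(object):
    def __init__(self, message): self.message = message
    def getHttpMessage(self): return self.message


def run_local_demo():
    """Drive both entry points over constructed exchanges; return the payloads
    whose responses were kept and how many errors the empty case recorded."""
    exchanges = [  # (payload, status, body), all constructed
        ("admin123", 200, "<p>Invalid credentials</p>"),
        ("Welcome2015", 302, ""),
        ("password", 200, "<h1>Dashboard</h1>"),
    ]
    kept = []
    for payload, status, body in exchanges:
        utils = _FakeUtils([payload])
        msg = _FakeMessage(status, body)
        processMessage(utils, msg)
        assert msg.request.headers[HEADER_NAME] == payload
        if processResult(utils, _FakeResult(msg)):
            kept.append(payload)
    empty = _FakeUtils([])
    processMessage(empty, _FakeMessage(200, ""))
    return kept, len(empty.errors)
```

Returning False from processResult drops the response from the Fuzzer tab entirely, which also discards the record of how many attempts were rejected; if that count matters, return True for everything and filter in the table instead. The processor is attached to a fuzz run through the fuzzer dialog's message processors, separately from the payload generator, so the two scripts can be combined.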

Ailton Caetano

Apr 22, 2015, 12:17:32 PM
to zaproxy-users
The connection timeout is 20 seconds and the fuzzer is configured to make 3 retries on I/O errors, adding up to 1 minute until reporting an error on the first connection.

What I thought was: "If I got this row, the site must be online, so why did only one request come back and the others are taking more than 30 seconds to get back? This can't be a connection error, it must be something with the script". And I didn't come back after that minute to check it...

But it turned out I was wrong and the issue was really the server.


Thanks! Just found the template. I'll try to throw it into some task to start practicing...


Kind Regards,

Ailton Caetano


thc...@gmail.com

Apr 22, 2015, 6:46:40 PM
to zaprox...@googlegroups.com
Hi.

OK. Good to know, thanks!

Let us know if there's anything essential missing in the fuzzer
processor script.

Best regards.
