On Sunday, March 3, 2013 7:24:12 AM UTC-6, Simon Bennetts wrote:
> Hi MC,
>
> There are (possibly) 2 different aspects to this.
>
> One is brute forcing usernames and passwords.
> For this you can use the fuzzer:
> Download a suitable list of usernames / passwords from the internet
> Add the file(s) to ZAP as a custom fuzz file
> Try to login to the app while proxying through ZAP (this can fail)
> Highlight either the username or password in the request
> Right click and select "Fuzz..."
> Select the file you added before
> Fuzz the string, and use the 'Search' tab to find any login requests that succeed
> The other aspect is brute forcing the session IDs.
> You can use the fuzzer on the session token again, although you may need to generate a file with a set of suitable tokens.
> Or if you can generate valid sessions you can use the 'tokengen' add-on (which you'll need to install) - this allows you to generate a large number of tokens and then does some basic randomness analysis on them.
>
> Cheers,
>
> Simon
>
> On Friday, 1 March 2013 00:06:41 UTC, MC wrote:
> > If I am testing an app for Broken Authentication, is there a way I can use ZAP for this? For example if I had a Session ID or User ID for a known user, is there a way to have ZAP automatically brute force other ID numbers in that sequence etc to the app?
Thank you!
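The "basic randomness analysis" Simon mentions for the tokengen add-on boils down to questions like: how many bits of the session ID actually vary, and do the IDs simply count upward? This added example (not ZAP or tokengen code) does that check offline on two constructed token sets, one sequential and one random-looking, so a defender can judge whether an application's session IDs are predictable.

```python
import math
import re
from collections import Counter


def shannon_entropy(symbols):
    """Shannon entropy in bits of the symbol frequencies in `symbols`."""
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in Counter(symbols).values())


def positional_entropy(tokens):
    """Entropy of each character position across a set of equal-length tokens."""
    width = len(tokens[0])
    if any(len(t) != width for t in tokens):
        raise ValueError("tokens must have equal length")
    return [shannon_entropy([t[i] for t in tokens]) for i in range(width)]


def is_sequential(tokens):
    """True if the trailing numeric part of every token steps by a constant stride."""
    tails = [re.search(r"\d+$", t) for t in tokens]
    if len(tokens) < 3 or not all(tails):
        return False
    values = sorted(int(m.group()) for m in tails)
    strides = {b - a for a, b in zip(values, values[1:])}
    return len(strides) == 1 and strides.pop() > 0


def analyze_tokens(tokens):
    """Summarise how much of the token actually varies and whether it counts up."""
    per_pos = positional_entropy(tokens)
    return {
        "total_bits": sum(per_pos),                  # observed variability, not a proof of strength
        "fixed_positions": sum(1 for e in per_pos if e == 0.0),
        "sequential": is_sequential(tokens),
    }


# Constructed sample data (not captured from any real application).
WEAK_TOKENS = [f"sess{1000 + i:06d}" for i in range(8)]   # sess001000 .. sess001007
STRONG_TOKENS = ["a3f9c07e1b", "7d12e8b4c0", "f04b6a93d7", "2c8e5f71a9",
                 "9b07d3e64f", "e6a1b49c28", "48d7f0e5b3", "b1e3c9a706"]

if __name__ == "__main__":
    for name, toks in (("weak", WEAK_TOKENS), ("strong", STRONG_TOKENS)):
        print(name, analyze_tokens(toks))
```

With only eight samples the entropy figures are upper-bounded by 3 bits per position, so treat the output as a screening signal and collect far more tokens before drawing conclusions, as tokengen does.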