Different modes for zap's fuzzer


Prabin B.c

Nov 4, 2024, 6:56:30 AM
to ZAP User Group
Hi, I'm using ZAP proxy but I am not able to brute force like in Burp Suite, as there are no modes for brute forcing here in ZAP proxy. I mean, there are no options for pitchfork, cluster bomb and such attacks. I don't find any options for them. Although it works perfectly fine and it is very fast, the thing is I can't get my job done.

I am currently solving the PortSwigger lab no. 4, where the IP address is blocked if 4 invalid usernames or passwords are sent over it; also, to solve the lab one must use the pitchfork mode of brute forcing. But in ZAP proxy, when I brute-force the X-Forwarded-Option header with the values 1-100 and then the username value with the payload provided by the PortSwigger Academy lab, and start the fuzzer, it inputs the first payload combined with all the other payloads of the second payload wordlist, and then it starts the second payload from the first payload wordlist. I can't achieve the behaviour of the first payload from the first payload wordlist combined with the first payload of the second payload wordlist, the second payload of the first payload wordlist combined with the second payload of the second payload wordlist, likewise the third payload of the first payload wordlist combined with the third payload of the second payload wordlist, and so on. Also, there seems to be a limitation in ZAP proxy: if I want the same payload on multiple parameters or multiple fields, this behaviour cannot be achieved by ZAP as far as I can tell.

Are you able to make it possible with ZAP? Please help me! I need your techniques to solve the lab.
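The payload-combination strategies discussed in the post above, written out as an added example (not code from the thread, from ZAP, or from Burp). The behaviour the post describes ZAP's fuzzer as having is a Cartesian product (Burp's "cluster bomb"); the behaviour it wants is parallel iteration of the wordlists (Burp's "pitchfork"); the "same payload in multiple fields" behaviour is Burp's "battering ram". Each is a few lines of Python over a raw request template, and the rows they yield can be fed to any HTTP client or proxy. The host name, the parameter names, the password value and the two small wordlists are constructed for illustration and are not the lab's real values.

```python
"""
Payload-combination strategies behind Burp Intruder's attack types,
as plain Python generators. Added example; not ZAP or Burp code.
Each strategy yields one tuple per request; tuple element i is the
value for fuzz position i.
"""
from itertools import product
from typing import Iterator, List, Sequence, Tuple

Row = Tuple[str, ...]


def cluster_bomb(*payload_sets: Sequence[str]) -> Iterator[Row]:
    """Cartesian product: every payload of set 1 with every payload of
    set 2, and so on. This is the 'first payload combined with all the
    others' behaviour the post describes. Request count is the product
    of the wordlist sizes."""
    return product(*payload_sets)


def pitchfork(*payload_sets: Sequence[str]) -> Iterator[Row]:
    """Parallel iteration: the i-th payload of every set goes into
    request i. Stops at the shortest set, as Burp's Pitchfork does.
    Request count is the size of the shortest wordlist."""
    return zip(*payload_sets)


def battering_ram(payloads: Sequence[str], positions: int) -> Iterator[Row]:
    """Same payload copied into every fuzz position."""
    for p in payloads:
        yield (p,) * positions


def sniper(payload_sets: Sequence[Sequence[str]], baseline: Row) -> Iterator[Row]:
    """One position at a time; untouched positions keep their baseline
    (original request) value."""
    for i, payloads in enumerate(payload_sets):
        for p in payloads:
            row = list(baseline)
            row[i] = p
            yield tuple(row)


# Fuzz positions are numbered {0}, {1}, ... in a raw request template.
# Host, path, parameter names and password are assumed placeholders.
TEMPLATE = (
    "POST /login HTTP/1.1\r\n"
    "Host: target.invalid\r\n"
    "X-Forwarded-For: {0}\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username={1}&password=wrongpass"
)

# Constructed sample wordlists: one spoofed source address per request,
# and a short username list (not the Academy lab's list).
IPS: List[str] = [str(i) for i in range(1, 6)]
USERS: List[str] = ["admin", "carlos", "root"]


def render(template: str, rows: Iterator[Row]) -> List[str]:
    """Substitute each row into the template, one raw request per row."""
    return [template.format(*row) for row in rows]


def request_counts() -> dict:
    """How many requests each strategy produces for IPS x USERS."""
    return {
        "cluster_bomb": len(render(TEMPLATE, cluster_bomb(IPS, USERS))),
        "pitchfork": len(render(TEMPLATE, pitchfork(IPS, USERS))),
    }


if __name__ == "__main__":
    # Pitchfork pairs IPS[i] with USERS[i], so each request carries a
    # fresh X-Forwarded-For value, which is what a per-IP lockout needs.
    for req in render(TEMPLATE, pitchfork(IPS, USERS)):
        print(req.replace("\r\n", " | "))
    print(request_counts())
```

With five addresses and three usernames, pitchfork yields three requests (one per username, each with its own address) while cluster bomb yields fifteen, which is why the Cartesian-product mode sends the same spoofed address repeatedly and trips a per-IP lockout.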

Simon Bennetts

Nov 5, 2024, 6:50:36 AM
to ZAP User Group
We have an open issue for more fuzzing strategies: https://github.com/zaproxy/zaproxy/issues/2967
Give it a thumbs up in the first comment to "vote" for it :)

Cheers,

Simon