In Fuzzer what does Successful mean


Nipun Kumar

Mar 16, 2015, 6:02:03 AM
to zaprox...@googlegroups.com
If I run a fuzzer, for example for XSS, I receive the status as Successful. What does it mean? Does it mean an XSS threat, or does it say this is safe? What could the other statuses be?

Simon Bennetts

Mar 16, 2015, 6:44:48 AM
to zaprox...@googlegroups.com
It just means that the request was successful, i.e. a 200 response.
Originally these were just left blank - I think we should go back to that as I agree it's confusing.

Cheers,

Simon

Nipun Kumar

Mar 16, 2015, 6:50:28 AM
to zaprox...@googlegroups.com
It means this is a safe hit. Right?
And if any request identifies a problem, then what is the status value?

thc...@gmail.com

Mar 16, 2015, 7:13:44 AM
to zaprox...@googlegroups.com
Yeah, it seems better to go that way.

Best regards.

thc...@gmail.com

Mar 16, 2015, 7:14:07 AM
to zaprox...@googlegroups.com
No, it just means that the request was sent successfully, i.e. no
network errors occurred or the fuzzed message was not malformed.

It's up to the user to assess if there's an issue/vulnerability or not.


For other possible states take a look at the help page [1].

Note there's another "state", called "Anti CSRF Token Request" which
indicates that the message sent was used to refresh the anti-CSRF token.


[1]
https://code.google.com/p/zaproxy/wiki/HelpUiTabsFuzz#HTTP_Fuzzer_results

Best regards.

Simon Bennetts

Mar 16, 2015, 7:22:55 AM
to zaprox...@googlegroups.com
Yeah, the significance of the results all depends on what you're testing and how you're testing it.

So if you are testing for reflected XSS then yes, you'd probably be most interested in the payloads that are reflected.

But say you're trying to find out which characters are accepted in a field to narrow down your attacks.
In this case you might fuzz with all of the characters in a character set, and then you'd be interested in the ones that are _not_ reflected so you can filter out attacks that use them.

Or if you're testing for blind SQL injection you might expect a 200 response for everything and just be concerned with the response times.

Does that make sense?

Simon
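
As an added example (not ZAP's own code and not part of the original thread), here are the three ways of reading a fuzz run that Simon describes above, run over a constructed result set: keeping reflected payloads for reflected XSS, sorting fuzzed characters into raw / encoded / stripped to narrow down attacks, and picking out response-time outliers for time-based blind SQL injection where every response is a 200. The FuzzResult record shape, the qz7 marker convention and the sample responses are assumptions made for the example.

```python
"""Triage a fuzzer run the three ways the reply above describes.

Added example; not ZAP's own code. It assumes each fuzz result can be
reduced to (payload, HTTP status, response body, elapsed milliseconds).
The sample results below are constructed by hand to look like one run.
"""
from dataclasses import dataclass
from statistics import median
import html


@dataclass(frozen=True)
class FuzzResult:
    payload: str
    status: int       # 0 = no HTTP response at all (network error)
    body: str
    elapsed_ms: float


def was_sent(r: FuzzResult) -> bool:
    """'Successful' in the thread's sense: the request went out and some
    HTTP response came back. This says nothing about vulnerability."""
    return r.status > 0


def is_reflected(r: FuzzResult) -> bool:
    """The payload appears verbatim (unencoded) in the response body."""
    return r.payload in r.body


def reflected_payloads(results):
    """Reflected-XSS hunting: keep the payloads that come back untouched."""
    return [r for r in results if was_sent(r) and is_reflected(r)]


# Assumed convention for character-set fuzzing: each single character is sent
# between two copies of MARKER so it can be located in a busy response body.
MARKER = "qz7"


def wrap(c: str) -> str:
    return f"{MARKER}{c}{MARKER}"


def usable_characters(results):
    """Character-set probing: split the fuzzed characters into those that are
    reflected raw (usable in an attack), those that come back HTML-encoded,
    and those that are stripped or altered (avoid attacks that need them)."""
    raw, encoded, stripped = set(), set(), set()
    for r in results:
        if not was_sent(r) or len(r.payload) != 2 * len(MARKER) + 1:
            continue
        if not (r.payload.startswith(MARKER) and r.payload.endswith(MARKER)):
            continue
        c = r.payload[len(MARKER)]
        escaped = html.escape(c, quote=True)
        if r.payload in r.body:
            raw.add(c)
        elif escaped != c and wrap(escaped) in r.body:
            encoded.add(c)
        else:
            stripped.add(c)
    return raw, encoded, stripped


def baseline_ms(results) -> float:
    """Median round-trip time of the responses that actually arrived."""
    return median(r.elapsed_ms for r in results if was_sent(r))


def timing_outliers(results, factor: float = 3.0):
    """Time-based blind SQLi: everything may be a 200 that looks identical, so
    the only signal is a response that took far longer than the baseline."""
    base = baseline_ms(results)
    return [r for r in results if was_sent(r) and r.elapsed_ms > factor * base]


# Constructed sample run against one reflected text field.
SAMPLE_RESULTS = [
    FuzzResult("<script>alert(1)</script>", 200,
               "<p>Hello &lt;script&gt;alert(1)&lt;/script&gt;</p>", 41.0),
    FuzzResult('"><img src=x onerror=alert(1)>', 200,
               '<input value=""><img src=x onerror=alert(1)>">', 43.0),
    FuzzResult(wrap("<"), 200, "<p>Hello qz7&lt;qz7</p>", 40.0),
    FuzzResult(wrap("'"), 200, "<p>Hello qz7'qz7</p>", 39.0),
    FuzzResult(wrap(";"), 200, "<p>Hello qz7qz7</p>", 42.0),
    FuzzResult("1' AND SLEEP(5)-- -", 200, "<p>Hello 1' AND SLEEP(5)-- -</p>", 5040.0),
    FuzzResult("1' AND 1=1-- -", 200, "<p>Hello 1' AND 1=1-- -</p>", 44.0),
    FuzzResult("%00", 0, "", 0.0),   # connection dropped: not "Successful" at all
]


if __name__ == "__main__":
    print("reflected:", [r.payload for r in reflected_payloads(SAMPLE_RESULTS)])
    print("raw / encoded / stripped:", usable_characters(SAMPLE_RESULTS))
    print("baseline ms:", baseline_ms(SAMPLE_RESULTS))
    print("slow:", [r.payload for r in timing_outliers(SAMPLE_RESULTS)])
```

Note that every 200 in the sample would carry the same "Successful" label in the fuzzer view; which of the three views matters depends entirely on what you set out to test, which is the point of the reply above. The encoded/stripped split is the detail the reflection flag alone does not give you: a `<` that comes back as `&lt;` is reflected in the loose sense but useless for a tag-based XSS payload.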

kingthorin+owaspzap

Mar 16, 2015, 8:39:43 AM
to zaprox...@googlegroups.com
Instead of some interpretation of the response code (which users may assume is an interpretation of fuzz success or failure) perhaps we should literally use the response code and short text, i.e.: "200 - Ok" [Note I don't have the UI in front of me....perhaps the column is just superfluous.]

Simon Bennetts

Mar 16, 2015, 8:43:44 AM
to zaprox...@googlegroups.com
The reason this column was added was just to include the word "Reflected" as people were not sure what the icon we used to indicate this meant.
So I think we need it just for that, as the fact that the payload is reflected in the response is a key piece of information that you can't see from any of the other columns.
I'm happy for it to be used for other things as long as they are helpful.
In particular it could be a good field for scripts which analyse the fuzzing results to use.

Simon

kingthorin+owaspzap

Mar 16, 2015, 10:46:00 AM
to zaprox...@googlegroups.com
Ok now I see where you're coming from.

I think it makes sense to keep it to note "Reflected" situations, however we should probably leave it as blank for others as "Success" seems to be leading to greater misinterpretation than benefit.