ZAProxy fuzzer custom payloads

Fahad

Sep 9, 2023, 1:02:27 AM
to ZAP User Group
How can I set custom payloads in fuzzer in spider and active scan? As well as custom credentials for testing purposes.

I have to create a test scan on an environment where it can't send any "zaproxy" string because the scanner can be detected easily.

Simon Bennetts

Sep 9, 2023, 4:48:21 AM
to ZAP User Group
I think there's some confusion here.
The ZAP Fuzzer is a manual tool which is separate from the 2 spiders and the active scanner.
For adding your own payloads to the Active Scanner see https://www.zaproxy.org/faq/how-can-i-add-my-own-payloads-to-active-scan-rules/

ZAP is designed to be used with the permission of the target owner.
We recommend asking the target owner to remove firewalls or provide a test environment without firewalls and the like.

If that's not possible then you could implement an httpsender script which replaces any strings that you think could cause problems.
I would also change the default ZAP user agent string :)

Cheers,

Simon

Fahad

Sep 10, 2023, 2:12:50 PM
to ZAP User Group
Thank you for your response! Yes, there might be some confusion. Yes, I do have permission because we are testing our own technology for SOC. My task is to evade it. Sort of like wargames. The problem I am facing is that ZAProxy sends a lot of "zaproxy" strings that they easily detect. Thank you for sharing those links. I will test and let you know.

Simon Bennetts

Sep 11, 2023, 3:24:21 AM
to ZAP User Group
Assuming you can do manual testing then I think it would definitely be worth playing with the Fuzzer: https://www.zaproxy.org/docs/desktop/addons/fuzzer/
This gives you complete control of exactly what attacks ZAP uses and where it uses them.
Good luck and looking forward to hearing how you get on!

Simon