ZAP parameter access from response and pre/post request during fuzzing
813 views
Skip to first unread message
ph
Dec 15, 2014, 4:30:44 AM12/15/14
to zaprox...@googlegroups.com
Hi,
We have fairly complex system. I want to achieve following things.
For the fuzzing on the POST request, I have to first perform GET request and need to get some parameters value from the response and inject into post request to have successful transaction.
1) How could we achieve this via ZAP to launch GET request before POST fuzzing request (like example pre-macro/post-macro)?
2) How could we get the specific parameters from the GET response and inject value into POST request?
We tried several times but without success. It will be great if you have such scenarios and example.
Thx!
Kr,
Ph
We have fairly complex system. I want to achieve following things.
For the fuzzing on the POST request, I have to first perform GET request and need to get some parameters value from the response and inject into post request to have successful transaction.
1) How could we achieve this via ZAP to launch GET request before POST fuzzing request (like example pre-macro/post-macro)?
2) How could we get the specific parameters from the GET response and inject value into POST request?
We tried several times but without success. It will be great if you have such scenarios and example.
Thx!
Kr,
Ph
Simon Bennetts
Dec 15, 2014, 7:08:34 AM12/15/14
to zaprox...@googlegroups.com
This is exactly the sort of thing that Zest was created for :)
And I know I havnt documented it enough, my bad :(
But there is a video clip linked off that page that will hopefully be of some use.
So, quick summary: Zest is essentially ZAPs macro language, but much more powerful.
Some pointers to get you started..
And I know I havnt documented it enough, my bad :(
But there is a video clip linked off that page that will hopefully be of some use.
So, quick summary: Zest is essentially ZAPs macro language, but much more powerful.
Some pointers to get you started..
- Perform the requests you want to make via your browser proxying them through ZAP
- Locate and select them in the History tab, right click and "Add to Zest Script -> New Zest Script..."
- Give it a title and click Save
- Anti CSRF tokens _should_ be extracted and used automatically
- For other form based tokens you need right click on the request in the script and select "Add Zest Assignment -> Assign variable to a form field..."
- Then give it a suitable name and select the form / field you want
- To use variable in a request double click the request to edit it, put the cursor where you want the value, right click and select "Zest paste variable -> <variable name>"
- To fuzz a set of requests highlight them all, right click and select "Surround with -> Loop File" (assuming the fuzzing vectors are in a file) then select the file, give a loop variable a suitable name and use it as above
Zest is really powerful and the best thing to do is play around with it.
And ask here if and when you have any questions or problems.
Cheers,
Simon
ph
Dec 15, 2014, 8:40:45 AM12/15/14
to zaprox...@googlegroups.com
Hi Simon,
Thx a lot for your prompt response.
We will follow your suggestion and keep you inform.
Kr,
Ph
Thx a lot for your prompt response.
We will follow your suggestion and keep you inform.
Kr,
Ph
ph
Dec 18, 2014, 5:34:48 AM12/18/14
to zaprox...@googlegroups.com
Hi Simon,
It works well as needed and zest is easy and awesome ;)
Kr,
Ph
Reply all
Reply to author
Forward
0 new messages