fuzzing report


sania kanwal

Jun 23, 2022, 7:27:50 AM
to OWASP ZAP User Group
Please tell me how to generate a ZAP fuzzing report in which there should be the payload and whether a vulnerability is present, in a CSV file.

thc...@gmail.com

Jun 23, 2022, 9:23:03 AM
to zaprox...@googlegroups.com
Hi.

The fuzzer does not automatically report vulnerabilities; it needs manual
assessment.

Fuzzer docs:
https://www.zaproxy.org/docs/desktop/addons/fuzzer/

Best regards.

sania kanwal

Jun 24, 2022, 12:38:31 AM
to OWASP ZAP User Group
Thanks for your reply...
Actually, I want to create a dataset in which there should be a payload and the corresponding vulnerability. I fuzzed the application with ZAP and payloads from the file fuzzer. I exported the fuzz data; the payload is there, but there is no info about whether a vulnerability is present or not. I am sending you the fuzz data.

SQL.csv

Simon Bennetts

Jun 24, 2022, 3:52:27 AM
to OWASP ZAP User Group
Fuzzing is a manual process.
It will not tell you if a vulnerability is present.
It will give you a load of data which you can hopefully use to tell if a vulnerability is present.
The data you have sent is unlikely to be enough to tell if there is a vulnerability present; to do that, someone would need access to the target app and understand how it works.

Cheers,

Simon
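
The manual assessment described in the replies above usually starts by sorting the exported fuzz results into "looks like every other response" and "worth opening by hand". The following is an added example, not code from the thread's participants or from the ZAP project; the CSV column names (`payload`, `status`, `body_size`, `rtt_ms`) and the sample rows are constructed assumptions, so adjust them to the header of your own export.

```python
import csv
import io
from collections import Counter
from statistics import median

# Constructed sample data. The column names are assumptions for this example,
# not ZAP's export format: rename them to match the header of your own CSV.
SAMPLE_CSV = """payload,status,body_size,rtt_ms
admin,200,5120,40
' OR '1'='1,200,9875,45
1' AND SLEEP(5)-- -,200,5118,5060
test',500,812,38
guest,200,5125,42
1 UNION SELECT NULL,200,5122,41
"""


def triage(csv_text, size_tolerance=0.10, rtt_factor=5.0):
    """Return (payload, reasons) for rows that differ from the typical response.

    A flag means "look at this request/response by hand", not "vulnerable".
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Baseline: most common status code, median body size and round-trip time.
    base_status = Counter(r["status"] for r in rows).most_common(1)[0][0]
    base_size = median(int(r["body_size"]) for r in rows)
    base_rtt = median(int(r["rtt_ms"]) for r in rows)

    flagged = []
    for r in rows:
        reasons = []
        if r["status"] != base_status:
            reasons.append("status")
        if abs(int(r["body_size"]) - base_size) > size_tolerance * base_size:
            reasons.append("size")
        if int(r["rtt_ms"]) > rtt_factor * base_rtt:
            reasons.append("rtt")
        if reasons:
            flagged.append((r["payload"], reasons))
    return flagged


if __name__ == "__main__":
    for payload, reasons in triage(SAMPLE_CSV):
        print(f"review: {payload!r} differs in {', '.join(reasons)}")
```

A flagged row is only a candidate: whether it reflects a real vulnerability still requires inspecting the response against the target application.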

sania kanwal

Jun 24, 2022, 7:26:37 AM
to OWASP ZAP User Group
I take the Mutillidae vulnerable application, then I fuzz this application, and then I scan this application; from the scanning I get the vulnerability. Is this the correct procedure to create a dataset?

Simon Bennetts

Jun 24, 2022, 9:06:53 AM
to OWASP ZAP User Group
Well, it all depends on what you are trying to achieve, but that doesn't look like a normal approach to me.
If you are new to ZAP then have a look at the Getting Started Guide: https://www.zaproxy.org/getting-started/
You will see that this does not cover fuzzing - that's a manual (and advanced) technique.
The more usual approach is to explore the app (manually, using one of the spiders and/or by importing API definitions) and then use the Active Scanner.

Cheers,

Simon

sania kanwal

Jun 24, 2022, 12:38:22 PM
to OWASP ZAP User Group
Thank you so much for your reply.