Problem Fuzzing Websocket Requests with OWASP ZAP 2.4.2

Garth Boyd

Nov 3, 2015, 11:06:10 AM
to OWASP ZAP User Group
My understanding from the OWASP ZAP 2.4.2 help file is that I can use the fuzzer in OWASP ZAP to fuzz elements of a websocket request.

However, when I select a portion of the request in the request window and right-click, there is no fuzz menu. There is for normal HTTP requests.

In addition, when I create a new fuzzer from the fuzzer tab, the Message Type field only has HTTP.

Have I misunderstood ZAP's capabilities or have I missed some configuration item?

Thanks in advance


Simon Bennetts

Nov 3, 2015, 11:14:15 AM
to OWASP ZAP User Group
Unfortunately the advanced fuzzing changes introduced in 2.4.0 were not backwards compatible, and so we 'temporarily' dropped support for fuzzing websockets and client side messages :(
We always planned to support these soon, but other things got in the way.
The good news is that those changes are well underway and we plan to include them in the forthcoming 2.4.3 release which will be out very soon.

Cheers,

Simon

Garth Boyd

Nov 3, 2015, 11:21:01 AM
to OWASP ZAP User Group
In the meantime, which older version should I try?

Simon Bennetts

Nov 3, 2015, 11:28:09 AM
to OWASP ZAP User Group
2.3.1 is the one before that.
We used to make all of our old versions available for download via SourceForge, but we stopped using them for obvious reasons.
If you can't find what looks like a safe version then ping me and I'll make one available for you.

Cheers,

Simon

Garth Boyd

Nov 3, 2015, 11:33:32 AM
to OWASP ZAP User Group
Ya. I see that finding an alternative is dodgy at best. I will take you up on your gracious offer until 2.4.3 arrives.

Thanks again
Garth

Simon Bennetts

Nov 3, 2015, 12:53:34 PM
to OWASP ZAP User Group
For info I've emailed Garth a link to a temporary download for 2.3.1 ;)

garthoid

Nov 3, 2015, 1:59:42 PM
to zaprox...@googlegroups.com
snagged.

Thanks!

G
