Need help on analyzing the Fuzz results


Jack.Sekar

Jun 4, 2015, 2:54:29 PM
to zaprox...@googlegroups.com

Hi Group, I am new to security testing and ZAP; for one of my tasks I am using this tool. I watched a few videos on YouTube and went through the ZAP user group and found some details about what fuzzing and fuzz results are. One thing I do not understand is: when I got the fuzz results, a. Reflected and b. Successful,

1. Do I need to manually verify the Reflected payload value against the text field (where I performed the fuzz)?
(OR)
2. Do I need to verify the Successful payloads?

From YouTube: in some of the videos I see that, after fuzzing, the user checks only the reflected items and verifies those against the text field.

Also, I've seen the post below, which says that Reflected does not mean that there is a vulnerability present. The user then has to determine manually if there is a vulnerability.
https://groups.google.com/forum/#!topic/zaproxy-users/lDOLVDAjqY8
 - How do I determine that?

Please shed some light on this. Thanks in advance.
Jack Sekar

Simon Bennetts

Jun 5, 2015, 3:50:58 AM
to zaprox...@googlegroups.com, jack....@gmail.com
Hi Jack,

The active and passive scanners test for potential vulnerabilities where the code can determine if the issue is likely to be present.

Fuzzing is a manual technique.
You are using ZAP to send a set of payloads that you have specified, based on the type of vulnerability you are looking for.
ZAP provides info such as whether the payload was present in the response and the option to search for regexes.
However, only you can determine if the attack you specified found the vulnerability you were looking for.
You can use fuzzing to detect all sorts of issues: XSS, SQL injection, access control vulnerabilities.
ZAP has no way of knowing what you are looking for or how to tell if it happened.

Does that make any more sense?

Simon
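One way to act on the two pieces of information Simon describes (whether the payload appears in the response, and a regex search over responses) is a small triage pass like the one below. This is an added example, not code from the thread or from ZAP: the payload/response pairs and the error regexes are constructed, and a "raw" reflection or a regex hit is only a lead for manual review, not a confirmed vulnerability.

```python
import html
import re

# Constructed sample fuzz results: (payload, response body) pairs standing in
# for what a tester would read off ZAP's fuzzer results table. Not real output.
SAMPLE_RESULTS = [
    ("zapfuzz", "<p>You searched for: zapfuzz</p>"),
    ('"><zap1>', '<input value="&quot;&gt;&lt;zap1&gt;">'),
    ("' OR 1", "<p>Error: You have an error in your SQL syntax</p>"),
    ("nothing_here", "<p>No results found.</p>"),
]

# Regexes the tester supplies, in the spirit of ZAP's "search for regexes" option.
# Constructed examples of database error strings; extend them for the issue you hunt.
ERROR_PATTERNS = [
    re.compile(r"error in your SQL syntax", re.I),
    re.compile(r"ORA-\d{5}", re.I),
]


def classify(payload, body, patterns):
    """Classify one fuzz result: how the payload came back and which regexes matched."""
    if payload in body:
        reflection = "raw"        # echoed unchanged: inspect the surrounding HTML context
    elif html.escape(payload, quote=True) in body:
        reflection = "encoded"    # echoed but HTML-escaped: usually not an injection sink
    else:
        reflection = "none"
    hits = [p.pattern for p in patterns if p.search(body)]
    return {
        "payload": payload,
        "reflection": reflection,
        "regex_hits": hits,
        # Reflected or matched means "look at this by hand", not "vulnerable".
        "needs_review": reflection == "raw" or bool(hits),
    }


def triage(results, patterns=ERROR_PATTERNS):
    """Classify every (payload, body) pair so the tester can prioritise manual checks."""
    return [classify(payload, body, patterns) for payload, body in results]


if __name__ == "__main__":
    for r in triage(SAMPLE_RESULTS):
        print(f"{r['payload']!r:16} reflected={r['reflection']:8} "
              f"hits={r['regex_hits']} review={r['needs_review']}")
```

The third result shows why reflection alone is the wrong filter: the payload is not echoed at all, yet the regex hit is the one most worth a manual look.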

Jack.Sekar

Jun 6, 2015, 2:13:16 AM
to zaprox...@googlegroups.com, jack....@gmail.com

Thank you Simon for clarifying my doubt :)