ZAP Fuzzer - Delay not working properly when set to >1000

[KK]

Hello and a good day,

I experience an issue regarding the "delay when fuzzing". As soon as it is set to more than 1000ms (or even 1000ms) it does not seem to recognize the delay.

It does not matter, if it set via GUI options menu or API script.

(Using this relatively  new feature: https://github.com/zaproxy/zap-extensions/pull/3140 )

Is there any additional configuration neccesary to have ZAP use a delay of e.g. 3000ms between each scan? 

I just want to increase time between each request sent.

Thank you in advance and regards
Karl

[Simon Bennetts]

Hi Karl,

I've just tried this and you are right :/

I think the original fix didnt go far enough - the main Options / Fuzzer panel does now support > 1000ms but the Options panel in the Fuzzer dialog is still capped at 1000 ms.

https://github.com/zaproxy/zap-extensions/blob/main/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/impl/FuzzerOptionsPanel.java#L104-L108

I suspect that this is capping the limit at 1000ms but havnt actually checked that.

Cheers,

Simon

[KK]

Hi Simon,

thanks a lot for that speedy response - I guess, there is not really an easy workaround or hot fix I could use / test, right?

Sorry but I kind of have only a basic clue of programming, github etc. :)

If I understand correctly, the linked file is compiled and can not be altered with on my local machine.

Is this sth an issue should be opened?

Regards

Karl

[thc...@gmail.com]

Hi.

You can use a HTTP Sender script to delay the requests.

The original issue has been reopened.

Best regards.

[KK]

Hi!

Thanks a lot, way easier than I thought...

[kingthorin+owaspzap]

Fix in-bound: https://github.com/zaproxy/zap-extensions/pull/3246

[kingthorin+owaspzap]

An updated version of the add-on has been released with a fix for this issue.