How to verify the FUZZ results


Mohan PenTest

Jan 15, 2021, 6:12:48 AM
to OWASP ZAP User Group
Hello Team,

I am new to the ZAP tool and learning it.

Can anyone suggest to me how to verify the Fuzz scan results?

Currently, I am using the Fuzz technique to verify the input validation logic on the server-side.
I am posting random and malicious data on the input fields of the request.

Example -  One input field data type is String.

Following are the different payloads I am posting in this string type input field using the FUZZ.
1) Bulk string
2) Empty/Null
3) Integer/boolean input
4) SQL query
5) XSS text

Question 1: For all these payloads ZAP has made 55 requests to the server. Do I need to verify all 55 requests and responses to see if any vulnerability was found, or is there a smarter way to see the vulnerable Fuzz results?

Question 2: During the Fuzz run, if any vulnerability is found, will it be reported in the Alerts tab?

I appreciate your responses and suggestions.

Best Regards/Mohan





Simon Bennetts

Jan 15, 2021, 6:52:34 AM
to OWASP ZAP User Group
Welcome Mohan :)

Fuzzing is a manual process. ZAP doesn't 'know' what you are trying to do or what a potential vulnerability would look like, so it will not raise alerts for you.
If we know what to look for then we create active scan rules for those things :)
So you need to know the sort of things you are looking for.

To verify Fuzz results you can either use the Search tab and search for regexes or you can use an HTTP Message Processor: https://www.zaproxy.org/docs/desktop/addons/fuzzer/httpmessageprocessors/
You can write a new Fuzzer HTTP Processor script if the built-in ones don't do what you need: https://github.com/zaproxy/community-scripts/tree/master/httpfuzzerprocessor

Cheers,

Simon
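As an added illustration of Simon's second option (this is not code from the thread or from the community-scripts repository): a ZAP HTTP Fuzzer Processor script that tags each fuzz result in the State column so the 55 responses can be sorted instead of read one by one. The hook names and utils calls follow the community-scripts template; the X-Fuzz-Payloads tracking header, the DB error regex and the 50% size threshold are my own assumptions.

```javascript
// Added example, not from the thread or community-scripts. Hook names and utils calls
// follow the ZAP template; the header name, regex and threshold below are assumptions.
var PAYLOAD_HEADER = "X-Fuzz-Payloads";
// Constructed list of DB error fragments; extend it for the target's stack.
var SQL_ERROR_RE = /(syntax error|sql syntax|unclosed quotation|ORA-\d{5}|pg_query|mysql_fetch)/i;

// Pure classifier (testable outside ZAP): returns a State label, or "" if nothing stands out.
function classifyResponse(statusCode, body, payloads, baselineLength) {
  if (statusCode >= 500) {
    return "HTTP " + statusCode + " (server error)";
  }
  if (SQL_ERROR_RE.test(body)) {
    return "SQL error message in response";
  }
  for (var i = 0; i < payloads.length; i++) {
    var p = payloads[i];
    // Markup coming back byte-for-byte means the input was not encoded on output.
    if (p.length > 0 && /[<>"']/.test(p) && body.indexOf(p) !== -1) {
      return "payload reflected unencoded";
    }
  }
  // A response much larger or smaller than the unfuzzed one deserves a look.
  if (baselineLength > 0 && Math.abs(body.length - baselineLength) > baselineLength * 0.5) {
    return "response size differs >50% from baseline";
  }
  return "";
}

// Called before each fuzzed request is sent: record the injected payloads in a request
// header, because processResult cannot call utils.getPayloads() (per the template).
function processMessage(utils, message) {
  var payloads = utils.getPayloads();
  var parts = [];
  for (var i = 0; i < payloads.size(); i++) {
    parts.push(encodeURIComponent(String(payloads.get(i))));
  }
  message.getRequestHeader().setHeader(PAYLOAD_HEADER, parts.join(","));
}

// Called after each response: tag the result instead of reading all of them by hand.
function processResult(utils, fuzzResult) {
  var msg = fuzzResult.getHttpMessage();
  var hdr = msg.getRequestHeader().getHeader(PAYLOAD_HEADER);
  var payloads = hdr ? String(hdr).split(",").map(decodeURIComponent) : [];
  var status = msg.getResponseHeader().getStatusCode();
  var body = String(msg.getResponseBody().toString());
  var baseline = utils.getOriginalMessage().getResponseBody().length();
  var state = classifyResponse(status, body, payloads, baseline);
  if (state !== "") {
    fuzzResult.addCustomState("Finding", state);
  }
  return true; // keep every result; the State column now says which ones to open first
}
```

Add it as a script of type "HTTP Fuzzer Processor" in the Scripts tab, then select it under Message Processors in the Fuzz dialog; results tagged with a Finding state are the ones worth checking manually in the Search tab.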