Is it possible to add payload in ZAP?


Najam

Sep 14, 2016, 8:43:21 AM
to OWASP ZAP User Group

Hi Simon and ZAP team,

 

This question may be answered but I could not find an answer.

Could I add payloads in general and / or specific to a particular vulnerability in ZAP?

If yes, please guide to procedure URL.

 

Thanks,

Simon Bennetts

Sep 14, 2016, 9:00:59 AM
to OWASP ZAP User Group
Can you give us more information about what you are trying to do?

If you want to upload payloads via a file upload page then you can just use your browser for that.
If you want to write your own active scan rules then have a look at http://zaproxy.blogspot.fr/2014/04/hacking-zap-4-active-scan-rules.html
Note that ZAP also supports scripting, so you can download some examples from the community-scripts repo and then change them to do whatever you want.

Cheers,

Simon

Najam

Sep 14, 2016, 4:04:59 PM
to OWASP ZAP User Group

Thanks Simon,

I should have stated more information before :-(

I want to add the following XSS payloads to ZAP:

http://www.smeegesec.com/2012/06/collection-of-cross-site-scripting-xss.html

This can be used in Burp with the Intruder. The question is whether adding payloads to ZAP will allow better detection of XSS.

If there is a better method of achieving better detection by ZAP, kindly let me know.

Cheers

kingthorin+owaspzap

Sep 14, 2016, 4:41:28 PM
to OWASP ZAP User Group
So you have a few options.

1) You could write your own active scan rule to detect it based on whatever payload(s) you come up with.
2) You could use the fuzzer with whatever payload(s) you come up with. (This would be similar to using Burp Intruder)

Simon Bennetts

Sep 15, 2016, 6:52:34 AM
to OWASP ZAP User Group
The ZAP reflected XSS scan rule doesn't work by just throwing any old attacks at the target.
If it did that then we'd end up with lots of false positives and false negatives.
How would we know if any of the attacks work?
Different attacks will work or fail in different places in the same HTML file.
This is why we don't let you just add any attack you feel like.

The way that the current rule works is explained here: https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules#cross-site-scripting-reflected

I'm certainly not suggesting the current rule is perfect (we know it's not), so suggestions (and PRs ;) are welcome.
For those that are interested the code is here: TestCrossSiteScriptV2.java

The DOM XSS rule works differently - for that we could allow user defined attacks as we use a real browser and check for alerts being raised.
The attacks we use for that are defined here: TestDomXSS.java
Note that this takes _significantly_ longer to run than the Reflected XSS rule, so throwing a load more attacks in there could be counterproductive.

Cheers,

Simon
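Simon's point above, that the same input lands in different places in one HTML file and so needs a different check in each, as an added stand-alone example (not ZAP's code and not the rule he links): it locates every reflection of a harmless canary string in a constructed response and reports the parser context each one sits in. The canary, the sample page and the simplified context model are assumptions for the example.

```javascript
// Added example: classify where a reflected canary lands in an HTML response.
// A scanner that knows the context (text node, quoted attribute, comment,
// script) can pick a meaningful check for that spot instead of trying every
// payload everywhere. The model is deliberately simplified: no CDATA, no
// style blocks, no nested quoting inside event handlers.

// Constructed sample response echoing the canary in five different contexts.
const SAMPLE_PAGE = [
  '<html><body>',
  '<p>Hello CANARY1</p>',
  '<input type="text" value="CANARY1">',
  "<a href='/q?x=CANARY1'>link</a>",
  '<!-- debug: CANARY1 -->',
  '<script>var q = "CANARY1";</script>',
  '</body></html>',
].join('\n');

// Returns the context of the prefix html[0..pos) by walking the last open
// construct: comment, script element, tag (and its attribute quoting), or text.
function contextAt(html, pos) {
  const head = html.slice(0, pos);
  const lower = head.toLowerCase();
  const c = head.lastIndexOf('<!--');
  if (c !== -1 && head.indexOf('-->', c) === -1) return 'comment';
  const s = lower.lastIndexOf('<script');
  // In script body only if the opening tag is closed and no </script> follows.
  if (s !== -1 && lower.indexOf('>', s) !== -1 && lower.indexOf('</script', s) === -1) {
    return 'script';
  }
  const lt = head.lastIndexOf('<');
  if (lt > head.lastIndexOf('>')) {
    // Inside a tag: track the currently open attribute quote, if any.
    let quote = null;
    for (const ch of head.slice(lt)) {
      if (quote) { if (ch === quote) quote = null; }
      else if (ch === '"' || ch === "'") quote = ch;
    }
    if (quote === '"') return 'attribute-double-quoted';
    if (quote === "'") return 'attribute-single-quoted';
    return 'tag';
  }
  return 'text';
}

// Every reflection of `canary`, in document order, with its context.
function classifyReflections(html, canary) {
  const contexts = [];
  for (let at = html.indexOf(canary); at !== -1; at = html.indexOf(canary, at + canary.length)) {
    contexts.push(contextAt(html, at));
  }
  return contexts;
}

console.log(classifyReflections(SAMPLE_PAGE, 'CANARY1'));
```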