Active Scan Custom Vectors Replacing the Wrong Characters


David Sims

Oct 13, 2018, 12:27:57 PM
to OWASP ZAP User Group
Hi,

Has anybody used the Custom Vectors in Active Scan?

The characters I highlight and add to the Vectors list do not get replaced by the attack input parameters. The attack input parameters are replaced elsewhere in the request.

Thanks for any help on this matter.

Dave

David Sims

Oct 13, 2018, 3:58:37 PM
to OWASP ZAP User Group
I have managed to accomplish the same functionality using a different technique. Instead of using Custom Vectors I have excluded all parameters not needed in the Input Vectors tab of the Active Scan dialog. Now the active scan will only include parameters I want to attack.

hauschu...@gmail.com

Oct 15, 2018, 2:19:05 AM
to OWASP ZAP User Group
Good to know!

Did you let the first scan with Custom Vectors go to completion? I.e., did it use payloads on your custom vectors after exhausting all of the normal ones? Or did it not work at all?

thc...@gmail.com

Oct 15, 2018, 4:15:45 AM
to zaprox...@googlegroups.com
In the Custom Vectors tab there's an option ("Disable non custom input
vectors") to disable all other Input Vectors if you just want to use the
custom ones.

Best regards.

David Sims

Oct 15, 2018, 8:48:12 AM
to OWASP ZAP User Group
Hi,

This problem occurs when I check "Disable non custom input vectors". The character index used to replace the characters does not seem to be calculated correctly and I can figure out the offset. If it replaces 20 characters to the left of the characters I highlighted then I can highlight 20 characters to the right and get the desired result.

I let the first scan go to completion and it did use my payloads, just replaced the wrong characters.

Kind Regards,
Dave

kingthorin+owaspzap

Oct 15, 2018, 12:08:46 PM
to OWASP ZAP User Group
Could you provide some specifics:

  • What type of request is it? (method/verb?)
  • Are you defining your points in the header or body or both?
  • If in the body, is the request XML or JSON? Is it a multi-part form post?
  • Is it off if you only specify a single Custom Vector?

David Sims

Oct 15, 2018, 3:53:21 PM
to OWASP ZAP User Group
Hi,

I tried out my test on www.webscantest.com to make sure it was not specific to the website I was pen testing. I have attached screenshots with steps used to reproduce.

It is a POST request with attack points in the body of a multi-part form.
I tried it with non custom input vectors enabled and disabled and the issue occurs with both settings.

Let me know if you need any more info.

Thanks,
Dave

Custom Input Vector Behavior.pdf

thc...@gmail.com

Oct 16, 2018, 11:20:44 AM
to zaprox...@googlegroups.com
Thanks! An issue has been raised:
https://github.com/zaproxy/zaproxy/issues/5060

Best regards.

David Sims

Oct 16, 2018, 11:13:45 PM
to OWASP ZAP User Group
Many thanks!

This will be a great feature.
