Fuzzing

sania kanwal

unread,

Jul 1, 2022, 12:46:44 AM7/1/22

to OWASP ZAP User Group

when i perform fuzzing no vulnerability in alert tab....what is the reseon?

thc...@gmail.com

unread,

Jul 1, 2022, 1:04:00 AM7/1/22

to zaprox...@googlegroups.com

Hi.

The fuzzer is a manual tool, it will not raise alerts automatically.
https://www.zaproxy.org/docs/desktop/addons/fuzzer/

The active scanner will do that though:
https://www.zaproxy.org/docs/desktop/start/features/ascan/

Best regards.

sania kanwal

unread,

Jul 1, 2022, 1:31:59 AM7/1/22

to OWASP ZAP User Group

First, I fuzz the application and then perform an active scan?

Simon Bennetts

unread,

Jul 1, 2022, 2:37:28 AM7/1/22

to OWASP ZAP User Group

If you dont know when to use the fuzzer then you shouldnt be using it :)

If you are new to ZAP then dont worry about it for now, it is unlikely to help you at this stage.

Cheers,

Simon

sania kanwal

unread,

Jul 1, 2022, 7:16:36 AM7/1/22

to OWASP ZAP User Group

I really need your help I want to generate data through fuzzing. I have applied zap proxy I fuzz the application. but no idea what I do next . i send you a screenshort.

sania kanwal

unread,

Jul 1, 2022, 7:18:32 AM7/1/22

to OWASP ZAP User Group

I really need your help I want to generate data through fuzzing. I have applied zap proxy I fuzz the application. but no idea what I do next. I send you a screenshot.

fuzz.png

sania kanwal

unread,

Jul 1, 2022, 7:21:51 AM7/1/22

to OWASP ZAP User Group

mutillidae application has LDAP injection vulnerability but when I perform active scan zap not showing result in alert tab.

Simon Bennetts

unread,

Jul 1, 2022, 8:42:28 AM7/1/22

to OWASP ZAP User Group

Ah, thats what we needed to know :)

Are you sure you are fuzzing the right request and the right parameter value?

Do you know what to look for if an LDAP injection succeeds?

Cheers,

Simon

sania kanwal

unread,

Jul 1, 2022, 12:26:28 PM7/1/22

to OWASP ZAP User Group

can you help what should it show if LDAP injection succeeds?

for fuzzing according to me I follow the right path ... zap proxy apply then I intercept the page enter something in the text field of the application then at zap I click on the site tree specific URL that I want to fuzz click the attack tab then fuzz select specific point like password add payload from fuzzer file then it starts fuzzing..results here

fuzz.png

Simon Bennetts

unread,

Jul 4, 2022, 3:55:27 AM7/4/22

to OWASP ZAP User Group

If we knew how to tell an app was vulnerable to a specific vulnerability then we would implement that check in the relevant rule :)

So Fuzzing the the technique to use when the ZAP rules dont find something, but what to detect is the thing you have to work out.

Which payloads are you using?

Its possible that the ones you are using are not triggering the vulnerability.

Cheers,

Simon

sania kanwal

unread,

Jul 5, 2022, 1:44:00 AM7/5/22

to OWASP ZAP User Group

I have sent you a word file with a screen short that help how I am working I want to detect LDAP injection and Buffer Overflow but not getting result plz view my document.

App Demo.docx

Simon Bennetts

unread,

Jul 5, 2022, 4:06:24 AM7/5/22

to OWASP ZAP User Group

I'm afraid I'm not going to open a random word file ;)

I'm also not in a position where I'm able to find the time to look into this right now.

However this is an excellent learning opportunity for you!

If ZAP just detected it then you probably wouldnt learn anything.

However if you can work out how to detect it yourself then you will learn a LOT more.

You then might be able to help us enhance ZAP to detect it automatically in the future.