Fuzzing

72 views
Skip to first unread message

sania kanwal

unread,
Jul 1, 2022, 12:46:44 AMJul 1
to OWASP ZAP User Group
when i perform fuzzing no vulnerability in alert tab....what is the reseon?

thc...@gmail.com

unread,
Jul 1, 2022, 1:04:00 AMJul 1
to zaprox...@googlegroups.com
Hi.

The fuzzer is a manual tool, it will not raise alerts automatically.
https://www.zaproxy.org/docs/desktop/addons/fuzzer/

The active scanner will do that though:
https://www.zaproxy.org/docs/desktop/start/features/ascan/

Best regards.

sania kanwal

unread,
Jul 1, 2022, 1:31:59 AMJul 1
to OWASP ZAP User Group
First, I fuzz the application and then perform an active scan?

Simon Bennetts

unread,
Jul 1, 2022, 2:37:28 AMJul 1
to OWASP ZAP User Group
If you dont know when to use the fuzzer then you shouldnt be using it :)
If you are new to ZAP then dont worry about it for now, it is unlikely to help you at this stage.

Cheers,

Simon

sania kanwal

unread,
Jul 1, 2022, 7:16:36 AMJul 1
to OWASP ZAP User Group

I really need your help I want to generate data through fuzzing. I have applied zap proxy I fuzz the application. but no idea what I do next . i send you a screenshort.

sania kanwal

unread,
Jul 1, 2022, 7:18:32 AMJul 1
to OWASP ZAP User Group

I really need your help I want to generate data through fuzzing. I have applied zap proxy I fuzz the application. but no idea what I do next. I send you a screenshot.
fuzz.png

sania kanwal

unread,
Jul 1, 2022, 7:21:51 AMJul 1
to OWASP ZAP User Group
mutillidae application has LDAP injection vulnerability but when I perform active scan zap not showing result in alert tab.

Simon Bennetts

unread,
Jul 1, 2022, 8:42:28 AMJul 1
to OWASP ZAP User Group
Ah, thats what we needed to know :)

Are you sure you are fuzzing the right request and the right parameter value?
Do you know what to look for if an LDAP injection succeeds?

Cheers,

Simon

sania kanwal

unread,
Jul 1, 2022, 12:26:28 PMJul 1
to OWASP ZAP User Group
can you help what should it show if LDAP injection succeeds?
for fuzzing according to me I follow the right path ... zap proxy apply then I  intercept the page enter something in the text field of the application then at zap I click on the site tree specific URL that I want to fuzz click the attack tab then fuzz select specific point like password add payload from fuzzer file then it starts fuzzing..results here

fuzz.png

Simon Bennetts

unread,
Jul 4, 2022, 3:55:27 AMJul 4
to OWASP ZAP User Group
If we knew how to tell an app was vulnerable to a specific vulnerability then we would implement that check in the relevant rule :)
So Fuzzing the the technique to use when the ZAP rules dont find something, but what to detect is the thing you have to work out.
Which payloads are you using?
Its possible that the ones you are using are not triggering the vulnerability.

Cheers,

Simon

sania kanwal

unread,
Jul 5, 2022, 1:44:00 AMJul 5
to OWASP ZAP User Group
I have sent you a word file with a screen short that help how I am working I want to detect LDAP injection and Buffer Overflow but not getting result plz view my document.
App Demo.docx

Simon Bennetts

unread,
Jul 5, 2022, 4:06:24 AMJul 5
to OWASP ZAP User Group
I'm afraid I'm not going to open a random word file ;)
I'm also not in a position where I'm able to find the time to look into this right now.
However this is an excellent learning opportunity for you!
If ZAP just detected it then you probably wouldnt learn anything.
However if you can work out how to detect it yourself then you will learn a LOT more.
You then might be able to help us enhance ZAP to detect it automatically in the future.

Cheers,

Simon
Reply all
Reply to author
Forward
0 new messages