struggling with Brute force sorry!


Gary Stephens

Mar 9, 2026, 2:19:51 PM
to ZAP User Group
So as the title says.
I tried authenticating a known user and PW to test my setup; I then set up a test for an unknown BF attack.
What I am seeing is that when I proxy the traffic on my Mac, running Chrome, the username is in clear text but the PW is encrypted, as in:

<SessionLogin><userName>bob</userName><password>f682091852f6aad44f2d624256543e20ca1d7ae1f4fa40698b7cdd1b954aa8df</password><sessionID>114944cacb1d5e9a3c11</sessionID></SessionLogin>=sanitizedtoken0&


So if I set up a Fuzz, it fails unless I use the hashed value of the PW as above. Clearly this is not going to work, so my question is: how do I get the Fuzzer to send the PW from the file where it's in plain text?

Apologies for being a numpty, but I can't find the answer anywhere...

Saul Javier

Mar 10, 2026, 9:03:26 PM
to ZAP User Group
If you don't want to precalculate the hashes for the brute-force attacks, you can write a Payload Generator script. With that you can load plaintext passwords and have the script calculate the hash and substitute it as the payload. An example can be found in the ShaSigned lab in the following post; that example is a bit different, but since your scenario is simpler there shouldn't be any problem.
https://www.zaproxy.org/blog/2025-10-15-solving-caido-labs/#shasigned

Gary Stephens

Mar 11, 2026, 2:43:17 PM
to ZAP User Group
You are a star! Thanks :-)