ZAP Fuzzer Scripting: 2FA Brute-Force
323 views
Skip to first unread message
Bruno Ronda
Mar 31, 2022, 10:12:45 AM3/31/22
to OWASP ZAP User Group
Hi Everyone,
Please help me out here with this issue:
I am testing a web app that uses 2FA with flawed logic, so the mfa code is vulnerable to brute force. Like many of you I am lazy and want to focus on the app, not the tool, so decided to automate that testing with a simple script, as shown below:
// generates all 4-digit combinations using the pattern 0000,0001,0002 etc until 9999
function generateCodeMfa () {
var mfaCode = [],n,padded;
for (n=0; n<=9999; n++) {
padded = ('000'+n).slice(-4);
mfaCode.push(padded);
}
return mfaCode
}
//print(generateCodeMfa().join("\n"));
function processMessage(utils, message) {
var mfa-code = message.getRequestBody().setFormParams(generateCodeMfa());
}
function processResult(utils, fuzzResult){
return true;
}
function getRequiredParamsNames(){
return [];
}
function getOptionalParamsNames(){
return [];
}
function generateCodeMfa () {
var mfaCode = [],n,padded;
for (n=0; n<=9999; n++) {
padded = ('000'+n).slice(-4);
mfaCode.push(padded);
}
return mfaCode
}
//print(generateCodeMfa().join("\n"));
function processMessage(utils, message) {
var mfa-code = message.getRequestBody().setFormParams(generateCodeMfa());
}
function processResult(utils, fuzzResult){
return true;
}
function getRequiredParamsNames(){
return [];
}
function getOptionalParamsNames(){
return [];
}
I have the script above under HTTP Fuzzer scripts, but it is not capturing the parameter mfa-code from my app and setting its value to the generated pattern above. Am I missing something here: message.getRequestBody().setFormParams(generateCodeMfa());?
The form to submit the mfa-code has got only one parameter, the mfa code.
Thank you to everybody
Simon Bennetts
Apr 5, 2022, 9:04:51 AM4/5/22
to OWASP ZAP User Group
Are you getting any errors when this script runs?
The HttpRequestBody.setFormParams(postParams) method takes a TreeSet as a parameter: https://javadoc.io/doc/org.zaproxy/zap/latest/org/zaproxy/zap/network/HttpRequestBody.html
I suspect that your generateCodeMfa function is not returning a TreeSet or something that will be cast as one.
You might find it easier to construct the request body yourself rather than using the setFormParams method.
Cheers,
Simon
Bruno Ronda
Apr 11, 2022, 10:45:02 AM4/11/22
to OWASP ZAP User Group
Hi Simon,
No errors when the script runs. In the console it works as expected. Actually, to solve my problem I used the console output with all numbers, copied them to a txt file and loaded the payloads on fuzzer, rather than generating the payloads on the fly.
Will have a look at the link you shared and if the issue persists, or if I fix it, let the Group know.
Truly yours
Simon Bennetts
Apr 11, 2022, 10:58:04 AM4/11/22
to OWASP ZAP User Group
FYI you dont actually need to write a scipt for this (although scripts should work in any case).
Cheers,
Simon
Bruno Ronda
May 6, 2022, 3:29:18 PM5/6/22
to OWASP ZAP User Group
Thanks Simon. That article you pointed me to is really great. Issue solved
Reply all
Reply to author
Forward
0 new messages