Fuzz
The main options we need to configure for our Fuzzer attack are:
- Fuzz Location
- Payloads
- Processors
- Options
Locations
The Fuzz Location is very similar to Intruder Payload Position, where our payloads will be placed. To place our location on a certain word, we can select it and click on the Add button on the right pane. So, let’s select test and click on Add:
Payloads
The attack payloads in ZAP’s Fuzzer are similar in concept to Intruder’s Payloads, though they are not as advanced as Intruder’s. We can click on the Add button to add our payloads and select from 8 different payload types. The following are some of them:
File: This allows us to select a payload wordlist from a file.File Fuzzers: This allows us to select wordlists from built-in databases of wordlists.Numberzz: Generates sequences of numbers with custom increments.
Processors
We may also want to perform some processing on each word in our payload wordlist. The following are some of the payload processors we can use:
- Base64 Decode/Encode
- MD5 Hash
- Postfix String
- Prefix String
- SHA-1/256/512 Hash
- URL Decode/Encode
- Script
Options
Finally, we can set a few options for our fuzzers, similar to what we did with Burp Intruder. For example, we can set the Concurrent threads per scan to 20, so our scan runs very quickly:
We may also choose to run through the payloads Depth first, which would attempt all words from the wordlist on a single payload position before moving to the next (e.g., try all passwords for a single user before brute-forcing the following user). We could also use Breadth first, which would run every word from the wordlist on all payload positions before moving to the next word (e.g., attempt every password for all users before moving to the following password).
Start
With all of our options configured, we can finally click on the Start Fuzzer button to start our attack. Once our attack is started, we can sort the results by the Response code, as we are only interested in responses with code 200: