In last post we saw how to setup ZAP proxy -
Spider And Active Scan
Whenever you decide to attack an URL that you see in ZAP's home page ZAP will crawl the page, find out other relevant links that the base URL may refer to in response. It also figures out GET/POST requests applicable. This is basically spider attack.
For demo purposes I am going to attack following URL -
It' a simple problem where you have to exploit few vulnerabilities to guess the password :)
Next ZAP will scan all the relevant applicable URL with test request params. It shows various attributes like response code, response bytes etc. You can also see the raw request/response with right click the request entry in Active scan. You can also see list of applicable URLs in the left panel.
NOTE : One good trick to inspect irregular behavior is to inspect the size of response and inspect further the ones you see fishy.
Another useful feature is "Resend" . Just right click the request on left panel and select resend. You can then edit the request as per your wish (edit request params, headers add cookies etc) and send.
This is a very handy feature that I loved in ZAP. Input a String and it will give you it's Encoding/Decoding/Hash whatever you need -
You can access this from Tools -> Encode/Decode/Hash
If you don't know what fuzzing is -
"Fuzz testing or Fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion. "
More details -
select the URL you want to fuzz -> Right click -> Attack -> Fuzz
You will need to highlight the area you want to fuzz and select add payload. The highlighted area can be anything - request parameter, cookie value, header etc. Also payload can be anything list of strings, scripts to be injected random values , alphabets etc.
Sample example is screenshot below -
In above example I have highlighted "ZAP" which is the password. So I am going to fuzz various values of passwords. Next click Add to add payloads. You can define your own sets of string as well. I am using inbuilt file fuzzer that provided pre defined sets of strings. Finally click "Start Fuzzer" to start fuzzing.
NOTE : Again as I mentioned before it is always advantageous to sort response size to check unusual response to exploit :)
So far I have explored these. Will keep you updated :)