OWASP's ZAP and the Fuzz ability

James Craig · Dec 30, 2013

My scenario:

I navigate to a login page. I put in a known username with a bad password. ZAP picks this up no issue.

I select the POST to the login page. I find the lines that contain the Username and password. The password: ctl00%24ContentPlaceHolder1%24cpLoginAspx%24ctl00%24LoginControl1%24LTLogin%24Password=12345&

I highlight the 12345 and right click to select Fuzz. I had put in a custom list with the correct password for the test account and I select that.

When I do, it works its way through the list as I expected, changing the 12345 to the various options in the list.

But, when it gets to the word I KNOW is the correct password, it does nothing different to alert me that it was correct. The password in this case was Password5. I expected that it would reflect or something showing it was directed to a new page. But, that happens for 'password', which is not correct for the test user.

I see this in the Fuzzer tab: [screenshot]

Answer

Simon Bennetts · Dec 31, 2013

OK, I think the first point you're raising is that ZAP doesn't pick up that you've tried an invalid password. That is not a security risk - you supplied a bad password, the app didn't let you in. Everything's working as it should.

ZAP will only alert you of vulnerabilities via the active or passive scanners. The fuzzer is for manual testing. If we work out a way to automate the detection of a vulnerability then we put that in the active or passive scanners :) So you have to interpret the fuzzer results rather than expect ZAP to do that for you. In any case, successfully logging in is not a vulnerability (in ZAP's terms).

What the fuzzer will tell you is if the string you supplied was included in the response (which is useful when looking for XSSs), the response code, the time taken and the response length.

When logging in I'd expect that the response length would be significantly different, so one option would be to look for a response with a length significantly different to the others.

However, the easiest option is probably to search the fuzz results. To do this go to the Search tab, select 'Fuzz Results' in the pull-down and either search for a string that you know will be shown when you successfully log in, or do an inverse search for a string that you know will be shown when you fail to log in.

Does that help?

Note that we do have a load of info on the ZAP wiki, including videos, FAQs and much more: http://code.google.com/p/zaproxy/wiki/Introduction

BTW we do have a ZAP user group which is intended for exactly this sort of question: http://groups.google.com/group/zaproxy-users You can also access it via the ZAP 'Online / ZAP User Group' menu item. I try to keep an eye on forums, but there are so many that some questions are bound to slip through.

If anyone can suggest how I can convince people to use the ZAP user group (which all the ZAP developers subscribe to) instead of general purpose forums like this (which is very useful for other questions) then I'd be very grateful :)

Simon (ZAP Project Lead)
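The answer's point is that the fuzzer reports raw facts (payload reflected or not, status code, response length) and the tester does the interpretation. The script below, added here as an example and not part of ZAP or of the answer, applies those same three reads plus the Search tab's inverse search to a constructed set of fuzz result rows; the row layout, bodies and payloads are invented for illustration.

```python
from collections import Counter
from statistics import median

# Constructed stand-in for the rows the ZAP Fuzzer tab shows (payload, status, body).
# Every value here is invented; the point is the shape of a run, not real responses.
SAMPLE_RESULTS = [
    {"payload": "12345",     "status": 200, "body": "<html>Login failed: invalid credentials</html>"},
    {"payload": "password",  "status": 200, "body": "<html>Login failed: invalid credentials</html>"},
    {"payload": "<b>x</b>",  "status": 200, "body": "<html>Login failed: invalid credentials <b>x</b></html>"},
    {"payload": "letmein",   "status": 200, "body": "<html>Login failed: invalid credentials</html>"},
    {"payload": "Password5", "status": 302, "body": ""},
]

def reflected(results):
    """The fuzzer's 'string included in response' column: rows echoing the payload back."""
    return [r for r in results if r["payload"] and r["payload"] in r["body"]]

def status_outliers(results):
    """Rows whose status code differs from the most common code across the run."""
    common, _ = Counter(r["status"] for r in results).most_common(1)[0]
    return [r for r in results if r["status"] != common]

def length_outliers(results, tolerance=0.25):
    """Rows whose body length deviates from the median by more than `tolerance`.
    A 25% band means a reflected payload of a few bytes is not flagged by itself."""
    med = median(len(r["body"]) for r in results)
    return [r for r in results if abs(len(r["body"]) - med) > tolerance * med]

def search(results, needle, invert=False):
    """Search tab with 'Fuzz Results' selected: rows containing `needle`, or with
    invert=True the inverse search, i.e. rows that do NOT contain it."""
    return [r for r in results if (needle in r["body"]) != invert]

def triage(results, failure_marker):
    """Combine the reads into one report: payload -> list of reasons it stood out."""
    report = {}
    checks = [("reflected", reflected(results)),
              ("status", status_outliers(results)),
              ("length", length_outliers(results)),
              ("no_failure_marker", search(results, failure_marker, invert=True))]
    for name, rows in checks:
        for r in rows:
            report.setdefault(r["payload"], []).append(name)
    return report

if __name__ == "__main__":
    for payload, reasons in triage(SAMPLE_RESULTS, "Login failed").items():
        print(f"{payload!r}: {', '.join(reasons)}")
```

Note that the reflected row is flagged only by the reflection check, which is the XSS-hunting signal the answer mentions, while the one row that changed status, length and lost the failure string stands out on all three.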