
Lesson 4 Demo 2

Fuzzing

Objective: To use fuzzing with OWASP ZAP

Tools required: Windows 10 VM

Prerequisites: None

OWASP ZAP (Zed Attack Proxy) is an open-source DAST tool to find security vulnerabilities in
web applications. It includes both automated scanning for vulnerabilities and tools to assist
expert manual web app pen testing.

Fuzzing is an automated software testing approach that involves randomly introducing
erroneous and unexpected inputs and data into a computer program to identify coding flaws
and security gaps.

Steps to be followed:

1. Targeting a site using OWASP ZAP

2. Applying an automated SQL Injection attack on the site using fuzzing

Step 1: Targeting a site using OWASP ZAP


1.1 Launch the Windows 10 VM, open OWASP ZAP, and click on the link to open the Firefox browser
preconfigured to proxy through ZAP

Note: If the Firefox icon is not visible due to screen resolution, try to increase the
resolution to the maximum (refer to the lab guide).

After clicking on the Firefox icon, a new Firefox browser should open with the
following message:

Explore your application with ZAP

1.2 In the Firefox browser, type the following link in the URL bar:

http://testphp.vulnweb.com/

1.3 Click Continue to your target to proceed


Note: If the page has an error while loading, try to increase the connection timeout
(refer to the screenshot below) or refresh the page.

1.4 Click on Your Profile link


1.5 In the username and password fields, enter admin and admin respectively (or any other
value)

Note: These credentials are invalid and will fail. However, OWASP ZAP will capture these
values.

Step 2: Applying an automated SQL Injection attack on the site using fuzzing

2.1 In the OWASP ZAP application, expand the vulnerable application link in the Sites panel.
Next, click on the Request & Response tab

Note: You should see the uname and pass values entered in Step 1.5.

2.2 Right-click on the uname value admin and select Add

2.3 In the Payloads window, click the Add button

2.4 In the Add Payload window, select File Fuzzers from the dropdown

2.5 Expand jbrofuzz, select Injection->MySQL Injection 101, and click the Add button

2.6 In the Fuzzer window, select the pass value admin. Click the Add button to add a new Fuzz
location for the password, and repeat Steps 2.3 to 2.6 to add the payload for the password

2.7 In the Fuzzer window, click the Start Fuzzer button

Note:

● The scan should complete in a few minutes. You can see the scan results in the
Fuzzer tab.

● Click on the Code column to sort the results by response code. Code 200 represents a
successful attack.

● Click on any one response with code 200 to see the successful values for
admin/password used for SQL injection.
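As an added, defender-side example (not part of this lab guide): a fuzzer run like the one above leaves a distinctive trace in the web server's access log, a burst of POSTs to the login endpoint from a single client with a spread of status codes and response sizes. The script below, written for this page, assumes Apache/nginx combined log format and a constructed /login path; the sample log lines are invented.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: client, ident, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def detect_login_fuzzing(lines, login_path="/login", window_s=60, threshold=20):
    """Flag clients that POST to login_path >= threshold times within window_s seconds.
    Returns {ip: {"count", "statuses", "distinct_sizes"}} for flagged clients; the
    status spread and number of distinct body sizes help triage the alert."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs inside the window
    stats = defaultdict(lambda: {"count": 0, "statuses": defaultdict(int), "sizes": set()})
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window_s:   # slide the window forward
            q.popleft()
        st = stats[rec["ip"]]
        st["count"] += 1
        st["statuses"][rec["status"]] += 1
        st["sizes"].add(rec["size"])
        if len(q) >= threshold:
            flagged[rec["ip"]] = {"count": st["count"], "statuses": dict(st["statuses"]),
                                  "distinct_sizes": len(st["sizes"])}
    return flagged

def build_sample_log():
    """Constructed sample (hypothetical addresses): one client replaying a payload list
    against the login form once per second, plus a normal user logging in once."""
    fuzzer = [f'203.0.113.7 - - [10/Mar/2024:10:00:{i:02d} +0000] "POST /login HTTP/1.1" '
              f'{500 if i % 7 == 0 else 200} {3021 + (i % 3) * 40}' for i in range(30)]
    normal = ['198.51.100.4 - - [10/Mar/2024:10:00:05 +0000] "GET /login HTTP/1.1" 200 1200',
              '198.51.100.4 - - [10/Mar/2024:10:00:20 +0000] "POST /login HTTP/1.1" 302 0']
    return fuzzer + normal
```

Because fuzz payloads travel in the POST body, the access log never shows them; the rate and the response variance are what an analyst has to alert on.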
