05 3 Fuzzing
Fuzzing
Prerequisites: None
OWASP ZAP (Zed Attack Proxy) is an open-source DAST tool to find security vulnerabilities in
web applications. It includes both automated scanning for vulnerabilities and tools to assist
expert manual web app pen testing.
Steps to be followed:
After clicking on the Firefox icon, a new Firefox browser should open with the
following message:
1.2 In the Firefox browser, enter the following link in the URL bar:
http://testphp.vulnweb.com/
Note: These credentials are invalid and will fail. However, OWASP ZAP will capture these
values.
Step 2: Applying an automated SQL Injection attack on the site using fuzzing
2.1 In the OWASP ZAP application, expand the vulnerable application link in the Sites panel.
Next, click on the Request & Response tab.
Note: You should see the uname and pass values entered in Step 1.5.
2.4 In the Add Payload window, select File Fuzzers from the dropdown.
2.5 Expand jbrofuzz, select Injection->MySQL Injection 101, and click the Add button.
2.6 In the Fuzzer window, select the pass value admin. Click the Add button to add a new Fuzz
location for the password, and repeat Steps 2.3 to 2.6 to add a payload for the password.
2.7 In the Fuzzer window, click the Start Fuzzer button.
Note:
● The scan should complete in a few minutes. You can see the scan results in the
Fuzzer tab.
● Click on the Code tab to sort by response code. Code 200 represents a
successful attack.
● Click on any one response with code 200 to see the successful values for
admin/password used for SQL injection.
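When many fuzzer rows come back with code 200, comparing each one with the failed login recorded in Step 1 narrows down which ones to open. The following is an added example, not part of the original lab or of OWASP ZAP: the `Result` type, the `triage` function and all sample responses are constructed for illustration, and it assumes an application whose failed-login page also returns code 200.

```python
from dataclasses import dataclass

# Substrings typical of MySQL errors leaking into a page (assumed list, extend as needed).
SQL_ERROR_HINTS = ("you have an error in your sql syntax", "warning: mysql")

@dataclass
class Result:
    label: str  # opaque label for the fuzzed value that produced this row
    code: int   # HTTP status code, as shown in the Code column
    body: str   # response body

def triage(baseline, rows, fail_marker, tol=0.10):
    """Return {label: [reasons]} for rows that differ from the failed-login baseline."""
    flagged = {}
    base_len = len(baseline.body)
    for r in rows:
        reasons = []
        low = r.body.lower()
        if r.code != baseline.code:
            reasons.append(f"status {baseline.code} -> {r.code}")
        # Relative size change beyond the tolerance suggests a different page.
        if base_len and abs(len(r.body) - base_len) / base_len > tol:
            reasons.append(f"size {base_len} -> {len(r.body)}")
        # The text shown on a failed login is gone: the login check may have passed.
        if fail_marker.lower() not in low:
            reasons.append("failure marker missing")
        if any(hint in low for hint in SQL_ERROR_HINTS):
            reasons.append("SQL error text in body")
        if reasons:
            flagged[r.label] = reasons
    return flagged

# Constructed sample data (not captured from any real site).
FAIL = "<html><body><p>Invalid username or password.</p><form>login</form></body></html>"
BASELINE = Result("baseline", 200, FAIL)
ROWS = [
    Result("fuzz-01", 200, FAIL),
    Result("fuzz-02", 200, "<html><body><h1>Welcome back</h1><p>Account details ...</p>"
                           "<a>Logout</a></body></html>"),
    Result("fuzz-03", 200, FAIL + "Warning: mysql_fetch_array() expects parameter 1 to be resource"),
    Result("fuzz-04", 500, "Internal Server Error"),
]

if __name__ == "__main__":
    for label, reasons in triage(BASELINE, ROWS, "Invalid username or password").items():
        print(label, "->", "; ".join(reasons))
```

In this sample, fuzz-02 is flagged only because the failure text is missing, since its size stays within the tolerance; this is why the body is compared as well as the code and size.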