Fuzzing on ZAP

Options Fuzz screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Fuzzer screen

This screen allows you to configure the fuzzing options:

Default Category

The category that will initially be selected when the Fuzz dialog is displayed.

Fuzzer dialog

Mon, 01 Jan 0001 00:00:00 +0000

Fuzzer dialog

This allows you to select the fuzzers to use when fuzzing a request.

Fuzz Locations tab

To configure the fuzzing:

HTTP Message Processors

Mon, 01 Jan 0001 00:00:00 +0000

HTTP Message Processors

HTTP Message Processors can access and change the HTTP messages being fuzzed, control the fuzzing process, and interact with the ZAP UI.

Built-in HTTP Message Processors include:

Anti-CSRF Token Refresher

Allows to refresh anti-CSRF tokens contained in the request. The anti-CSRF tokens must be properly detected by ZAP to be able to use this processor.
For more information consult the help page “Getting Started” > “Features” > “Anti CSRF Tokens”.
Note: This processor is automatically added to the list of processors, if anti-CSRF tokens were detected.

Fuzz Location Processors dialog

Mon, 01 Jan 0001 00:00:00 +0000

Fuzz Location Processors dialog

This allows you to select the payload processors to use with all payload generators.

The built-in payload processors included are the same that are available via the Payload Processors dialog.

Accessed via


	Fuzzer dialog ‘Processors…’ button


	Fuzzer concepts

Payloads dialog

Mon, 01 Jan 0001 00:00:00 +0000

Payloads dialog

This allows you to select the payload generators to use when fuzzing a request.

Payload generators generate the raw values or attacks that the fuzzer submits to the target application.

The following types of generators are provided by default:

Empty/Null - generates the selected payload multiple times, leaving the message without changes. This payload generator is useful to send multiple messages that are later processed, for example, with a Fuzzer HTTP Processor (Script).
File - select any local file for one off attacks
File Fuzzers - select any combination of the fuzzing files registered with ZAP, e.g. via add-ons like fuzzdb
Numberzz - allows to easily generate a sequence of numbers, with custom increment
Regex - generate attacks based on regex patterns
Strings - raw strings, which can be entered manually or pasted in
Script - custom scripts that can generate any payloads required
Json - generate attacks by fuzzing the provided json

You can write custom payload generator scripts - these can supply any payloads that you need.

Payload Processors dialog

Mon, 01 Jan 0001 00:00:00 +0000

Payload Processors dialog

This allows you to select the payload processors to use with specific payload generators.

Built-in payload processors include:

Base64 Decode
Base64 Encode
Expand (to a minimum specified length)
JavaScript Escape
JavaScript Unescape
MD5 Hash
Postfix String
Prefix String
SHA-1 Hash
SHA-256 Hash
SHA-512 Hash
Trim
URL Decode
URL Encode

You can also write custom payload processor scripts - these can perform any manipulation of the payload that you need.

Fuzzer tab

Mon, 01 Jan 0001 00:00:00 +0000

Fuzzer tab

The Fuzzer tab shows you the requests and responses performed when you fuzz a message.
Select a row to see the full requests and responses. You can also search for strings in the fuzz results using the ‘Search’ tab.

HTTP Fuzzer results

The results have to be manually assessed to know if any vulnerability was found.

Fuzzing on ZAP

Options Fuzz screen

Options Fuzzer screen

Default Category

Fuzzer dialog

Fuzzer dialog

Fuzz Locations tab

HTTP Message Processors

HTTP Message Processors

Anti-CSRF Token Refresher

Fuzz Location Processors dialog

Fuzz Location Processors dialog

Accessed via

See also

Payloads dialog

Payloads dialog

Payload Processors dialog

Payload Processors dialog

Fuzzer tab

Fuzzer tab

HTTP Fuzzer results