ZAP missing payload mode "pitchfork"

Problem description

I've started using ZAP and so far I really like it, but I'm missing one option, or I can't find it. Burp has a payload mode called "pitchfork" where you can increment two payloads at once. Is there something like that in ZAP? Thanks

Solution

This is how you accomplish what you want.

Assume the following request for my answer/example:

GET http://localhost:8090/bodgeit/product.jsp?typeid=3&foo=3 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Host: localhost:8090

Assume typeid and foo are the parameter values you want to pitchfork. You'd create a Payload Generator script in ZAP like the following (this is a simple small tweak to the default template; the important differences are outlined below the code example):

// Auxiliary variables/constants for payload generation.
var NUMBER_OF_PAYLOADS = 10;
var INITIAL_VALUE = 1;
var count = INITIAL_VALUE;
// The literal text that sits between the two selected parameter values in the request.
var MID = '&foo=';

/**
 * Returns the number of generated payloads, zero to indicate unknown number.
 * The number is used as a hint for progress calculations.
 * 
 * @return {number} The number of generated payloads.
 */
function getNumberOfPayloads() {
    return NUMBER_OF_PAYLOADS;
}

/**
 * Returns true if there are still payloads to generate, false otherwise.
 * 
 * Called before each call to next().
 * 
 * @return {boolean} If there are still payloads to generate.
 */
function hasNext() {
    return (count <= NUMBER_OF_PAYLOADS);
}

/**
 * Returns the next generated payload.
 * 
 * This method is called while hasNext() returns true.
 * 
 * @return {string} The next generated payload.
 */
function next() {
    var payload = count;
    count++;
    // Emit the same value for both parameters, joined by MID, e.g. "3&foo=3".
    return payload + MID + payload;
}

/**
 * Resets the internal state of the payload generator, as if no calls to
 * hasNext() or next() have been previously made.
 * 
 * Normally called once the method hasNext() returns false and while payloads
 * are still needed.
 */
function reset() {
    count = INITIAL_VALUE;
}

/**
 * Releases any resources used for generation of payloads (for example, a file).
 * 
 * Called once the payload generator is no longer needed.
 */
function close() {
}

Note the declaration of the MID constant: it is the middle part of the string between the two parameter values. The next() method is modified to return the same value for both parameter values, with the "MID" string inserted between them.

In the request, highlight 3&foo=3, right click and select "Fuzz...". Click the "Payloads" button, click the "Add" button, set the "Type" dropdown to "Script", select the script by name in the dropdown (I called mine "pitchfork"). (You can "Generate Preview" if you like.) Click the "Add" button. Click the "OK" button. Click "Start Fuzzer". You now have "pitchfork" fuzzing running in ZAP.

Producing the following payloads:

1&foo=1
2&foo=2
3&foo=3
4&foo=4
5&foo=5
6&foo=6
7&foo=7
8&foo=8
9&foo=9
10&foo=10

Caveats:

  1. Assuming you're fuzzing a normal GET or POST, you should be able to order the parameters however you like. (The target "shouldn't" care about the order of the parameters; you can copy/paste them into whatever order you need and send the request manually.) If it's some well-formed content (JSON/XML or whatever), then you could make MID a giant string...
  2. If you want to access payloads from a file, you could install/use a scripting add-on such as Python (Jython).

If you want to handle headers based on the same payload as the initial injection, then you need a slight variation.

Create a "Fuzzer HTTP Processor" script, which is just a slight variation of the template. The following example just checks the value of the payload in foo and uses it in a header:

/**
 * Processes the fuzzed message (payloads already injected).
 * 
 * Called before forwarding the message to the server.
 * 
 * @param {HttpFuzzerTaskProcessorUtils} utils - A utility object that contains functions that ease common tasks.
 * @param {HttpMessage} message - The fuzzed message, that will be forwarded to the server.
 */
function processMessage(utils, message) {
    // To obtain the list of payloads:
    //    utils.getPayloads()
    // To obtain original message:
    //    utils.getOriginalMessage()
    // To stop fuzzer:
    //    utils.stopFuzzer()
    // To increase the error count with a reason:
    //    utils.increaseErrorCount("Reason Error Message...")
    // To send a message, following redirects:
    //    utils.sendMessage(myMessage)
    // To send a message, not following redirects:
    //    utils.sendMessage(myMessage, false)
    // To add a message previously sent to results:
    //    utils.addMessageToResults("Type Of Message", myMessage)
    // To add a message previously sent to results, with custom state:
    //    utils.addMessageToResults("Type Of Message", myMessage, "Key Custom State", "Value Custom State")
    // The states' value is shown in the column 'State' of fuzzer results tab
    // To get the values of the parameters configured in the Add Message Processor Dialog.
    //    utils.getParameters() 
    // A map is returned, having as keys the parameters names (as returned by the getRequiredParamsNames()
    // and getOptionalParamsNames() functions below)
    // To get the value of a specific configured script parameter
    //    utils.getParameters().get("exampleParam1")

    // Process fuzzed message: find the (already fuzzed) value of the 'foo' URL parameter.
    var payload = null;

    for (var iterator = message.getUrlParams().iterator(); iterator.hasNext();) {
        var urlParam = iterator.next();

        if (urlParam.getName() == 'foo') {
            payload = urlParam.getValue();
            break;
        }
    }
    // Copy the payload into a request header so the header stays in sync with the
    // injected value; skip the header if 'foo' was not present in the request.
    if (payload !== null) {
        message.getRequestHeader().setHeader("X-Some-Id", payload);
    }
}

/**
 * Processes the fuzz result.
 * 
 * Called after receiving the fuzzed message from the server.
 * 
 * @param {HttpFuzzerTaskProcessorUtils} utils - A utility object that contains functions that ease common tasks.
 * @param {HttpFuzzResult} fuzzResult - The result of sending the fuzzed message.
 * @return {boolean} Whether the result should be accepted, or discarded and not shown.
 */
function processResult(utils, fuzzResult) {
    // All the above 'utils' functions are available plus:
    // To raise an alert:
    //    utils.raiseAlert(risk, confidence, name, description)
    // To obtain the fuzzed message, received from the server:
    //    fuzzResult.getHttpMessage()
    // To get the values of the parameters configured in the Add Message Processor Dialog.
    //    utils.getParameters() 
    // A map is returned, having as keys the parameters names (as returned by the getRequiredParamsNames()
    // and getOptionalParamsNames() functions below)
    // To get the value of a specific configured script parameter
    //    utils.getParameters().get("exampleParam1")
    return true;
}

/**
 * This function is called during the script loading to obtain a list of the names of the required
 * configuration parameters, that will be shown in the Add Message Processor Dialog for configuration.
 * They can be used to input dynamic data into the script, from the user interface.
 */
function getRequiredParamsNames() {
    return [];
}

/**
 * This function is called during the script loading to obtain a list of the names of the optional
 * configuration parameters, that will be shown in the Add Message Processor Dialog for configuration.
 * They can be used to input dynamic data into the script, from the user interface.
 */
function getOptionalParamsNames() {
    return [];
}

You just select the parameter value you want to fuzz. In the example above, if you want to fuzz foo, you'd just select 3. Set up the fuzzer as above (you could use built-in generators instead of the script), but in the "Message Processors" tab add the "Message Processor", then run the fuzzer.

Based on this example, foo should get the values 1 to 10, and each request would have a header added, such as X-Some-Id: 1 (where the Id is 1 to 10, in sync with the payload).

Of course you could also do a substring, encoding, etc. It doesn't have to be exactly the same.
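The answer's generator repeats one counter for both parameters. A true pitchfork, as the question describes it, walks two independent payload lists in lockstep. The following script, added here as an example and not part of the original answer or of ZAP, implements the same five-function Payload Generator interface the answer's template shows, but zips two lists (stopping when the shorter one is exhausted) and URL-encodes each value so characters such as "&" or a space cannot break the query string. The FIRST and SECOND lists, the MID separator and the collectPayloads() helper are constructed for this example.

```javascript
// Added example: a ZAP Payload Generator script in the "pitchfork" style that
// walks two independent payload lists in lockstep, instead of repeating one
// value for both parameters as the answer's script does. It implements the same
// five functions ZAP calls on a Payload Generator script (getNumberOfPayloads,
// hasNext, next, reset, close). The lists and MID below are constructed sample
// values, not taken from the question.

// First list: values for typeid (constructed; deliberately one longer than SECOND).
var FIRST = ['1', '2', '3', 'a&b', 'extra'];
// Second list: values for foo (constructed).
var SECOND = ['10', '20', 'x y', '40'];
// Literal text that sits between the two selected values in the original request.
var MID = '&foo=';

// Pitchfork stops when the shorter list runs out, so that length is the payload count.
var NUMBER_OF_PAYLOADS = Math.min(FIRST.length, SECOND.length);
var index = 0;

// URL-encode one parameter value so "&", "=" and whitespace do not corrupt the
// query string. encodeURIComponent is standard ECMAScript and exists in ZAP's
// script engines as well as in Node.
function encodeValue(value) {
    return encodeURIComponent(value);
}

// Hint for the fuzzer's progress bar.
function getNumberOfPayloads() {
    return NUMBER_OF_PAYLOADS;
}

// Called by the fuzzer before each next().
function hasNext() {
    return index < NUMBER_OF_PAYLOADS;
}

// Builds "<FIRST[i]>&foo=<SECOND[i]>" and advances both lists together.
function next() {
    var payload = encodeValue(FIRST[index]) + MID + encodeValue(SECOND[index]);
    index++;
    return payload;
}

// Restart from the beginning, as if no payloads had been generated yet.
function reset() {
    index = 0;
}

// Nothing to release: the lists live in memory.
function close() {
}

// Helper for running the script outside ZAP (constructed for this example):
// drains the generator exactly the way the fuzzer would (hasNext() before each
// next()) and returns every payload that would be injected.
function collectPayloads() {
    var payloads = [];
    reset();
    while (hasNext()) {
        payloads.push(next());
    }
    return payloads;
}

// Stand-alone run under Node: print the payloads. Inside ZAP, `require` is not
// defined, so this branch is skipped and only the interface functions are used.
if (typeof require !== 'undefined' && require.main === module) {
    collectPayloads().forEach(function (p) { console.log(p); });
}
```

Under Node this prints "1&foo=10", "2&foo=20", "3&foo=x%20y" and "a%26b&foo=40"; the fifth entry of FIRST is never used because SECOND has only four values. To use it in ZAP, paste the script as a Payload Generator, select the "3&foo=3" span in the request as the answer describes, and replace the two lists with the values you actually want to pair.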
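The Fuzzer HTTP Processor in the answer needs ZAP's HttpMessage object to run. The example below, added here and not part of the original answer or of ZAP, mirrors that processMessage() logic over a raw HTTP request string so the behaviour can be exercised outside ZAP: it reads the fuzzed value of "foo" from the request line and copies it into an X-Some-Id header, replacing an existing header of that name case-insensitively and leaving the request untouched when "foo" is absent (rather than emitting a header whose value is "null"). The function names, header name and SAMPLE_REQUEST are constructed for this example; inside ZAP you would keep using message.getUrlParams() and message.getRequestHeader().setHeader() as the answer shows.

```javascript
// Added example: a stand-alone mirror of the answer's processMessage() logic,
// working on raw request text instead of ZAP's HttpMessage. All names and the
// sample request are constructed for this example.

// Returns the decoded value of query parameter `name` from a request line such
// as "GET /x?a=1&b=2 HTTP/1.1", or null when the parameter is absent.
function getUrlParam(requestLine, name) {
    var parts = requestLine.split(' ');
    if (parts.length < 2) { return null; }
    var qIndex = parts[1].indexOf('?');
    if (qIndex < 0) { return null; }
    var pairs = parts[1].substring(qIndex + 1).split('&');
    for (var i = 0; i < pairs.length; i++) {
        var kv = pairs[i].split('=');
        if (decodeURIComponent(kv[0]) === name) {
            // A value may itself contain "=", so re-join everything after the key.
            return kv.length > 1 ? decodeURIComponent(kv.slice(1).join('=')) : '';
        }
    }
    return null;
}

// Sets (or replaces) one header in the raw request. Header names are matched
// case-insensitively, as HTTP requires; a new header is inserted right after
// the request line.
function setHeader(rawRequest, headerName, value) {
    var lines = rawRequest.split('\r\n');
    var prefix = headerName.toLowerCase() + ':';
    var replaced = false;
    for (var i = 1; i < lines.length; i++) {
        if (lines[i] === '') { break; }  // blank line ends the header block
        if (lines[i].toLowerCase().indexOf(prefix) === 0) {
            lines[i] = headerName + ': ' + value;
            replaced = true;
        }
    }
    if (!replaced) {
        lines.splice(1, 0, headerName + ': ' + value);
    }
    return lines.join('\r\n');
}

// Mirror of processMessage(): copy the fuzzed value of `foo` into X-Some-Id so
// the header stays in sync with the injected payload. When `foo` is missing the
// request is returned unchanged instead of gaining a bogus header.
function processRawRequest(rawRequest) {
    var requestLine = rawRequest.split('\r\n')[0];
    var payload = getUrlParam(requestLine, 'foo');
    if (payload === null) { return rawRequest; }
    return setHeader(rawRequest, 'X-Some-Id', payload);
}

// Constructed sample request modelled on the one in the question, with foo
// already replaced by a fuzzed value.
var SAMPLE_REQUEST =
    'GET http://localhost:8090/bodgeit/product.jsp?typeid=3&foo=7 HTTP/1.1\r\n' +
    'Host: localhost:8090\r\n' +
    'Connection: keep-alive\r\n' +
    '\r\n';

// Stand-alone run under Node: show the request the server would receive.
if (typeof require !== 'undefined' && require.main === module) {
    console.log(processRawRequest(SAMPLE_REQUEST));
}
```

Running it under Node shows the sample request with "X-Some-Id: 7" inserted after the request line. The missing-parameter branch is the part worth carrying back into the ZAP script: without it, a request that does not contain "foo" would still get a header set from a null value.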
