模糊化
Fuzzing is a technique of submitting lots of data to a target (often in the form of invalid or unexpected inputs).
ZAP allows you to fuzz any request using:
- A built-in set of payloads
- Payloads defined by optional add-ons
- 自定义脚本
为了访问 Fuzzer对话框 you can either:
- 右键单击其中一个ZAP选项卡中的请求(如历史记录或站点) 然后选择"攻击/模糊…"
- 在请求选项卡中突出显示一个字符串,右键单击它并选择"模糊…"
- 选择"工具/模糊…"菜单项并选择您想要模糊的请求
有效载荷生成器
Payload Generators generate the raw values or attacks that the fuzzer submits to the target application.
They are managed via the 有效负载对话框.
有效负载处理器
有效负载处理器可用于在提交之前更改指定的负载。
They are managed via the 有效负载处理器对话框.
模糊位置处理器
模糊位置处理器可用于在提交之前更改所有有效负载。
They are managed via the 位置处理器对话框.
消息处理器
Message Processors can access and change the messages being fuzzed, control the fuzzing process, and interact with the ZAP UI.
They are managed via the Fuzzer对话框 "消息处理器"选项卡。
Some of this functionality is based on code from the OWASP JBroFuzz project and includes files from the fuzzdb project.
Note that some fuzzdb files have been left out as they cause common anti-virus scanners to flag them as containing viruses.
You can replace them (and upgrade fuzzdb) by downloading the latest version of fuzzdb and expanding it in the 'fuzzers' library.
另请参阅