OWASP Zed Attack Proxy
OWASP ZAP is another excellent tool for pentesting web applications. It ships with Kali and is completely free and open source. It's not a mass vulnerability scanner in the OpenVAS sense (OpenVAS scans hosts and services across a network); it's closer to an automated web application enumeration and scanning proxy - at least that's how I see it.
It has many functions, including passive and active scanning, fuzzing, web crawling (the spider), and plugins and integrations (Zest scripting, a Jenkins plugin, etc.) and much more. For now, I'll be discussing the basics.
Once you configure your browser to use ZAP as a manual proxy (the same setup as for Burp Suite) and import ZAP's root CA certificate so that HTTPS traffic can be intercepted, you can get started. Be advised that an active scan sends a lot of requests, many of them deliberately malformed, and it can modify or corrupt application data; only run it against targets you are authorised to test.
Web Form brute forcing
CLI password tools are great, but sometimes it's much more efficient to use a GUI - especially against a web form, where you want to see the full response to each attempt.
Once ZAP is set up, navigate to the web form you are going to brute force. Type some bogus credentials into the username and password fields and submit the form. ZAP will capture the request along with the values being posted.
- Find the request under the Sites or History tab and select it. The Request tab should show the credentials you passed to the app in the POST body.
- Highlight the username and/or password value under the Request tab. The value you highlight is what you'll fuzz, i.e. run your wordlist against.
- Now right-click the highlighted portion > Fuzz... > Payloads... > Add..., and set the payload type to File.
- Browse to your wordlist, click Add, then Start Fuzzer. If the form carries an anti-CSRF token, enable the Anti CSRF Token Refresher under Message Processors in the fuzz dialog first, otherwise every attempt is rejected regardless of the password. Keep the thread count low if the target has an account lockout policy: once the account locks, every response changes and the real hit is hidden.
- Once complete, sort the results by Code, "Size Resp. Header" or "Size Resp. Body".
- Since ZAP is just fuzzing, it has no notion of a successful login. Every wrong password produces a near-identical response, so look for the row whose status code or response size differs from the rest, select it and check the Response body.
- If the login is successful the web app should bring you to a new page, right? So the odd one out is often a 302 with a Location header rather than a 200, and the Response body (or the page it redirects to) should have some indication that the login has been successful.
- Usually you can eyeball the HTML for a success, but you can also save two responses and compare them with diff or meld on Linux, or with Notepad++'s Compare plugin.
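The triage at the end of that list (find the response that differs from the rest, then diff it against a normal failure) is easy to get wrong when you sort by one column only, so here it is as an added Python example. This is not ZAP code or anything from the original post: the result rows, payloads, sizes and bodies are all constructed to mirror the columns the fuzzer shows (payload, Code, Size Resp. Header, Size Resp. Body), and the function names are mine.

```python
"""Triage of fuzzer results for a login form: find the response that differs.

Added example, not part of ZAP or this post: it does outside the GUI what the
"sort by response size and look for the odd one out" step does inside it, and
adds the diff step. The records below are constructed to mirror the columns
the ZAP fuzzer shows (payload, Code, Size Resp. Header, Size Resp. Body) plus
the body text; nothing here was captured from a real target.
"""
from collections import Counter
import difflib

# A typical "wrong password" page. Every failed guess returns this body, so
# every failed guess has the same status code and the same body size.
FAIL_BODY = (
    "<html>\n<body>\n<h1>Login</h1>\n"
    "<p>Invalid username or password.</p>\n"
    '<form method="post" action="/login">...</form>\n'
    "</body>\n</html>"
)
# After too many failures the app swaps the error text: a different body size,
# but still a failure. Sorting by size alone would flag this as interesting.
LOCKOUT_BODY = FAIL_BODY.replace(
    "Invalid username or password.",
    "Too many attempts. Account locked for 15 minutes.",
)
# A real success is usually a redirect to the post-login page: a 302 with a
# small body and a longer header (the Location line), not a bigger 200.
SUCCESS_BODY = (
    "<html>\n<body>\n"
    'Redirecting to <a href="/account">/account</a>\n'
    "</body>\n</html>"
)

# Constructed results table, one row per payload from the wordlist.
RESULTS = [
    {"payload": "password", "code": 200, "hdr": 241, "body": FAIL_BODY},
    {"payload": "123456",   "code": 200, "hdr": 241, "body": FAIL_BODY},
    {"payload": "qwerty",   "code": 200, "hdr": 241, "body": FAIL_BODY},
    {"payload": "letmein1", "code": 302, "hdr": 297, "body": SUCCESS_BODY},
    {"payload": "admin",    "code": 200, "hdr": 241, "body": FAIL_BODY},
    {"payload": "welcome",  "code": 200, "hdr": 241, "body": LOCKOUT_BODY},
]


def signature(record):
    """What you compare by eye in the result table: status code and body size."""
    return (record["code"], len(record["body"]))


def baseline(results):
    """The most common (code, body size) pair, i.e. the 'wrong password' response."""
    return Counter(signature(r) for r in results).most_common(1)[0][0]


def outliers(results, tolerance=0):
    """Rows whose status code differs from the baseline, or whose body size
    differs from it by more than `tolerance` bytes.

    tolerance > 0 is for apps whose failure page varies slightly per attempt
    (a reflected username, a per-request token). A status code change is
    always reported, because a 302 among 200s is the usual sign of success.
    """
    base_code, base_size = baseline(results)
    return [
        r for r in results
        if r["code"] != base_code or abs(len(r["body"]) - base_size) > tolerance
    ]


def diff_against_baseline(results, record):
    """Unified diff of one response body against a baseline body: the same
    check as saving both responses and running `diff` on them."""
    base_sig = baseline(results)
    base = next(r for r in results if signature(r) == base_sig)
    return list(difflib.unified_diff(
        base["body"].splitlines(), record["body"].splitlines(),
        fromfile="baseline (%s)" % base["payload"],
        tofile="candidate (%s)" % record["payload"],
        lineterm="",
    ))


if __name__ == "__main__":
    print("baseline (code, body size):", baseline(RESULTS))
    for r in outliers(RESULTS):
        print("\ncandidate payload %r: code %d, header %d bytes, body %d bytes"
              % (r["payload"], r["code"], r["hdr"], len(r["body"])))
        print("\n".join(diff_against_baseline(RESULTS, r)))
```

Run as-is it reports two candidates: the 302 (the real hit, which sorting by Code puts at one end of the table) and the lockout page (a bigger 200 that a pure size sort would rank above the 302). The diff of the lockout row against the baseline shows only the error text changing, which is how you tell a changed failure from a success without reading every body.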