Brute-force a form to get credentials with ZAP

One of the features ZAP offers is fuzzing a login form to brute-force credentials.

What is ZAP?

Let's brute-force a form to get credentials. Although we already know the credentials, let's see whether we can use ZAP to recover them through a brute-force attack.

If you wanted to do this with Burp Suite, you'd need to intercept the request and then pass it to Hydra. With ZAP the whole process is much easier!

Make sure the DVWA security level is set to Low for this guide.

Navigate to the Brute Force page in DVWA and attempt to log in as "admin" with the password "test123".

Now find the GET request in the ZAP history, right-click it and choose Attack >> Fuzz...

Highlight the password (or username) you attempted to log in with (admin/test123) and add a wordlist as the payload.

This selects the part of the request you want to replace with each value from the wordlist.

Once the wordlist is loaded, click "Start Fuzzer".

After the fuzzer has run, sort the State column so that Reflected results appear first. You will sometimes get false positives: Reflected only means the payload string appeared in the response, so confirm any hit by logging in with it. In your test lab you can ignore candidate passwords shorter than 8 characters.

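As an added example that is not part of this guide, here is the defender's view of the same run: a small Python script that parses constructed Apache-style access log lines for the DVWA brute-force page (path assumed to be /vulnerabilities/brute/) and flags a client that sends many login attempts for one username within a short window. The log lines, addresses and threshold are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Apache combined-style line; assumes the client address is the first field.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
LOGIN_PATH = "/vulnerabilities/brute/"  # DVWA brute-force page (assumed deployment path)

def parse_line(line):
    """Return (ip, timestamp, username, password) for a DVWA login attempt, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    qs = parse_qs(url.query)
    if url.path != LOGIN_PATH or "username" not in qs or "password" not in qs:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, qs["username"][0], qs["password"][0]

def detect_bursts(lines, window=timedelta(seconds=60), threshold=5):
    """Flag (ip, username) pairs with >= threshold attempts inside any `window`. DVWA on Low
    answers 200 to every attempt, so status is no signal; rate and distinct passwords are."""
    attempts = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, user, pw = parsed
            attempts[(ip, user)].append((ts, pw))
    alerts = {}
    for key, events in attempts.items():
        events.sort()
        best, start = 0, 0
        for end, (ts, _) in enumerate(events):  # sliding window over sorted timestamps
            while ts - events[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[key] = {"attempts": best, "distinct_passwords": len({pw for _, pw in events})}
    return alerts

# Constructed sample log (not real traffic): one ordinary user, then a fuzzer-like burst.
def _line(ip, sec, pw):
    return (f'{ip} - - [10/Oct/2023:14:02:{sec:02d} +0000] "GET {LOGIN_PATH}'
            f'?username=admin&password={pw}&Login=Login HTTP/1.1" 200 4523')

SAMPLE_LOG = [_line("192.0.2.10", 0, "test123"), _line("192.0.2.10", 40, "Password1")] + [
    _line("203.0.113.5", 10 + i, pw) for i, pw in
    enumerate(["123456", "password", "letmein", "qwerty", "admin", "welcome", "test123"])]
```

Running `detect_bursts(SAMPLE_LOG)` flags only the 203.0.113.5 client, which sent seven different passwords for "admin" inside one minute; the ordinary user with two attempts stays below the threshold.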
Want to further enhance ZAP's capabilities? Look at some of its downloadable extensions!

A good plugin set is HUNT, which scans for known vulnerabilities in web applications.

To learn how, see the "Bugcrowd HUNT" guide.

All the guides, tips and tricks on this website are for educational purposes only; the website owner is not accountable for any use of this information.