6

I am a beginner with ZAP. I am trying to use the FUZZ logic for the passwords. I can see that option when I click on the password in the request table, but I am not able to click on it, as it is faint and non-clickable.


How do I activate it?

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
Manikya
  • 61
  • 3
  • Are you using either Safe or Protected mode? They will cause that option to be disabled (if out of scope in the latter case). If not, a full screenshot would help - mask out anything sensitive (such as URLs). – Simon Bennetts Dec 19 '16 at 11:18
  • Thanks for your answer. It's not in Safe or Protected mode. – Manikya Dec 19 '16 at 12:13
  • 1
    Manikya, are you sure?? The screenshot is cut off, but I can see the mode pull-down (top left) ends in "fe Mode". The only options are Safe, Protected, Standard and ATTACK, so I think you're still using Safe Mode :) – Simon Bennetts Dec 20 '16 at 15:25

2 Answers

4

Can't fuzz in Safe Mode. Core help info on modes here: https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsModes

ZAP has a 'mode' which can be:

  • Safe - no potentially dangerous operations permitted
  • Protected - you can only perform (potentially) dangerous actions on URLs in the Scope
  • Standard - as in previous releases, you can do anything
  • ATTACK - new nodes that are in Scope are actively scanned as soon as they are discovered

It is recommended that you use the Protected mode to ensure that you only attack sites that you mean to.

The mode can be changed via the toolbar (or the ZAP API) and is persisted between sessions.

Examples of the things that will not be possible in either Safe mode or in Protected mode when not acting on URLs in the Scope:

  • Spidering
  • Active Scanning
  • Fuzzing
  • Force Browsing
  • Breaking (intercepting)
  • Resending requests
kingthorin
  • 574
  • 4
  • 6
  • @techraf why on earth would you think that is spam? that is the core documentation of ZAP, the actual tool being asked about... – AviD Mar 22 '17 at 10:59
  • 1
    @AviD Because it was posted three times in a row. I even included a comment linking to all the answers clearly showing what I mean. Sending repeated messages is one of the definitions of spam. Even if the content is not advertising, on SO this might be trying to get reputation for the same answer, or otherwise trying to promote oneself. A year ago I raised a [similar issue on meta](https://security.meta.stackexchange.com/questions/2273/is-posting-identical-multiple-but-reasonable-answers-a-spam) and the consensus (also see the linked chat) was: it is considered spam. – techraf Mar 22 '17 at 11:13
  • It isn't a repeat message, in each case I included links to the specific and relevant help material. I'm making the rounds now to edit/quote the most germane parts. – kingthorin Mar 22 '17 at 16:20
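As an added example (not part of this answer and not ZAP's own code), a small Python script that uses the ZAP JSON API to apply the recommendation quoted above: put ZAP into Protected mode, include only the intended site in scope, and report whether fuzzing will be permitted. The ZAP address, API key, context name and target regex are assumptions.

```python
import json
import urllib.parse
import urllib.request

ZAP_API = "http://localhost:8080"   # assumed address of a local ZAP instance
API_KEY = "changeme"                # placeholder for ZAP's configured API key

# Mode names as the ZAP API uses them ("protect" is Protected mode).
MODES = ("safe", "protect", "standard", "attack")


def api_url(component, kind, name, **params):
    """Build a ZAP JSON API URL such as /JSON/core/view/mode/?apikey=..."""
    params["apikey"] = API_KEY
    query = urllib.parse.urlencode(params)
    return f"{ZAP_API}/JSON/{component}/{kind}/{name}/?{query}"


def call(url):
    """Perform one API call and decode the JSON body."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def fuzz_allowed(mode, in_scope):
    """Rules from the mode documentation: never in Safe mode,
    only on in-scope URLs in Protected mode, always otherwise."""
    if mode not in MODES:
        raise ValueError(f"unknown ZAP mode: {mode}")
    if mode == "safe":
        return False
    if mode == "protect":
        return in_scope
    return True


def ensure_protected_scope(target_regex, context="Default Context"):
    """Switch ZAP to Protected mode (if needed) and scope the target.
    Returns the mode reported by ZAP after the change."""
    current = call(api_url("core", "view", "mode"))["mode"]
    if current != "protect":
        call(api_url("core", "action", "setMode", mode="protect"))
    # Only this regex becomes in-scope; everything else stays blocked.
    call(api_url("context", "action", "includeInContext",
                 contextName=context, regex=target_regex))
    return call(api_url("core", "view", "mode"))["mode"]


if __name__ == "__main__":
    # Assumed target: the site whose login form is being fuzzed.
    mode = ensure_protected_scope(r"https://example\.test/login.*")
    print("ZAP mode:", mode, "| fuzzing in scope allowed:", fuzz_allowed(mode, True))
```

If the Fuzz menu item is still greyed out afterwards, the request you selected is not covered by the scope regex.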
1

It looks like you are using Safe mode, based on the screenshot provided. Switch to either Standard mode or Protected mode - in the latter case you'll also have to add the relevant site to the scope.

Simon Bennetts
  • 1,390
  • 7
  • 10