PandP: fuzzer uses the OWASP ZAP REST API to allow us to create fuzzers with the ability to save, modify, and repeat them whenever we want. With its appealing and facilitating UI, operations will become much easier to do.
Once we have configured the settings to connect to the API endpoint, we can create our fuzzer and send it to ZAP. To do so we can use zest script loading so that, once we have a match on the reflected of the request, the script will be generated and sent automatically and we would only have to worry about starting it in OWASP ZAP.
The application is working but still in work in progress....
dev
npm install
npx prisma migrate dev --name init
npm run dev -- -H 127.0.0.1production
npm install
npx prisma migrate dev --name init
npm run build
npm run start -- -H 127.0.0.1change .env variables, especially SECRET ,NEXTAUTH_URL,NEXTAUTH_SECRET for production.
don't usehttp://localhost:{PORT}for NEXTAUTH_URL instead usehttp://127.0.0.0.1:{PORT}
install package.json
$ npm install if You use providers such as Google, Apple, etc... You can setup strategy in api/auth/[...nextauth.ts] on
databaserather thanjwt
run in dev mode
$ npm run devto build
$ npm run buildrun after build
$ npm startmigrate db
$ npx prisma migrate dev --name {name}run prisma studio
$ npx prisma studioto create fuzzers in https, remember to disable TLS ALPN extension that you'll find at this section in OWASP ZAP:
Because OWASP ZAP has limited use of the fuzzer. This tool could cover this gap until ZAP extends the operation of the fuzzer itself, so that it'll become as complete as Burp's ("intruder").
Using zest scripts you have the ability within OWASP ZAP itself to edit and add : conditions, assertion and much more in an easy way. By using it you have more flexibility.