4

I am doing an authentication lab on PortSwigger which requires me to compare multiple HTTP requests and find a subtle difference between them in order to find a valid username. However, I don't know how to do this using OWASP ZAP. By any chance could someone help me with this? Thanks!

The lab I'm trying to do: https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-subtly-different-responses

What I am trying to do in ZAP: https://youtu.be/jJ_spcnCLr8?t=111

1 Answer

5

When you set up ZAP's fuzzer, set up the username payloads, then go to the "Message Processors" tab. Remove "Payload Reflection Detector". Add "Tag Creator", set it to "Extract", and set the "Regex" as warning>(Invalid.*)<. Run the fuzzer. Sort the results by the "State" column. Note that one of the results is subtly different.

kingthorin
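The comparison the answer describes (extract the warning text with the regex, then look for the response whose extracted value differs) can also be run offline over saved responses, for example to check that your own login form returns an identical failure message for every username. This is an added example, not part of the original answer; the usernames, the HTML snippets and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Regex taken from the answer: captures the failure message in the warning element.
# ".*" is greedy and stops at the last "<" on the line, so the constructed sample
# responses below keep the message and its closing tag alone on one line.
TAG_RE = re.compile(r"warning>(Invalid.*)<")

def extract_tag(body):
    """Return the captured failure message, or None if the pattern is absent."""
    match = TAG_RE.search(body)
    return match.group(1) if match else None

def find_outliers(results):
    """results: list of (payload, response_body) pairs.

    Returns (baseline, outliers): baseline is the most common extracted value,
    outliers lists (payload, value) for every response that differs from it.
    A response with no match at all (value None) is reported as well.
    """
    if not results:
        return None, []
    tagged = [(payload, extract_tag(body)) for payload, body in results]
    baseline = Counter(tag for _, tag in tagged).most_common(1)[0][0]
    return baseline, [(p, t) for p, t in tagged if t != baseline]

def page(message):
    # Constructed response fragment; real pages will carry more markup.
    return f"<p class=is-warning>{message}</p>"

# Constructed sample data: one message lacks the trailing period,
# one response has no warning element at all.
SAMPLE = [
    ("alice", page("Invalid username or password.")),
    ("bob", page("Invalid username or password.")),
    ("carol", page("Invalid username or password")),
    ("dave", page("Invalid username or password.")),
    ("erin", "<p>Too many attempts</p>"),
]

if __name__ == "__main__":
    baseline, outliers = find_outliers(SAMPLE)
    print("baseline:", repr(baseline))
    for payload, value in outliers:
        print("differs :", payload, repr(value))
```

Any outlier in the output means the failure response is not uniform across usernames, which is the property the lab's comparison relies on.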