• Home
  • Blog
  • Testing
  • Implement Brute Force Attack Using OWASP Zed Attack Proxy ( ZAP)

Implement Brute Force Attack Using OWASP Zed Attack Proxy ( ZAP)

Back to Blog
Feature image of ZAP blog
06May

Implement Brute Force Attack Using OWASP Zed Attack Proxy ( ZAP)

By Testing , , , , Comments Off on Implement Brute Force Attack Using OWASP Zed Attack Proxy ( ZAP)

What is a Brute Force Attack?

An application program can utilize a brute-force attack as a trial-and-error technique to decode encryption Keys and login credentials to access systems without authorization. Rather than using clever tactics, applying brute force is a laborious endeavor.

A brute-force attack on an application tries every possible combination of characters that are allowed in a sequence, much like a thief could try numerous combinations to get into and crack a safe.

Cyberattackers usually execute a brute-force attack to get into a network, account, or website.

Automated tools are often used in a basic brute-force attack to attempt every password until the right input is found. This is an outdated but still powerful attack technique for figuring out -popular passwords.

What are the different types of Brute-Force Attacks?

1) Credential Stuffing

Credential stuffing happens when an attacker attempts to access several systems using the same username and password combination after compromising a user account.

2) Reverse Brute Force Attack

The attacker first gains access to the network and data by using a common password or one they already know against several usernames or encrypted To determine the proper username, the hacker will next apply the same method as in a standard brute-force attack.

3) Dictionary Attack

Another kind of brute-force attack is a dictionary attack, in which every word in a dictionary is searched for a password. To break longer passwords, attackers can add characters, digits, and other elements to words.

How to Prevent Brute Force Attack?

  • Increase password length
  • Increase password complexity
  • Limit login attempts
  • Two Factor Authentication (2FA)
  • Use OTP

What is OWASP Zed Attack Proxy (ZAP)?

Developers, pen testers, and beginners all frequently use OWASP ZAP, an open-source web application security tool. The ZAP project is recognized as one of the best projects that is actively maintained by a global network of security researchers. To check for vulnerabilities, it proxies HTTP traffic and permits inspection, modification, and resending of that data. Other capabilities of ZAP include Passive Scanner, Fuzzer, which does automated scans and spider web applications, and many more.

How to Setup ZAP?

  • First, download the ZAP from here https://www.zaproxy.org/download/
  • Execute the installer
  • Open ZAP when the installation is finished and review the license terms. If you agree to the terms, click Agree. ZAP will install itself and launch automatically after that.

Configure ZAP Proxy Setting

You will be asked to continue the ZAP session when you first launch it. ZAP sessions are automatically stored on a disc in a database with an assigned name and location. When you exit ZAP, such files are erased if you choose not to persist the session. Click Start after selecting No, I do not want to persist this session at this moment in time. ZAP sessions won’t continue for the time being.

Image of ZAP SessionGo to “Tools” and Select “Options”

Image of ZAP DashboardSelect Local Proxies to verify that your address set the localhost or 127.0.0.1 and Port number to 8080. When you configure the browser we need to assign the same port number

Image of local servers

Configure the Proxy Setting in the Web Browser Firefox

The port number should match with Port Number in ZAP Proxy Settings. Here ZAP Proxy port number is 8080.

Image of Proxy access to internet

BruterForce WebLogin

Let’s use brute force to obtain credentials from a form. Let’s see if we can use Zap to launch a Brute-Force attack to obtain credentials although we already know it. The username is – Admin, Password is – Admin

Image of AltoroMutual

Then Find the POST request and click and Attack> Fuzz menu

Image of Fuzz Menu

Next, add a wordlist and highlight the password we used. This allows us to select the request section that we want to update with new information.

Image of Fuzz LocationsClick on the Fuzz location dialog and  “Add….” Button.

Click on the Payload dialog and click on the “Add …”

Select String (mostly select file ) and paste all passwords as we already created in the file.

Image of quick start

Click on the Add Payload dialog “Add” button.

Click on the Payload dialog “OK” button.

Press the “Start fuzzer” button.

Image of Start fuzzer

The requests will be shown in the ‘Fuzzer’ Tab at the bottom.

Image of fuzzer tab

Now we will able to successfully log in to the application with this highlighted password.

Share this post

Author

Richa Sharma

Richa Sharma is a Test engineer, tech-lover & writer of this blog. She joined Devstringx Technologies in 2020 as a Sr. Test Engineer. She has good experience to work on different-2 testing projects. She loves to share her knowledge and experience through her blog. Her technical blogs inspire and empower readers.

Back to Blog

Related Posts

html-injection
18May

A Detail Tutorial On HTML Injection, Example, Prevention, Mitigation – DS

What is HTML Injection? This HTML injection attack is injecting HTML code through the vulnerable parts of the website. The...

Read More
Feature image for white box testing blog
10Nov

White Box Testing : Everything You Need to Know – Devstringx

If you’ve ever written or read code, chances are you’ve seen examples of white box testing or clear box testing....

Read More
What is Clickjacking
28May

What is Clickjacking | Clickjacking Attack & Mitigation | Devstringx

What is a Clickjacking Attack? Clickjacking is a security testing type of attack that finds tricks to trick a user into...

Read More
Feature image for Watir blog
26Jun

Watir (Web Application Testing In Ruby) – Features, Installation, Pros & Cons | DS

What Is Watir(Web Application Testing In Ruby)? Watir is an open source tool developed using Ruby which helps in automating web...

Read More
Banner for Jmeter Vs Loadrunner Blog
16Sep

Jmeter Vs Loadrunner – Devstringx

JMeter Vs LoadRunner Metrics like- Scalability, speed, response time, reliability, and usage applications are put to the test during the performance...

Read More
ETL Testing
12Oct

What is ETL Testing: Importance, Process, and Types | Devstringx

What Is ETL Testing? ETL Stands for Extraction, Transformation, and Load. So Basically ETL is a process of how data is...

Read More
Feature image on Security testing terminologies
20Oct

Security Testing Terminologies and Concepts – DS

Security testing is used to check the vulnerability and loopholes present in the application. Basic Terminologies of Security Testing  Points that we...

Read More
Feature image for TestCraft blog
01Apr

TestCraft: CodeLess Automation Platform | Devstringx

TestCraft TestCraft is an automation test platform for continuous and regression testing for web applications. It comes with AI (Artificial Intelligence)...

Read More
Feature image for Black box Vs White box testing
21Nov

The Difference Between Black Box Testing and White Box Testing – Devstringx

White box and black box testing are two of the most commonly used software testing methodologies today, but what exactly...

Read More
Feature image for Postman Newman blog
22Jun

Newman Postman Tutorial: New & Fastest Way to Run the Postman Collection – DS

Brief Description of Newman Postman Newman is a command-line runner used for running Postman collections. It allows users to run...

Read More