HelpAddonsFuzzHttpmessageprocessors
The HTTP Message Processors can access and change the HTTP messages being fuzzed, control the fuzzing process and interact with the ZAP UI.
Built-in HTTP Message Processors include:
Refreshes anti-CSRF tokens contained in the request. ZAP must properly detect the anti-CSRF tokens before this processor can be selected and added. For more information consult the help page "Getting Started" > "Features" > "Anti CSRF Tokens".
Lets you select the enabled Fuzzer HTTP Processor scripts. The scripts allow you to:
- Obtain the list of payloads
- Stop fuzzing
- Increase the error count
- Send new messages
- Add messages to the Results tab
- Set custom ‘state’ messages in the Fuzzer tab
- Raise alerts
Indicates, in the State column of the results table, whether one of the injected payloads was found in the response, using "Reflected".
Updates (or adds, if not already present) the Content-Length request header with the length of the request body, for all request methods. No change is made if the size of the request body is zero and the header is not already present.
Adds custom ‘tags’, based on the contents of the response, to the State column of the results table.
Fuzzes as a user, using one of the users defined in the contexts that include the HTTP message being fuzzed. Users must exist before this processor can be selected and added.
Other add-ons can define additional HTTP Message Processors.
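As an added example (not part of the ZAP help page or the add-on's own code), the following Fuzzer HTTP Processor script in JavaScript uses three of the script capabilities listed above: setting a custom state, increasing the error count and stopping the fuzzer. The status codes and the threshold are assumptions chosen for illustration; the `utils` and `fuzzResult` method names are those used by the add-on's script template.

```javascript
// Added example: ZAP "Fuzzer HTTP Processor" script (not from the ZAP project).
// Flags throttled or overloaded responses in the State column and stops the
// fuzzer once the target keeps signalling that it cannot keep up.
var THROTTLE_CODES = [429, 503]; // assumption: status codes treated as "back off"
var MAX_IN_A_ROW = 5;            // assumption: threshold, tune per engagement
var inARow = 0;                  // approximate when the fuzzer uses several threads

// Script parameters shown in the Add Message Processor dialog (none here).
function getRequiredParamsNames() { return []; }
function getOptionalParamsNames() { return []; }

// Called before each fuzzed request is sent; this script changes nothing.
function processMessage(utils, message) {}

// Called for each response. Returning true keeps the result in the table.
function processResult(utils, fuzzResult) {
  var header = fuzzResult.getHttpMessage().getResponseHeader();
  var status = Number(header.getStatusCode());

  if (THROTTLE_CODES.indexOf(status) === -1) {
    inARow = 0; // a normal response ends the streak
    return true;
  }

  inARow++;
  // Shown in the State column of the fuzzer results.
  fuzzResult.addCustomState("Throttle", "HTTP " + status);
  // Counts towards the fuzzer's own error limit.
  utils.increaseErrorCount("Target returned HTTP " + status);

  if (inARow >= MAX_IN_A_ROW) {
    utils.stopFuzzer();
  }
  return true;
}
```
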
Fuzzer dialog under Message Processors tab
Fuzzer concepts