During a recent security review I was working on a very simple web application. I needed to determine the size of a payload that would result in a “payload too large” message from the server. The idea was to start with a single character (A), then (AA), then (AAA) and so on until the response message changed. I could have done this with Python, but as I already had a copy of ZAP open I decided to use it instead. My initial assumption was that this would be easy and straightforward; I was surprised to find it was not. Thankfully I discovered a solution in the form of the ZAP regular expression payload generator.

First, I captured a message and sent it to the fuzzer. Then I edited the message and inserted a token where I wanted the payload to grow in size. Next, I set up a payload using the ZAP regular expression payload option, with the regular expression A+. For this example I chose 10 iterations as the maximum number of payloads, like so.

ZAP regular expression payload option

You could also use this technique for directory traversal-style attacks. It is especially useful when you have a specific file you want to try to reach, rather than the usual /etc/passwd that appears in most common static directory and file lists. For instance, here’s how you would try to traverse to a file called /home/user/your-specific-file.

First, set up the regex payload as (\.\./)+ like so, and use as many max payloads / iterations as you wish.

ZAP regex payload

Then add a payload processor of type ‘Postfix String’ to append your specific file path to each auto-generated regex payload, like so:

ZAP postfix string

Complete the job by clicking ‘Add’ a few times and launch your fuzz.
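The two payload shapes from this post, the growing A+ body and the (\.\./)+ prefix with a postfix, reproduced in Python as an added example that is not part of the original post or of ZAP itself. It assumes a constructed stand-in server (`fake_server`, 5-byte limit) and a postfix without the leading slash, so the joined path reads `../../home/user/your-specific-file`.

```python
import re
from typing import Callable, List, Optional


def expand_repeat(regex: str, max_payloads: int) -> List[str]:
    """Expand a pattern of the form X+ (X a single, possibly escaped, character
    or a (...) group) into X, XX, XXX, ... up to max_payloads strings.
    Deliberately narrow: it only covers the two shapes used in the post
    (A+ and (\\.\\./)+), not arbitrary regexes."""
    m = re.fullmatch(r"(?:\((?P<grp>[^()]+)\)|(?P<lit>\\.|[^\\()]))\+", regex)
    if not m:
        raise ValueError(f"unsupported pattern: {regex!r}")
    # Drop regex escapes so \.\./ becomes the literal ../
    unit = re.sub(r"\\(.)", r"\1", m.group("grp") or m.group("lit"))
    return [unit * n for n in range(1, max_payloads + 1)]


def postfix(payloads: List[str], suffix: str) -> List[str]:
    """Equivalent of the 'Postfix String' processor: append suffix to each payload."""
    return [p + suffix for p in payloads]


def find_size_limit(send: Callable[[str], str], marker: str,
                    max_payloads: int) -> Optional[int]:
    """Walk A, AA, AAA, ... and return the length of the first body whose
    response contains marker, or None if no payload triggers it."""
    for body in expand_repeat("A+", max_payloads):
        if marker in send(body):
            return len(body)
    return None


def fake_server(body: str) -> str:
    # Constructed stand-in for the target: rejects anything over 5 bytes.
    return "413 payload too large" if len(body) > 5 else "200 OK"


if __name__ == "__main__":
    print(expand_repeat("A+", 3))
    print(postfix(expand_repeat(r"(\.\./)+", 2), "home/user/your-specific-file"))
    print(find_size_limit(fake_server, "too large", 10))
```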