Hello I am using OWASP ZAP 2.41 (last version currently) and I want to fuzz a parameter in a JSON based POST.
This field is first inserted in a HTML form, but it is encrypted with a javascript, and what I can alter with ZAP as far as the request is concerned, is the encrypted field.
What I want is brute force with the non-encrypted values.
I have to say that I have access to the javascript that encrypt the field.
Does anyone know how to carry this out¿? Thank you very much.
You can use a Payload Processor script to encrypt the payloads for the application. There are templates which give more information about the scripts, and a python example here: https://github.com/zaproxy/community-scripts/tree/master/payloadprocessor
If you come up with anything reusable you could submit it for the ZAP Scripting competition: https://www.owasp.org/index.php/2015-08-ZAP-ScriptingCompetition