ZAP: Grep extract in Fuzzer to detect username enumeration via subtly different responses

Introduction

When testing for issues such as user enumeration, response time and response size are not always reliable indicators: two responses can have exactly the same length while their content differs by only a single character (a trailing space, a missing full stop), which a size-based comparison will never reveal.

To ensure this is not overlooked, the “Tag Creator” message processor in the OWASP ZAP Fuzzer can be used to grep each response for a regular expression and tag the response with the captured text (here, the application’s error message). Because the tag is the extracted text itself, even a one-character difference between responses shows up as a distinct tag.

Initial enumeration

We first need to attempt to login to the application with an invalid username and observe the failed login error message. This will help us create a regex pattern that matches known invalid login attempts.
This is achieved as follows:

  1. Capture a login POST request in ZAP for a login attempt for an invalid username (such as ‘userdoesntexist’):
  1. Observe the application’s response and its error text (e.g. ‘Invalid username or password.’):
  1. Take note of the entire line in the response, as this will be useful in our string match configuration, as follows:
<p class=is-warning>Invalid username or password.</p>
  1. Double click on ‘userdoesntexist’ in the request window, then click on “Fuzz…” to send the request to the Fuzzer:

Fuzzer configuration

  1. In the Fuzzer window, click the “Payloads…” button and load your desired payload (e.g. a file containing usernames to test):
  1. Click on the “Message Processors” tab, remove “2 Payload Reflection Detector”, then click “Add” and select “Tag Creator”:
  1. Enter the following as the Extract Regex (the capture group returns the text inside the warning ‘p’ element, i.e. the application error), then click “Add”:
<p class=is-warning>(.*?)</p>
  1. The “Message Processors” tab should now appear as follows:

Execution and results

  1. When ready, click “Start Fuzzer” and observe the results in the Fuzzer output window:
  1. Sort the results by the “State” column (this is where the Tag Creator writes the text extracted by our regex) and look for the response whose tag differs from the rest. In this case one response reads ‘Invalid username or password ’ (trailing space) instead of ‘Invalid username or password.’, which indicates the valid, enumerated username. Note that the responses have the same length, so this difference would not have been visible in the Size column, and that a difference this small is easy to miss by eye, which is exactly why sorting on the extracted tag is useful:
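The same grep-and-group logic, outside ZAP, as an added example that is not part of the original write-up: it applies the regex above to a set of constructed login responses (not captured from any real target), tags each response with the captured error text, and reports the usernames whose tag differs from the baseline. The sample bodies are built so that every response has exactly the same length, to show why a size comparison would miss the difference.

```python
import re
from collections import Counter

# The Extract Regex from the write-up: capture the text inside the warning <p>.
ERROR_RE = re.compile(r"<p class=is-warning>(.*?)</p>", re.DOTALL)

# Constructed sample responses keyed by the username that was submitted.
# "bob" is the one that exists: its message ends in a space instead of a
# full stop, so every body here is the same length (the Size column would
# show no difference at all).
SAMPLE_RESPONSES = {
    "userdoesntexist": "<html><body><p class=is-warning>Invalid username or password.</p></body></html>",
    "alice":           "<html><body><p class=is-warning>Invalid username or password.</p></body></html>",
    "bob":             "<html><body><p class=is-warning>Invalid username or password </p></body></html>",
    "carol":           "<html><body><p class=is-warning>Invalid username or password.</p></body></html>",
}


def extract_tag(body):
    """Return the captured error text for one response, or None if the
    pattern does not match (e.g. a redirect or a completely different page)."""
    m = ERROR_RE.search(body)
    return m.group(1) if m else None


def sizes_identical(responses):
    """True when every response body has the same length, i.e. size alone
    cannot distinguish them."""
    return len({len(body) for body in responses.values()}) == 1


def find_outliers(responses):
    """Tag every response, treat the most common tag as the baseline for an
    invalid login, and return (baseline, tag_counts, outlier_usernames).
    Usernames whose tag differs from the baseline, including those where the
    regex did not match at all, are reported as candidates for enumeration."""
    tags = {user: extract_tag(body) for user, body in responses.items()}
    counts = Counter(tags.values())
    baseline, _ = counts.most_common(1)[0]
    outliers = sorted(user for user, tag in tags.items() if tag != baseline)
    return baseline, counts, outliers


if __name__ == "__main__":
    print("all responses same size:", sizes_identical(SAMPLE_RESPONSES))
    baseline, counts, outliers = find_outliers(SAMPLE_RESPONSES)
    # repr() is used so a trailing space is visible in the output.
    print("baseline tag:", repr(baseline))
    for tag, n in counts.items():
        print(f"  {n} response(s) tagged {tag!r}")
    print("candidate valid usernames:", outliers)
```

The "baseline is the most common tag" heuristic assumes most of the payload list consists of non-existent usernames, which is the normal situation for an enumeration wordlist; if a lockout or rate-limiting message starts appearing part-way through the run it will surface as a second outlier group, so inspect the counts rather than trusting the outlier list blindly.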

Conclusion

This concludes the basic use of the ZAP Tag Creator function within the Fuzzer tool for tasks such as user enumeration.
Feel free to contact us if you have any questions or would like to schedule a meeting to discuss anything further.