Help With Question -> Proxies/ZAP Fuzzer

The directory we found above sets the cookie to the md5 hash of the username, as we can see the md5 cookie in the request for the (guest) user. Visit ‘/skills/’ to get a request with a cookie, then try to use ZAP Fuzzer to fuzz the cookie for different md5 hashed usernames to get the flag. Use the “top-usernames-shortlist.txt” wordlist from Seclists.

Can you give me more detailed instructions what to do?
Thank you so much


Unfortunately it does not work. What am I doing wrong?

Took me time to get this, but you’re in good position.

So after setting up your Payload with “084…” you need to set your processors to md5 hashes and then in the fuzzers tab all will appear with 200 and just resend to the browser to view the flag

1 Like

For anyone else stuck with this, this article helped me - How are cookies passed in the HTTP protocol? - Stack Overflow

1 Like

where can I found the “top-usernames-shortlist.txt” wordlist ?

Try : /opt/useful/SecLists/Usernames/top-usernames-shortlist.txt

I do not understand why I can’t do it, I fuzz the cookie 084 … But when I look at the answer, it is always 084, why?

1 Like

Wanted to hop on here to say this was the straw that broke the camel’s back for me.

Feel there is a severe lack of direction. Will be continuing my bug bounty learning path on PortSwigger and cancelling my account here.

Good luck everyone on your journey, when something does not work, try a different way, a different perspective.


You know what, I’m beginning to get there. I really don’t understand why more information isn’t put into some of these sections? Or even a short video walk-through would be helpful. I do admit that at times I’m simply missing something and when I go back over it I can figure it out. However, this one really does appear to be missing some key info. Like where is it explained here in this section on how to use a wordlist like the one mentioned in the question? Also, when it says to “fuzz the cookie” is that whole thing so cookie=034e0343a0486ff05530df6c705c8bb4? Or is it just the hash after the =? I mean how hard would it be to just provide a bit more clarity in these instructions?

1 Like

For those struggling, once you have fuzzed usernames that you have modified to be MD5 hashed encoded, look for the Size Resp. Body that is different.

From there you can right click and open in requester tab The flag is in the response body.

ZAP’s UI was very clunky, so I had to adjust the window sizes to see things clearly. So bear that in mind if you are struggling to navigate the app and it seems not to make sense…it might not be you that’s the problem :wink:

For those throwing the towel after failed attempts, maybe pentesting isn’t for you (Please be persistent). Looks like all you need to do, is observe the resp. header size and send it to the requester tab. Method must change as well. Think GET vs POST? And you will be done with it. Still, I share your frustration about ZAP, but it’s all we got. Burp wouldn’t give a discount nor student access.

bro thanks so much for your help!

1 Like

it was not hard at all. Just visit http://ip:port/skill/ just like question says.
Then your response contains a cookie.
Then use ''Open/Resend with request editor". Now you can select the cookie.

good luck


The task looks pretty simple, but after fuzzing all the cookies I still do not see the flag in any of the responses. Checked the ones with different content-length, checked every line manually, resetted the target and repeated, and to eliminate the ZAP GUI game with the response windows size even checked all cookies manually directly from cli with curl. No one attempt returned the flag on the page.

Any Ideas please?

Solved with curl after multiple resets of the target…

I solved it. You perform FUZZing with cookies (MD5 hash). Then, select any request and resend it using the Request Editor. You will be able to observe any requests you send with different cookies. After the Send process, the cookie will be set to ‘084e0343a0486ff05530df6c705c8bb4’.
The reason is that you clicked to disable ‘Accept Cookie.’ Then, set the Request Cookie to ‘ee11cbb19052e40b07aac0ca060c23ee.’
=>complete this Section

So, I completed this challenge by reading this thread. First of all, I needed to understand the correct use of Set-Cookie and Cookie, and then look for all the steps in ZAP, which is very hard. I don’t know what’s happening with the ZAP UI, but it’s very messy. For new users searching for help, try setting cookies with MD5 if you know what I mean ;).
And don’t give up, it took me 2 days.!!!

For everybody who is stuck you should try as followed to get the right request and response.

  • Open the target spawn address with port in the per-configured browser from the button in Zap, with /skills/ added: http://x.x.x.x:yyyyy/skills/

  • Within the HUD enable Break and reload the page

  • Check if the cookie is defined in the GET request/ break
    –you can either review back in Zap in the Break section shown and right mouse-click and select Fuzz…
    –you can copy the text from the HUD, open Fuzz from the tools in Zap, Select the GET under the skills folder and review if the cookie is present, if not, click Edit replace the request with the data copied earlier in the HUB.

  • Select only the cookie value

  • Add a payload as a file from the question, either in /opt/usefull/wordlists or /usr/share/wordlists

  • Add MD5 Hashes as processor

  • In the Options set concurrent scanning to 20

  • Start Fuzzing!

Review the responses, 1 will be noticeable different in Size Resp. Body and right mouse-click and select “Open in Requester Tab…”

  • Review that the cookie value is different in the Request page and it is the value shown in the Payloads tab in the results from fuzzing (previous step)
  • Click on Send and review the response in the lower right corner, you should see what you re looking for.

I hope this helps…


i’ve tried this

then i got what? a piece of sh*t

what a m****f**ker module, is there anybody really using the ZAP?

1 Like