Unable to see XSS and SQL injections in automated active scan report


Sridatta S P

Jul 10, 2024, 3:35:58 AM
to ZAP Developer Group
Hi,

We are trying to generate an automated active scan report through python.

The following steps were followed:

1. Record actions of UI in ZAP via proxy
2. Keep the session in zap and browser open.
3. Check the scan policy manager, check injections, all default settings kept as is which included XSS, SQL injections.
4. Run active scan via python by copying URL and access-key
5. Generate an html report

Expected: the HTML report should show XSS and SQL injection, among others.
Actual: XSS and SQL injection are missing.

Some observations as below:

1/ Python sample as below: target is the URL, and before scanning we connect to ZAP from Python via the proxy.

import time
# zap (the ZAPv2 client from python-owasp-zap-v2.4) and target are set up earlier, as described above

scanID = zap.ascan.scan(target)
while int(zap.ascan.status(scanID)) < 100:
    # Loop until the active scan has finished
    print('Records to active scan : ' + zap.ascan.status(scanID))
    time.sleep(2)

print('Active Scan completed')

2/ In the HTML report we see only the names below:
Name Risk Level Number of Instances
  1. Open Redirect High
  2. Content Security Policy (CSP) Header Not Set
  3. Missing Anti-clickjacking Header
  4. Vulnerable JS Library
  5. Application Error Disclosure
  6. Cookie No HttpOnly Flag
  7. Cookie Without Secure Flag
  8. Cookie with SameSite Attribute None
  9. Cookie without SameSite Attribute
  10. Information Disclosure - Debug Error Messages
  11. Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
  12. Server Leaks Version Information via "Server" HTTP Response Header Field
  13. Strict-Transport-Security Header Not Set
  14. Timestamp Disclosure - Unix
  15. X-AspNet-Version Response Header
  16. X-Content-Type-Options Header Missing
  17. Authentication Request Identified Informational
  18. Content-Type Header Missing Informational
  19. Cookie Poisoning Informational
  20. Information Disclosure - Sensitive Information in URL Informational
  21. Information Disclosure - Suspicious Comments Informational
  22. Loosely Scoped Cookie Informational
  23. Modern Web Application Informational
  24. Re-examine Cache-control Directives Informational
  25. Retrieved from Cache Informational
  26. Session Management Response Identified Informational
  27. User Agent Fuzzer Informational
  28. User Controllable HTML Element Attribute (Potential XSS)

Are we missing anything? Why are XSS and SQL injection not listed?

Thanks & Regards,
Sridatta
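The snippet in the post only waits for the scan to finish; it never checks that the injection rules are actually enabled in the active scan policy, or which rules produced the alerts in the report. The helper below, an added example that is not code from this thread or from the ZAP project, separates those checks so that "rule disabled", "rule enabled but nothing found" and "finding present" are distinguished. It assumes the python-owasp-zap-v2.4 client (`from zapv2 import ZAPv2`) and the response shapes of `zap.ascan.scanners()`, `zap.ascan.status()` and `zap.core.alerts()` as noted in the comments; the sample scanner list and alert list are constructed, not captured from a real scan.

```python
"""Checks for an active scan whose report lacks XSS / SQL injection findings.

Added example, not from the thread or the ZAP project. Assumes the
python-owasp-zap-v2.4 client and the API response shapes noted below.
"""
import time

# ZAP active scan rule IDs for the injection checks the report was expected
# to contain (Scan Policy Manager > Injection). Narrowing to these three is
# this example's choice, not a complete list of ZAP's injection rules.
INJECTION_SCANNERS = {
    "40012": "Cross Site Scripting (Reflected)",
    "40014": "Cross Site Scripting (Persistent)",
    "40018": "SQL Injection",
}
# Passive rule that only flags user-controllable attributes; its presence in
# a report does not show that the active XSS rules were run.
PASSIVE_POTENTIAL_XSS = "10031"


def injection_scanner_status(scanners):
    """Map each injection rule ID to whether the policy has it enabled.

    `scanners` is the list from zap.ascan.scanners(): dicts with at least
    'id' and 'enabled' (the 'true'/'false' string form is assumed).
    A rule absent from the list counts as disabled.
    """
    enabled = {s["id"]: str(s.get("enabled", "")).lower() == "true" for s in scanners}
    return {sid: enabled.get(sid, False) for sid in INJECTION_SCANNERS}


def wait_for_scan(status_fn, scan_id, timeout_s=3600, poll_s=2, sleep_fn=time.sleep):
    """Poll status_fn(scan_id) (e.g. zap.ascan.status) until it reports 100.

    Returns the final percentage; raises TimeoutError if the scan stalls,
    instead of looping forever as a bare `while < 100` loop would.
    """
    deadline = time.monotonic() + timeout_s
    while True:
        pct = int(status_fn(scan_id))
        if pct >= 100:
            return pct
        if time.monotonic() >= deadline:
            raise TimeoutError(f"active scan {scan_id} stuck at {pct}%")
        sleep_fn(poll_s)


def alerts_by_plugin(alerts):
    """Count alerts per rule; `alerts` is zap.core.alerts() output, dicts
    carrying a 'pluginId' string (assumed key name)."""
    counts = {}
    for a in alerts:
        counts[a["pluginId"]] = counts.get(a["pluginId"], 0) + 1
    return counts


def diagnose(scanners, alerts):
    """One line per injection rule explaining why it is, or is not, in the report."""
    status = injection_scanner_status(scanners)
    counts = alerts_by_plugin(alerts)
    lines = []
    for sid, name in INJECTION_SCANNERS.items():
        if not status[sid]:
            lines.append(f"{sid} {name}: not enabled in the active scan policy")
        elif counts.get(sid, 0) == 0:
            lines.append(f"{sid} {name}: enabled, scan completed, no alert raised")
        else:
            lines.append(f"{sid} {name}: {counts[sid]} alert(s)")
    if PASSIVE_POTENTIAL_XSS in counts:
        lines.append(f"{PASSIVE_POTENTIAL_XSS} is a passive rule; it does not confirm active XSS testing ran")
    return lines


def diagnose_live(zap, target):
    """Run the scan against a connected ZAPv2 client and diagnose the result."""
    scan_id = zap.ascan.scan(target)
    wait_for_scan(zap.ascan.status, scan_id)
    return diagnose(zap.ascan.scanners(), zap.core.alerts(baseurl=target))


# Constructed sample data shaped like the API responses (not captured from ZAP).
SAMPLE_SCANNERS = [
    {"id": "40012", "name": "Cross Site Scripting (Reflected)", "enabled": "true"},
    {"id": "40014", "name": "Cross Site Scripting (Persistent)", "enabled": "true"},
    {"id": "40018", "name": "SQL Injection", "enabled": "false"},
]
SAMPLE_ALERTS = [
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)", "risk": "High"},
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)", "risk": "High"},
    {"pluginId": "10031", "alert": "User Controllable HTML Element Attribute (Potential XSS)",
     "risk": "Informational"},
]


def demo():
    """Diagnose the constructed sample data offline."""
    return diagnose(SAMPLE_SCANNERS, SAMPLE_ALERTS)


if __name__ == "__main__":
    for line in demo():
        print(line)
    # Live use (placeholders): client = ZAPv2(apikey="<API-KEY>",
    #   proxies={"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"})
    # then: diagnose_live(client, "http://<target-host>/")
```

Running `demo()` shows the three outcomes side by side: the reflected XSS rule with two alerts, the persistent XSS rule enabled but silent, and SQL injection disabled in the policy, plus a reminder that the passive "Potential XSS" entry is not evidence that active XSS rules executed. Against a live instance, `diagnose_live` is the call to make right after the scan finishes and before generating the HTML report.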

psiinon

Jul 10, 2024, 4:05:35 AM
to ZAP Developer Group
Hi Sridatta,

Please ask this question in the ZAP User Group: https://groups.google.com/group/zaproxy-users
The Developer Group is for questions regarding ZAP development.

Cheers,

Simon

Shamsudin MH

Jul 14, 2024, 4:50:04 AM
to zaproxy...@googlegroups.com
Hi Sridatta,
  If you have chosen the Policy Manager with XSS and SQL Injection, but they are still not showing up, it means your test application does not have these vulnerabilities. Try the Buggy URL, which contains XSS and SQL Injection. You can test the PetStore Buggy application. Hope this will help.

Regards
Shamsudin  
