SQL Injection attacks not running - request fields wrapped in data object


Patrick Morph

Apr 18, 2025, 7:16:25 AM
to ZAP User Group
I'm trying to write a Python script to run in GitHub Actions to ZAP scan my API. This seems to be working for passive scans, but it's not running attacks such as the SQL Injection attacks. I think this is because the fields it should inject into are wrapped in a "data" object, and the ZAP attack can't inject into an object and doesn't know to go a step deeper to find the key:values contained in the "data" object.

How can I solve this? I have seeded my attacks and spidered with the format expected by my API. I cannot change away from the "data" object wrapper as this is how my API consumes request payloads. But I need to somehow tell ZAP to do this?

It is possible that the issue of SQL Injection attacks may be unrelated to this, but I think it is the issue.

Thanks,
Patrick

Patrick Morph

Apr 18, 2025, 10:47:58 AM
to ZAP User Group
I found the answer.

You have to call this:

    zap.ascan.set_option_target_params_enabled_rpc(True)
    zap.ascan.set_option_target_params_injectable(8 + 16)

8 tells it to inject into POST data and 16 tells it to inject into JSON.
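The following is an added example, not code from the poster or from the ZAP project: a small script in the shape of the CI job described above. It applies the two `ascan` options the reply names, reads them back so a misconfiguration fails the job early, launches an active scan with a seed POST whose fields sit under the API's "data" wrapper, and filters the resulting alerts for SQL-injection findings. It assumes the `python-owasp-zap-v2.4` client (`zapv2.ZAPv2`); the values 8 + 16 and True are the ones the reply reports working and are passed through unchanged (check them against the ScannerParam documentation for your ZAP release). The endpoint URL, the seed fields and the `FakeZAP` stand-in are constructed so the script runs without a ZAP instance.

```python
"""Configure ZAP active-scan injection targets for a JSON API and collect
SQL-injection alerts (added example; assumptions labelled in comments)."""
import json
import time

try:
    from zapv2 import ZAPv2  # real client; optional so the script imports offline
except ImportError:
    ZAPv2 = None

# Values the thread reports as working; verify against your ZAP version.
INJECTABLE_MASK = 8 + 16
RPC_ENABLED = True


def configure_injection_targets(ascan, injectable_mask=INJECTABLE_MASK,
                                rpc_enabled=RPC_ENABLED):
    """Set which request parts the active scanner may inject into, then read
    the option back so a CI job fails fast if ZAP rejected the value."""
    ascan.set_option_target_params_injectable(injectable_mask)
    ascan.set_option_target_params_enabled_rpc(rpc_enabled)
    applied = int(ascan.option_target_params_injectable)  # API returns a string
    if applied & injectable_mask != injectable_mask:
        raise RuntimeError(f"injectable mask not applied: got {applied}")
    return applied


def seed_and_scan(zap, url, data_fields, poll_seconds=5, timeout=600):
    """Launch an active scan using a POST body in the API's own shape
    ({"data": {...}}) and block until ZAP reports 100% progress."""
    body = json.dumps({"data": data_fields})
    scan_id = zap.ascan.scan(url, recurse=True, method="POST", postdata=body)
    deadline = time.monotonic() + timeout
    while int(zap.ascan.status(scan_id)) < 100:
        if time.monotonic() > deadline:
            raise TimeoutError(f"active scan {scan_id} did not finish")
        time.sleep(poll_seconds)
    return scan_id


def sql_injection_alerts(zap, url):
    """Keep only alerts whose rule name is in the 'SQL Injection' family."""
    return [a for a in zap.core.alerts(baseurl=url)
            if "SQL Injection" in a.get("alert", "")]


def run(zap, url, data_fields):
    """Full CI flow: configure targets, scan, return SQLi findings."""
    configure_injection_targets(zap.ascan)
    seed_and_scan(zap, url, data_fields, poll_seconds=0)
    return sql_injection_alerts(zap, url)


# --- Constructed stand-in so the flow can be exercised without ZAP running ---
class _FakeAscan:
    def __init__(self):
        self.calls, self._injectable = [], 0

    def set_option_target_params_injectable(self, value):
        self.calls.append(("injectable", value))
        self._injectable = value

    def set_option_target_params_enabled_rpc(self, value):
        self.calls.append(("rpc", value))

    @property
    def option_target_params_injectable(self):
        return str(self._injectable)  # mimics the string the real API returns

    def scan(self, url, recurse=None, method=None, postdata=None, **_):
        self.calls.append(("scan", url, method, postdata))
        return "1"

    def status(self, scanid):
        return "100"


class _FakeCore:
    def alerts(self, baseurl=None, **_):
        # Constructed sample alerts: one SQLi hit on a wrapped field, one noise.
        return [{"alert": "SQL Injection", "url": baseurl, "param": "data.user"},
                {"alert": "X-Content-Type-Options Header Missing", "url": baseurl}]


class FakeZAP:
    def __init__(self):
        self.ascan, self.core = _FakeAscan(), _FakeCore()


if __name__ == "__main__":
    # Swap in ZAPv2(apikey=..., proxies={...}) to drive a real ZAP daemon.
    findings = run(FakeZAP(), "https://api.example.test/items", {"user": "alice"})
    for f in findings:
        print(f["alert"], f["url"], f.get("param"))
```

In a real pipeline the seed request must match the shape the API actually parses; if the scanner still reports no SQL-injection rule activity, the read-back in `configure_injection_targets` is the first thing to check, since a rejected option value leaves the body untouched and the scan silently degrades to the passive results the question describes.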

Simon Bennetts

Apr 30, 2025, 10:08:47 AM
to ZAP User Group
Thanks for the update!