ZAP not able to detect SQL injection


Vighneshbalaji M

Jun 3, 2021, 6:29:21 AM
to OWASP ZAP User Group
Hi team,

My application has an SQL injection vulnerability, but when I tried to detect it using ZAP it was not working properly.

Could someone please help with why it is not detected? What would be the evidence for SQL injection?


image (2).png
image.png
image (1).png

psiinon

Jun 3, 2021, 6:37:17 AM
to zaprox...@googlegroups.com
Difficult for us to tell unless we know more about how your application works.
Which scan rules have you used?
If you've just used the release ones then try the beta ones as well.

Cheers,

Simon


--
OWASP ZAP Project leader

Vighneshbalaji M

Jun 3, 2021, 6:54:18 AM
to OWASP ZAP User Group
It is just a simple application which takes a userid and displays the user information. In the backend I've used a simple SQL statement.

I've used active scan rules.

Screenshot from 2021-06-03 16-21-31.png
Screenshot from 2021-06-03 16-23-00.png
Screenshot from 2021-06-03 16-23-58.png

Simon Bennetts

Jun 3, 2021, 7:23:07 AM
to OWASP ZAP User Group
Try using the beta active scan rules, if you haven't already: https://www.zaproxy.org/docs/desktop/addons/active-scan-rules-beta/

Vighneshbalaji M

Jun 3, 2021, 8:05:23 AM
to OWASP ZAP User Group
Have tried beta active scan rules, not working

Simon Bennetts

Jun 3, 2021, 8:22:37 AM
to OWASP ZAP User Group
OK, do you have a valid attack and associated output?

Vighneshbalaji M

Jun 3, 2021, 8:22:47 AM
to OWASP ZAP User Group
Please refer to this request, response and status code for the scan.

Screenshot from 2021-06-03 17-49-59.png
Screenshot from 2021-06-03 17-50-32.png
Screenshot from 2021-06-03 17-50-49.png

Vighneshbalaji M

Jun 4, 2021, 12:58:02 AM
to OWASP ZAP User Group
Any update?

Simon Bennetts

Jun 4, 2021, 4:21:06 AM
to OWASP ZAP User Group
It does look like a false negative, so could you raise a new issue for it?
A simple way to reproduce the problem would definitely help.

Many thanks,

Simon

Vighneshbalaji M

Jun 4, 2021, 5:48:25 AM
to OWASP ZAP User Group
Done.

Simon Bennetts

Jun 4, 2021, 6:22:25 AM
to OWASP ZAP User Group
Many thanks!

kingthorin+owaspzap

Jun 4, 2021, 10:34:19 AM
to OWASP ZAP User Group
Note I've only spent like 2mins or less reading this thread: Maybe I haven't put enough thought into this or looked at it closely enough, but is that really an SQLi vuln if it's just reflecting back part of the user input?

kingthorin+owaspzap

Jun 4, 2021, 10:36:49 AM
to OWASP ZAP User Group
Disregard, I see it now.

The result set contained nothing until you unioned it.

Vighneshbalaji M

Jun 7, 2021, 1:42:48 AM
to OWASP ZAP User Group
It has an SQLi vulnerability; you can look at this code snippet to see where the vulnerability is possible. Line 5 has the SQL statement where user_id is appended. Using this we can have an SQLi vulnerability.
Screenshot from 2021-06-07 11-10-58.png
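
The pattern discussed in this thread (a user_id appended to the SQL statement, and a result set that is empty until a UNION is added), shown as an added example that is not code from any poster or from ZAP. The schema, function names and input values are constructed assumptions, and Python with sqlite3 stands in for the application's backend, which the thread does not show as text.

```python
import sqlite3

# Constructed input: a user id value that carries extra SQL after the number.
CONSTRUCTED_INPUT = "0 UNION SELECT user_id, name FROM users"


def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "alice"), (2, "bob")])
    return db


def lookup_concatenated(db, user_id):
    """Flawed form: user_id is appended to the statement text,
    so the database parses it as part of the SQL."""
    sql = "SELECT user_id, name FROM users WHERE user_id = " + user_id
    return db.execute(sql).fetchall()


def lookup_parameterized(db, user_id):
    """Hardened form: user_id is bound as a value and is never
    parsed as SQL, whatever characters it contains."""
    sql = "SELECT user_id, name FROM users WHERE user_id = ?"
    return db.execute(sql, (user_id,)).fetchall()


def compare(db, user_id):
    """Return (concatenated_rows, parameterized_rows) for one input,
    usable as a regression check once the query has been fixed."""
    return (sorted(lookup_concatenated(db, user_id)),
            lookup_parameterized(db, user_id))


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "0", CONSTRUCTED_INPUT):
        flawed, fixed = compare(db, value)
        print(repr(value), "concatenated:", flawed, "parameterized:", fixed)
```

For an id that matches no row, both forms return nothing; only the concatenated form starts returning rows once the input carries a UNION, which is the difference in output that serves as evidence of the flaw.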

Vighneshbalaji M

Jun 7, 2021, 1:43:48 AM
to OWASP ZAP User Group
Which result set are you talking about? Could you explain in detail?

Cleber Lopes

Oct 30, 2023, 10:32:41 AM
to ZAP User Group
Were you able to fix this issue?