My application is using a MySQL database, so why did it detect SQL Injection - SQLite?


ZHEN XIAN LIM

May 5, 2023, 2:56:08 AM
to OWASP ZAP User Group
Why can SQLite injection happen in my application when the database I used is MySQL only?

Simon Bennetts

May 5, 2023, 4:25:11 AM
to OWASP ZAP User Group
ZAP does not know what database you are using. By default it will attempt to attack all dbs.
If it finds a vulnerability in a db other than the one you are using then either:
  • The attack just happens to work for both dbs
  • It's a false positive
We have a FAQ for handling false positives: https://www.zaproxy.org/faq/how-do-i-handle-a-false-positive/

You can also tell ZAP which technology your app is using via a Context: https://www.zaproxy.org/docs/desktop/ui/dialogs/session/contexts/#technology
This is strongly recommended - it will both speed up your scan time and potentially reduce false positives.

Cheers,

Simon
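
A way to triage a finished scan along the two cases described in the reply above, as an added example that is not part of the original thread and not ZAP's own code: it reads a JSON report and separates SQL injection alerts that name a database the application uses from those that name another one, which then need manual confirmation or false-positive handling. The report layout (site, alerts, instances), the engine-name list and the sample data are assumptions constructed for illustration.

```python
import json
import re

# Engine names as they appear in ZAP's per-database alert titles (assumed list).
KNOWN_ENGINES = {"mysql", "sqlite", "oracle", "postgresql", "mssql", "hypersonic sql"}
# "SQL Injection - SQLite", optionally followed by a qualifier in parentheses.
ENGINE_RE = re.compile(r"^SQL Injection - ([^()]+?)\s*(?:\(.*\))?$")

# Constructed sample report; hosts, paths and parameters are made up.
SAMPLE_REPORT = json.dumps({"site": [{"@name": "https://app.example.test", "alerts": [
    {"alert": "SQL Injection - SQLite", "instances": [
        {"uri": "https://app.example.test/items?id=1", "method": "GET", "param": "id"}]},
    {"alert": "SQL Injection - MySQL (Time Based)", "instances": [
        {"uri": "https://app.example.test/login", "method": "POST", "param": "user"}]},
    {"alert": "SQL Injection", "instances": [
        {"uri": "https://app.example.test/search?q=a", "method": "GET", "param": "q"}]},
    {"alert": "X-Content-Type-Options Header Missing", "instances": [
        {"uri": "https://app.example.test/", "method": "GET", "param": ""}]},
]}]})


def triage_sql_alerts(report_json, engines_in_use):
    """Bucket SQL injection alert instances by the engine named in the alert title."""
    in_use = {e.lower() for e in engines_in_use}
    buckets = {"matches_stack": [], "other_engine": [], "generic": []}
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            title = alert.get("alert") or alert.get("name", "")
            if not title.startswith("SQL Injection"):
                continue  # not an SQL injection finding
            m = ENGINE_RE.match(title)
            engine = m.group(1).lower() if m else None
            if engine not in KNOWN_ENGINES:
                bucket = "generic"        # engine-agnostic rule: always review
            elif engine in in_use:
                bucket = "matches_stack"  # names the database the app uses
            else:
                bucket = "other_engine"   # cross-engine payload or false positive
            for inst in alert.get("instances", []):
                buckets[bucket].append(
                    (title, inst.get("method"), inst.get("uri"), inst.get("param")))
    return buckets


if __name__ == "__main__":
    for bucket, rows in triage_sql_alerts(SAMPLE_REPORT, ["MySQL"]).items():
        for row in rows:
            print(bucket, *row, sep="\t")
```

Entries in `other_engine` are the ones to re-test by hand against the real database before marking them as false positives.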

ZHEN XIAN LIM

May 17, 2023, 4:55:28 AM
to OWASP ZAP User Group
Sorry to disturb you again on this question. May I know how I can tell if the attack just happens to work for both dbs? Can you teach me how to deal with this question? Feel free to ask me if you need any extra information.