SQL injection may be possible. False positive?


Patrick Mary

Apr 1, 2015, 4:18:27 PM4/1/15
to zaprox...@googlegroups.com
Hi,

I am using ZAP (version 2.3.1) on several websites our team has developed in ASPX with the CMS Kentico 8.

We were stunned when ZAP reported this error on several pages:

SQL injection may be possible

The page results were successfully manipulated using the boolean conditions [A5343185' AND '1'='1' -- ] and [A5343185' OR '1'='1' -- ]
The parameter value being modified was NOT stripped from the HTML output for the purposes of the comparison
Data was NOT returned for the original parameter.
The vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter.

------
Our team thinks those errors are false positives because we are using the CMS API for our SQL statements.

So my question is: has anyone had that kind of message using ZAP? Could they be false positive alerts?

kingthorin+owaspzap

Apr 1, 2015, 9:43:47 PM4/1/15
to zaprox...@googlegroups.com
It could be a false positive. You'd have to compare the base request vs the two test responses.

You might also want to review:
https://docs.kentico.com/display/K8/SQL+injection

wade.sc...@gmail.com

Mar 25, 2016, 10:34:02 AM3/25/16
to OWASP ZAP User Group
We are having the same issue. Could someone point to directions on how to "compare the base request vs the two test responses"?

wade.sc...@gmail.com

Mar 25, 2016, 10:38:04 AM3/25/16
to OWASP ZAP User Group
Also, after a scan has run and I load the session, there doesn't seem to be a way to recover the original messages. For example, I select one of the SQL injection alerts, right-click and pick "Show in History Tab", which brings up an empty dialog. Ideally, what I would like to see is a "diff" of the "good" and the "bad" response (the latter being the response to an attempted injection).

thc...@gmail.com

Mar 25, 2016, 11:50:08 AM3/25/16
to zaprox...@googlegroups.com
Hi.

> Example, I select one of the SQL injection alerts, right click and pick "Show in History Tab" which brings up an empty dialog.

Yes, the message is not available in the history tab but it is
automatically shown in the Request/Response tabs when the alert is selected.
(It's also available through the ZAP API.)

> Ideally, what I would like to see is a "diff" of the "good" and the "bad" response (the latter being in response to an attempted injection).

Would you mind raising an issue? [1]


[1] https://github.com/zaproxy/zaproxy/issues/new

Best regards.

thc...@gmail.com

Mar 25, 2016, 11:53:28 AM3/25/16
to zaprox...@googlegroups.com
The alert should indicate which parameter has the problem and the "other
info" the values that were sent during the test and the reason why the
issue was raised.

You would have to manually send the two(?) requests and then compare the
responses.

Best regards.
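The manual triage step described in the last two replies ("send the two requests and compare the responses") can be scripted once you have saved the three response bodies from ZAP's Request/Response tabs. The following is an added example, not code from this thread or from ZAP itself. It encodes the logic the alert text spells out: the AND '1'='1' variant should behave like the original request, while the OR '1'='1' variant should return more data. Because the alert says the injected value was NOT stripped from the HTML before ZAP compared the responses, the helper first removes every value that was sent (raw and HTML-escaped) so a page that merely echoes the search term does not count as a difference. The parameter value `widget`, the page bodies and the thresholds are constructed for illustration; substitute the payloads from your alert's "other info".

```python
"""Triage helper for ZAP's boolean-based "SQL injection may be possible" alert.

Added example, not ZAP's code. Inputs are three response bodies you replayed
yourself: the original request, the AND '1'='1' variant, the OR '1'='1' variant.
"""
import difflib
import html
import re

# Constructed sample values; in practice take them from the alert's "other info".
ORIGINAL_VALUE = "widget"
AND_PAYLOAD = "widget' AND '1'='1' -- "
OR_PAYLOAD = "widget' OR '1'='1' -- "
SENT_VALUES = [ORIGINAL_VALUE, AND_PAYLOAD, OR_PAYLOAD]

THRESHOLD = 0.98  # similarity at or above this counts as "same response"


def normalize(body, sent_values):
    """Strip reflected input and whitespace noise; return a list of comparable lines."""
    # Longest value first, so a payload is removed before the shorter
    # original value it contains would leave a dangling fragment behind.
    for value in sorted(sent_values, key=len, reverse=True):
        for form in (value, html.escape(value, quote=True)):  # raw and HTML-encoded echo
            body = body.replace(form, "")
    lines = [re.sub(r"\s+", " ", line).strip() for line in body.splitlines()]
    return [line for line in lines if line]


def similarity(a_lines, b_lines):
    """Line-based similarity in [0, 1]; 1.0 means identical after normalisation."""
    return difflib.SequenceMatcher(None, a_lines, b_lines).ratio()


def triage(baseline, and_true, or_true, sent_values=SENT_VALUES, threshold=THRESHOLD):
    """Return (verdict, scores) for one boolean-based SQLi alert.

    likely false positive   : all three responses identical once echoes are stripped
    consistent with injection: AND-true matches baseline, OR-true returns different/more data
    inconclusive            : AND-true already differs, so dynamic content is in play
    """
    base = normalize(baseline, sent_values)
    s_and = similarity(base, normalize(and_true, sent_values))
    s_or = similarity(base, normalize(or_true, sent_values))
    scores = {"and_vs_base": round(s_and, 3), "or_vs_base": round(s_or, 3)}
    if s_and >= threshold and s_or >= threshold:
        return "likely false positive", scores
    if s_and >= threshold:
        return "consistent with injection", scores
    return "inconclusive", scores


def show_diff(a, b, sent_values=SENT_VALUES, label_a="baseline", label_b="test"):
    """Unified diff of two responses after normalisation, for human review."""
    return "\n".join(difflib.unified_diff(
        normalize(a, sent_values), normalize(b, sent_values), label_a, label_b, lineterm=""))


# Constructed sample responses from a search page that echoes the parameter.
BASELINE = """<html><body>
<h1>Search</h1>
<p>You searched for: widget</p>
<p>No results.</p>
</body></html>
"""
AND_TRUE = """<html><body>
<h1>Search</h1>
<p>You searched for: widget&#x27; AND &#x27;1&#x27;=&#x27;1&#x27; -- </p>
<p>No results.</p>
</body></html>
"""
# Case 1: the page only echoes the payload; no data change -> false positive.
OR_TRUE_ECHO_ONLY = """<html><body>
<h1>Search</h1>
<p>You searched for: widget&#x27; OR &#x27;1&#x27;=&#x27;1&#x27; -- </p>
<p>No results.</p>
</body></html>
"""
# Case 2: OR '1'='1' made the query return every row -> worth a manual look.
OR_TRUE_MORE_DATA = """<html><body>
<h1>Search</h1>
<p>You searched for: widget&#x27; OR &#x27;1&#x27;=&#x27;1&#x27; -- </p>
<ul><li>Alpha</li>
<li>Beta</li>
<li>Gamma</li></ul>
</body></html>
"""

if __name__ == "__main__":
    for name, or_body in (("echo only", OR_TRUE_ECHO_ONLY), ("more data", OR_TRUE_MORE_DATA)):
        verdict, scores = triage(BASELINE, AND_TRUE, or_body)
        print(f"{name}: {verdict} {scores}")
        print(show_diff(BASELINE, or_body, label_b="OR-true"))
```

The verdict is only a first filter: "consistent with injection" means the responses behave the way a boolean-based injection would, which still has to be confirmed by reading the diff and the server-side code path, and "inconclusive" usually points at timestamps, CSRF tokens or session-dependent content that should be added to the stripping step before re-running.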