What is the default DB query syntax ZAP uses for SQL injection


Partha S S

Jun 24, 2022, 1:49:09 AM
to OWASP ZAP User Group
Hi,

I have an application with SQL Server. I am getting a critical error in reports. When I try to reproduce it manually, it looks like the SQL injection script used is for Oracle DB. My question is, in ZAP contexts, I have selected all checkboxes under Technology > DB. Will ZAP try all DB queries when it tries SQL injection?

Thanks,
Partha

kingthorin+owaspzap

Jun 24, 2022, 2:58:56 PM
to OWASP ZAP User Group
Yes.

Partha S S

Jun 27, 2022, 3:09:23 AM
to OWASP ZAP User Group
In reports, it's showing the "Attack" field with a value specific to Oracle DB. How do I get it for MS SQL?
Thanks

Simon Bennetts

Jun 27, 2022, 3:41:28 AM
to OWASP ZAP User Group
ZAP has multiple rules for detecting SQL injection vulnerabilities - search for "SQL" in the "alert" field on https://www.zaproxy.org/docs/alerts/
If any of the rules find a potential vulnerability then they will report it.
In this case it appears that it was the Oracle-specific rule that found a potential problem, but that could be a false positive.
If the MS SQL-specific rule finds a potential problem then it will report the attack it uses.
They are independent rules, so there is no simple way to convert one attack to another.
Just run all of the rules, or use the Technology Flags to disable tests against DBs that you know are not in use.

Cheers,

Simon