What is the default DB query syntax ZAP uses for SQL injection

Partha S S

unread,

Jun 24, 2022, 1:49:09 AMJun 24

to OWASP ZAP User Group

Hi,

I have application with SQL server. I am getting critical error in reports. When I try to reproduce manually, It looks like the SQL injection script used uses Oracle DB. My Question is , In ZAP contexts, I have selected all checkboxes under technology > DB. Will ZAP try all DB queries when it tries SQL injection?

Thanks,

Partha

kingthorin+owaspzap

unread,

Jun 24, 2022, 2:58:56 PMJun 24

to OWASP ZAP User Group

Yes.

Partha S S

unread,

Jun 27, 2022, 3:09:23 AMJun 27

to OWASP ZAP User Group

In reports, its showing for "Attack" field with value specific to Oracle DB, How to get it for MS SQL

Thanks

Simon Bennetts

unread,

Jun 27, 2022, 3:41:28 AMJun 27

to OWASP ZAP User Group

ZAP has multiple rules for detecting SQL injection vulnerabilities - search for "SQL" in the "alert" field on https://www.zaproxy.org/docs/alerts/

If any of the rules find a potential vulnerability then they will report it.

In this case it appears that it was the Oracle specific rule that found a potential problem, but that could be a False Positive.

If the MS SQL specific rule finds a potential problem then it will report the attack it uses.

They are independent rules, so there is no simple way to convert one attack to another.

Just run all of the rules, or use the Technology Flags to disable tests against dbs that you know are not in use.