ZAP and SQL Injection - Potential Issue


ryerson...@gmail.com

Dec 10, 2015, 1:59:42 PM12/10/15
to OWASP ZAP User Group
So every issue that ZAP has found under SQL injection seems to be time based, trying to inject some form of sleep with a timer of 5 seconds.
To me this is NOT a very useful test, especially considering that there might be some lag with network traffic. Is there any way to change the test to

  1. Preferably, do something other than a sleep, try to retrieve actual data, or
  2. Have a much longer sleep, such as 20 seconds.

SQL Injection - Hypersonic SQL - Time Based
SQL Injection - MySQL
SQL Injection - Oracle - Time Based
SQL Injection - PostgreSQL - Time Based

Even those that don't specifically list "Time Based" only try to do sleep(5)s. I have my threshold set to medium and my strength to medium.

---

Similarly, do I just copy and paste the attack into the form field in the browser to manually test when pressing submit, or do I need to somehow modify the actual POST request?

---

Re-sending the request to check doesn't perform authentication; isn't this an issue when trying to double check some issues that were found?

Sarmad Butt

Dec 11, 2015, 1:10:45 AM12/11/15
to OWASP ZAP User Group
I am also having the same issue: the only SQL injections pointed out by ZAP are time based, and when I copy those attacks and enter them in the said field nothing happens; the application responds and works properly.

ryerson...@gmail.com

Dec 15, 2015, 12:26:58 PM12/15/15
to OWASP ZAP User Group
Anyone able to comment on this?

Simon Bennetts

Dec 15, 2015, 12:36:30 PM12/15/15
to OWASP ZAP User Group
Yes, sorry - been on my todo list ;)

You're quite right about this problem, and we have a proposed solution.
The plan is to introduce 'rule level' configurations for things like this.
So we would have key/value pairs like timeout.default=5 which all rules which use time based attacks should change to use.
We would then allow the user to change these via the UI, command line and API.
Ideally I think we should also have another pair like timeout.validate=20 which all rules use to sanity check that the problem is real and not just a slow network issue.

We also should have some way of categorising rules that use timing checks so that users can easily disable them if they want to, eg to speed up a scan.

Any feedback on these proposals much appreciated.

Cheers,

Simon

ryerson...@gmail.com

Dec 15, 2015, 12:53:43 PM12/15/15
to OWASP ZAP User Group
Thank you for the reply! The only feedback I can suggest is that there are some injection attacks that aren't time based; as far as I can tell it always tries to sleep. If instead it tried to select a list of tables from the database, that would be great.

kingthorin+owaspzap

Dec 15, 2015, 2:17:01 PM12/15/15
to OWASP ZAP User Group
Time based attacks are generally used for blind variants (Blind SQLi, Blind Command Injection, etc), so selecting a list of tables isn't an applicable test.

ryerson...@gmail.com

Dec 16, 2015, 12:31:53 PM12/16/15
to OWASP ZAP User Group
To give you more ideas of the bugs I found with SQL, here is the situation that I found.

What happens now is that the choiceid is stored as a session parameter (no sanitization), after which an SQL select query uses that variable directly to retrieve information. There is nothing to check that this value is an integer or that it doesn't contain escape characters. I have manually confirmed that I am able to modify the URL to retrieve database data and obtain data related to a different choiceid other than 90.

ZAP finds this in another manner, same but different but still same but still different (if you get the reference [1], a little light humor); back on track, ZAP finds it as a Cross Site Scripting (Reflected) because it tries to inject JavaScript into the statement.

I am glad that it found this (it required me going to intense difficulty) but I am wondering why it didn't find the ONE intentional SQL Injection Oracle I left for it. If you have any questions, please feel free to ask and I will try to clarify anything I can!
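The choiceid bug described in the post above, reduced to a runnable illustration. This is an added example and not code from the thread or from the application being tested: the table, column names and rows are constructed, and an in-memory SQLite database stands in for whatever database the application uses. It shows the unsafe pattern (the session value concatenated straight into the SELECT, so a value other than a plain integer changes which rows come back) beside the hardened form, which validates that the value is an integer and then binds it as a query parameter.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: three choices owned by different users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE choices (choiceid INTEGER PRIMARY KEY, owner TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO choices VALUES (?, ?, ?)",
        [(90, "alice", "alice-data"), (91, "bob", "bob-data"), (92, "carol", "carol-data")],
    )
    return conn


def lookup_unsafe(conn, choiceid):
    """The pattern the post describes: the session value is pasted into the SQL text.

    Because the value is never checked, a string such as "90 OR choiceid = 91"
    is parsed as SQL and widens the WHERE clause to rows the caller should not see.
    """
    sql = f"SELECT choiceid, owner FROM choices WHERE choiceid = {choiceid} ORDER BY choiceid"
    return conn.execute(sql).fetchall()


def parse_choiceid(raw):
    """Accept only a plain ASCII decimal integer; anything else is rejected before the DB sees it."""
    if not isinstance(raw, str) or re.fullmatch(r"[0-9]+", raw) is None:
        raise ValueError(f"invalid choiceid: {raw!r}")
    return int(raw)


def lookup_safe(conn, raw_choiceid):
    """Hardened form: validate the type, then pass the value as a bound parameter.

    With a bound parameter the database driver treats the value as data, so even
    if validation were loosened it could not alter the structure of the query.
    """
    choiceid = parse_choiceid(raw_choiceid)
    return conn.execute(
        "SELECT choiceid, owner FROM choices WHERE choiceid = ? ORDER BY choiceid",
        (choiceid,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("unsafe, normal value:", lookup_unsafe(db, "90"))
    print("unsafe, tampered value:", lookup_unsafe(db, "90 OR choiceid = 91"))
    print("safe, normal value:", lookup_safe(db, "90"))
    try:
        lookup_safe(db, "90 OR choiceid = 91")
    except ValueError as exc:
        print("safe, tampered value rejected:", exc)
```

The integer check is the cheap first line of defence and the parameter binding is the one that actually removes the injection class; keep both, since the check also gives the application a clean place to log and reject tampered session values.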

Rajesh Bhadana

Sep 19, 2016, 1:39:53 AM9/19/16
to OWASP ZAP User Group
Anyone have any idea how to fix these issues reported by ZAP?

SQL Injection - Oracle - Time Based

Remote OS Command Injection

SQL Injection - PostgreSQL - Time Based

SQL Injection - MySQL - Time Based

Please share any information related to how these should be fixed.

Thanks

Simon Bennetts

Sep 19, 2016, 7:36:56 AM9/19/16
to OWASP ZAP User Group
First of all you need to work out if they are real issues or false positives.
Try to reproduce the results manually and, while doing that, increase the number of seconds to see if the response time increases accordingly.
The weekly ZAP release supports Rule Configurations and these allow you to increase the time used for timing attacks for all rules: https://groups.google.com/d/msg/zaproxy-develop/y-IJDZG5skk/hfS42b_VBAAJ so you could try that if you have problems reproducing them manually.

Cheers,

Simon
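The manual check Simon describes, turned into a small triage routine. This is an added example, not ZAP code and not part of the thread: it only evaluates response timings you have already collected by re-sending a request yourself, once without the delay payload and then asking for longer and longer delays (the 5 and 20 second values mirror the timeout.default and timeout.validate pairs proposed earlier in the thread). The timing samples are constructed. The point it demonstrates is why a single "took at least 5 seconds" observation is a weak signal on a jittery network, and why checking that the extra latency tracks the requested delay at more than one value separates a real finding from a false positive.

```python
from statistics import median

# Constructed latency samples in seconds, keyed by the delay (seconds) the
# re-sent request asked for. 0 is the baseline request with no delay payload.
SAMPLES = {
    # A real time-based finding: latency grows by roughly the requested amount.
    "confirmed": {
        0: [0.42, 0.39, 0.45],
        5: [5.41, 5.38, 5.44],
        20: [20.40, 20.37, 20.46],
    },
    # Network jitter only: an occasional slow response, no relation to the delay asked for.
    "slow_network": {
        0: [0.40, 4.90, 0.41],
        5: [5.20, 0.43, 0.47],
        20: [0.44, 6.10, 0.45],
    },
}


def single_sample_check(observed_seconds, timeout_seconds=5.0):
    """The weak check: one response that took at least `timeout_seconds` is treated as a hit.

    This is the kind of test the thread complains about; a single slow response on
    a laggy network satisfies it even when nothing was injected.
    """
    return observed_seconds >= timeout_seconds


def delay_is_real(timings, tolerance_seconds=1.0):
    """Return True only if extra latency tracks the requested delay at every step.

    `timings` maps requested delay -> list of observed latencies. The baseline
    (key 0) is subtracted using medians so one stray slow packet cannot dominate,
    and each non-zero step must add close to its requested delay on top of it.
    """
    if 0 not in timings or len(timings) < 2:
        raise ValueError("need a baseline (key 0) and at least one delayed measurement")
    baseline = median(timings[0])
    for requested, observed in sorted(timings.items()):
        if requested == 0:
            continue
        extra = median(observed) - baseline
        if abs(extra - requested) > tolerance_seconds:
            return False
    return True


def triage(samples):
    """Classify every constructed case with both checks, for side-by-side comparison."""
    report = {}
    for name, timings in samples.items():
        first_delayed_sample = timings[5][0]
        report[name] = {
            "single_sample_flags": single_sample_check(first_delayed_sample),
            "confirmed_by_scaling": delay_is_real(timings),
        }
    return report


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:13s} single-sample flags={verdict['single_sample_flags']} "
              f"confirmed by scaling={verdict['confirmed_by_scaling']}")
```

Run it and both cases pass the single-sample check, but only the first survives the scaling check; that second check is the one worth doing before filing any time-based finding as real, and it is the same idea behind the longer validation timeout proposed in this thread.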