In the Zap Api Scan config - what do these mean?
111 views
Skip to first unread message
Paul Robertson
Jun 21, 2019, 4:17:07 AM6/21/19
to OWASP ZAP User Group
The following block of config pertains to sql scans.
40018 WARN (SQL Injection - Active/release)
40019 WARN (SQL Injection - MySQL - Active/beta)
40020 WARN (SQL Injection - Hypersonic SQL - Active/beta)
40021 WARN (SQL Injection - Oracle - Active/beta)
40022 WARN (SQL Injection - PostgreSQL - Active/beta)
What does SQL Injection - Active/release mean?
I also am not sure what these mean:
50000 IGNORE (Script Active Scan Rules - Active/release)
50001 IGNORE (Script Passive Scan Rules - Passive/release)
Thank you
Simon Bennetts
Jun 21, 2019, 4:22:30 AM6/21/19
to OWASP ZAP User Group
On Friday, 21 June 2019 09:17:07 UTC+1, Paul Robertson wrote:
The following block of config pertains to sql scans.40018 WARN (SQL Injection - Active/release)40019 WARN (SQL Injection - MySQL - Active/beta)40020 WARN (SQL Injection - Hypersonic SQL - Active/beta)40021 WARN (SQL Injection - Oracle - Active/beta)40022 WARN (SQL Injection - PostgreSQL - Active/beta)What does SQL Injection - Active/release mean?
"SQL Injection" is the name of the scan rule
"Active" means that its an active rule, as opposed to a passive one
"release" means that its a release quality rule, as opposed to a beta or alpha quality one.
I also am not sure what these mean:50000 IGNORE (Script Active Scan Rules - Active/release)50001 IGNORE (Script Passive Scan Rules - Passive/release)
These 2 identifiers are used for scan rule scripts, so all scan rules defined as scripts will have the same identifier.
Thats actually a bit limiting, so we do plan to allow script scan rules to have their own unique identifiers in the future.
Cheers,
Simon
Thank you
Paul Robertson
Jun 21, 2019, 8:24:19 AM6/21/19
to OWASP ZAP User Group
Thank you Simon.
So would "SQL Injection - Active/release mean" be generic sql injection tests? I notice there is not a MSSQL scan rule, perhaps these would be included in this rule?
Simon Bennetts
Jun 21, 2019, 8:30:02 AM6/21/19
to OWASP ZAP User Group
Thats right.
Some more details are given in the help which is included with ZAP and also available here: https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules#sql-injection
The help for the beta active scan rules is here: https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta#sql-injection---hypersonic-time-based
Reply all
Reply to author
Forward
0 new messages