I have SQL injection detected on my application but how can I know which query or codes are affected?


ZHEN XIAN LIM

May 3, 2023, 3:56:36 AM
to OWASP ZAP User Group
I have SQL injection detected on my application but how can I know which query or codes are affected? 

Simon Bennetts

May 3, 2023, 4:18:23 AM
to OWASP ZAP User Group
Have a look at the full alert details - it should give you lots of information.

Cheers,

Simon

ZHEN XIAN LIM

May 4, 2023, 8:31:43 PM
to OWASP ZAP User Group
Hi Simon, I don't think the result shown here is detailed enough. I want to know which lines or code ZAP attacked; only then would I know which part I could change, right?
[attachment: Capture.PNG]

ZHEN XIAN LIM

May 4, 2023, 10:22:30 PM
to OWASP ZAP User Group
The whole detail is here, but from this, how am I supposed to know which code in my application is causing ZAP to raise the SQL injection alert?
[attachment: Capture.PNG]

Simon Bennetts

May 5, 2023, 4:44:04 AM
to OWASP ZAP User Group
Dynamic Application Scanning Tools (DAST) like ZAP attack an application from the "outside".
DAST tools do not look at or understand source code.
For that you need to use a Static Application Scanning Tool (SAST).
DAST and SAST tools work in different ways and are complementary - they both have different strengths and weaknesses.
One of DAST's strengths is that it can be used to test apps written in any language - it is not technology specific. One of its disadvantages is that because it does not understand source code it cannot tell you which lines of code to look at.

Cheers,

Simon
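As an added illustration of the DAST/SAST split Simon describes (this is example code, not part of the thread and not a ZAP feature): the ZAP alert gives you the URL and the parameter it injected into, and the lightweight static check below does the other half, scanning source text for SQL assembled by concatenation or formatting and ranking the lines that name that parameter. The sample handler source is constructed for the demo, and it assumes the alert's Parameter field reads "username".

```python
import re
from dataclasses import dataclass

# Constructed sample source (not from the thread): a login handler that builds
# SQL by concatenation and a profile handler that binds the value instead.
SAMPLE_SOURCE = '''\
def login(request, db):
    username = request.args.get("username")
    password = request.args.get("password")
    # unsafe: untrusted values are spliced into the SQL text
    sql = "SELECT id FROM users WHERE name = '" + username + "' AND pw = '" + password + "'"
    return db.execute(sql)

def profile(request, db):
    username = request.args.get("username")
    # safe: the value travels as a bound parameter, never as SQL text
    return db.execute("SELECT * FROM users WHERE name = ?", (username,))
'''

# A line that carries SQL keywords...
SQL_KEYWORD = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE|FROM|WHERE)\b", re.I)
# ...and glues a string literal to something else via +, %, .format() or an f-string.
UNSAFE_BUILD = re.compile(r'["\']\s*\+|\+\s*["\']|%\s*\(|\.format\(|\bf["\']')


@dataclass
class Finding:
    line_no: int          # 1-based line in the scanned source
    text: str             # the offending line, stripped
    mentions_param: bool  # does it name the parameter ZAP injected into?


def find_sql_sinks(source: str, param: str) -> list[Finding]:
    """Return lines that assemble SQL from pieces, flagging those that use `param`."""
    name = re.compile(rf"\b{re.escape(param)}\b")
    findings = []
    for no, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("#"):
            continue  # comments are not sinks
        if SQL_KEYWORD.search(line) and UNSAFE_BUILD.search(line):
            findings.append(Finding(no, line, bool(name.search(line))))
    return findings


def triage(source: str, param: str) -> list[str]:
    """Human-readable report; lines that mention the alerted parameter come first."""
    hits = sorted(find_sql_sinks(source, param), key=lambda f: not f.mentions_param)
    return [f"{'!!' if f.mentions_param else '  '} line {f.line_no}: {f.text}" for f in hits]


if __name__ == "__main__":
    # Assumed: the ZAP alert's "Parameter" field reads "username".
    for row in triage(SAMPLE_SOURCE, "username"):
        print(row)
```

Run against a real code base you would feed it each source file in turn and the parameter name from each ZAP alert; the parameterised `profile` handler is deliberately left unflagged, which is the shape the fix for `login` should take.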