ZAP not Capturing SQL Injection Vulnerabilities


Ravindra Bandi

Dec 13, 2023, 9:25:37 AM
to ZAP User Group
Hi Team, 

I was able to capture SQL injections using ZAP v2.9 through a manual security scan, whereas ZAP v2.14 is not able to capture SQL injection in the same web application. Do we have any workaround for this?

Regards,
RB

Zapv214_Scan_policy.png
Report_Details.JPG

Simon Bennetts

Dec 13, 2023, 9:32:25 AM
to ZAP User Group
Hiya,

High threshold may not mean what you think it does :)
Setting a High threshold means ZAP is LESS likely to report potential issues.
Try setting it to Medium or Low and try again.

Cheers,

Simon

Ravindra Bandi

Dec 14, 2023, 12:50:44 AM
to ZAP User Group
Hi Simon,

The application I am scanning is a POC app, and is vulnerable to SQL injection. My understanding is that the application is vulnerable to SQL injection, so a High threshold is expected to give some real SQL injection issues. Could you please correct me if there is some misunderstanding?

If only a Low threshold gives SQL injection issues, we need to correct our ZAP scan policy for the desktop and automation solution as well.

Technical details:
I am directly passing user input to the SQL query to check ZAP results. Below is the query that works correctly:
// Deliberately vulnerable test code: form field values are concatenated straight into the SQL text
SqlCommand cmd = new SqlCommand("insert into TEMP_PRO_SQL_INJECTION values ('" + txtUserName.Text + "','" + txtLocation.Text + "')", sqlConnection);

Regards,
RB

Simon Bennetts

Dec 14, 2023, 4:31:51 AM
to ZAP User Group
Try Low and Medium thresholds and see if they work.
We know nothing about your web app and so cannot tell you if we would expect ZAP to find the SQL vulnerability or not.
But Medium is the default for a reason: it's the level that we think is most suitable for most apps.
Have you confirmed that ZAP has found and tested the relevant functionality?

Cheers,

Simon
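For the "desktop and automation solution" policy question raised above, here is an added example (not from the thread or the ZAP project) of a ZAP Automation Framework plan that spiders the target before the active scan and sets the SQL Injection rule (scan rule id 40018) to a Medium threshold rather than High. The context name and the http://localhost:8080 target URL are placeholders for the POC app.

```yaml
# ZAP Automation Framework plan (added example; not the thread author's config).
# Run with: zap.sh -cmd -autorun plan.yaml
env:
  contexts:
    - name: "poc-app"                 # placeholder context name
      urls:
        - "http://localhost:8080"     # placeholder: the POC app under test
  parameters:
    failOnError: true
    progressToStdout: true

jobs:
  # Make sure ZAP actually discovers the form before attacking it;
  # an active scan only tests what has been found.
  - type: spider
    parameters:
      context: "poc-app"
      maxDuration: 5

  - type: activeScan
    parameters:
      context: "poc-app"
      maxRuleDurationInMins: 5
    policyDefinition:
      # A High threshold makes ZAP LESS likely to report potential issues.
      # Medium is the ZAP default; use Low while confirming a known-vulnerable app.
      defaultStrength: "Medium"
      defaultThreshold: "Medium"
      rules:
        - id: 40018
          name: "SQL Injection"
          strength: "High"          # more payloads per parameter
          threshold: "Medium"       # report at the default confidence level

  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/tmp/zap-reports" # placeholder output directory
      reportFile: "poc-app-scan"
```

Compare the alert list against the same run with `defaultThreshold: "High"` to see which SQL Injection findings the higher threshold suppresses.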