Advanced SQL Injection - AND boolean-based blind - WHERE or HAVING clause


Ravindra Bandi

Dec 5, 2023, 5:25:18 AM12/5/23
to ZAP User Group
Hi Team,

We have used ZAP v2.11 and lower and performed manual security scans on our entire application. During the manual security scan, ZAP reported the below alert in many of the modules (API calls), which we started investigating one by one during recent months. The ZAP version in our environment was then upgraded to 2.12 and then to 2.14 recently, believing that all the reported alerts would still appear when the scan is done with the latest version also.
  • Advanced SQL Injection - AND boolean-based blind - WHERE or HAVING clause

Using ZAP v2.14, I have included Advanced SQL Injection from the Marketplace and performed a manual security scan on some of the modules on which the above SQL injection vulnerability was reported. Unfortunately, this alert is not appearing in either the v2.12 or the v2.14 version of ZAP.

In fact, ZAP (lower than v2.12) reported some vulnerabilities under the below alerts during our manual security scan:
  • Advanced SQL Injection - AND boolean-based blind - WHERE or HAVING clause
  • Advanced SQL Injection - AND boolean-based blind - WHERE or HAVING clause (Generic comment)
  • Advanced SQL Injection - Microsoft SQL Server/Sybase stacked queries (comment)
  • Advanced SQL Injection - Microsoft SQL Server/Sybase time-based blind
  • SQL Injection
  • SQL Injection – MsSQL

Can someone please share a response on the below questions?
1. Has this specific alert (highlighted in RED) been removed?
2. Any information on why it was removed, and the list of removed alerts?
3. ZAP is not finding any SQL injection vulnerabilities even after downloading all injection-related entries from the Marketplace. Is there an existing problem in the tool?

Regards,
RB



Simon Bennetts

Dec 5, 2023, 5:27:42 AM12/5/23
to ZAP User Group
Hi RB,

Have you checked to see if the SQL vulnerabilities reported were real vulnerabilities or false positives?
The ZAP scan rules are continually improved, so if these were false positives then there's a good chance that the rules have been improved.

Cheers,

Simon

Ravindra Bandi

Dec 5, 2023, 6:59:40 AM12/5/23
to ZAP User Group
Hi Simon, 

A few instances in our list appear to be false positives, but we are investigating all of them. Meanwhile, ZAP has been upgraded and the scan results are not capturing any of the alerts. Is it possible to share some information on whether any of the below have been removed?
  • Advanced SQL Injection - AND boolean-based blind - WHERE or HAVING clause
  • Advanced SQL Injection - AND boolean-based blind - WHERE or HAVING clause (Generic comment)
  • Advanced SQL Injection - Microsoft SQL Server/Sybase stacked queries (comment)
  • Advanced SQL Injection - Microsoft SQL Server/Sybase time-based blind 
