OWASP 2.4.0 not detecting SQL injection on DVWA


Alice van Rensburg

Jun 6, 2015, 11:06:32 AM
to zaprox...@googlegroups.com
Hiya - have followed steps as per video https://www.youtube.com/watch?v=dqKGGCVFTvI (ZAP Tutorial A1: Injection)
but have been unable to get any serious alerts from ZAP 2.3.1 or 2.4.0.

Am I missing some vital installation/setup instructions?

Regards
Alice

Alice van Rensburg

Jun 7, 2015, 9:05:04 AM
to zaprox...@googlegroups.com


On Saturday, June 6, 2015 at 5:06:32 PM UTC+2, Alice van Rensburg wrote:
    (First viewed ZAP and authentication video - thought that auth setup might be my problem)

    Logged on to DVWA - Set security to low, executed command execution, SQL injection, SQL injection (blind)

    Setup context with Authentication = Form-based Authentication (with Login form target URL, Login Request Post Data, Parameters and Regex pattern for Logged in)
    Session Management = Cookie-based
    Users setup - admin
    Enabled Session Tracking
    Run Spider Context
    Run Scan

    Still finds absolutely no SQL injection, finds XSS (Reflected).

    Using ZAP 2.3.1 (have also tried 2.4.0 - same thing)

Must be doing something wrong - just no idea what.

Alice van Rensburg

Jun 8, 2015, 5:18:10 AM
to zaprox...@googlegroups.com
Interesting - finally managed to get SQL Injection alerts - did not change anything except created a new HTTP session.
Noticed ZAP getting a lot of authentication messages in console, created a new HTTP session and then it worked.
Confused - sure am doing something wrong, should be consistent as shown on videos.
Anybody know where I can get a step by step?