SQL Injection Discrepancy


Sudheendra Singh

Dec 11, 2019, 9:44:54 AM
to OWASP ZAP User Group
Hi,
I have a sample code base which I run locally, and I am able to get SQL injection flagged via the Desktop tool (version 2.8.0).

I also have a docker image of the same code base which I try to pen test using the zap live docker image and it doesn't seem to flag the SQL injections that the desktop tool has caught.

Is this a known issue? Is it something I need to configure? The config file that I use for my docker run is attached.

Cheers,
Sudhi
apimax.conf

Peter Hauschulz

Dec 11, 2019, 9:59:14 AM
to OWASP ZAP User Group
What steps are you taking before running the active scan?

Sudheendra Singh

Dec 11, 2019, 11:21:57 AM
to OWASP ZAP User Group
Below is the command I run after I have bound the volume ${pwd}:/zap/wrk/:rw

docker run owasp/zap2docker-live zap-api-scan.py -P 8090 -t swagger.yml -f openapi -c apimax.conf -d -a

Attached is my swagger file and the conf file.

Is there something I am missing? I guess that if I can configure a policy file then it could work.
apimax.conf
swagger.yml

Peter Hauschulz

Dec 12, 2019, 6:33:05 AM
to OWASP ZAP User Group
And what steps do you perform before you run the active scan in the GUI?

kingthorin+owaspzap

Dec 12, 2019, 6:35:48 AM
to OWASP ZAP User Group
1) Make sure your configs are the same.
2) Make sure you're exploring/proxying the same content/functionality.
3) Make sure you have the same addons installed (in particular the scan rule addons).
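Kingthorin's first check (same configs) in concrete form, as an added example that is not from this thread or from the ZAP project: the script parses a zap-api-scan.py -c file and reports which rule IDs are set to IGNORE, since an IGNORE entry for the SQL Injection rule would drop exactly the alert the desktop scan shows. It assumes the documented tab-separated "id, action, name" layout and uses a constructed file in place of the attached apimax.conf.

```python
"""Audit a zap-api-scan.py -c config file for rules whose alerts are never reported.
Added example for this thread, not ZAP project code; SAMPLE_CONF is constructed (the
real apimax.conf is not shown). Assumed format: "<id>TAB<IGNORE|WARN|FAIL>TAB(<name>)".
"""
from typing import Dict, List, Tuple

SQLI_RULE_ID = "40018"  # ID of ZAP's active "SQL Injection" scan rule
VALID_ACTIONS = {"IGNORE", "WARN", "FAIL"}

# Constructed sample in the zap-api-scan.py config layout.
SAMPLE_CONF = """\
# zap-api-scan rule configuration file
# Only the rule identifiers are used - the names are just for info
10010\tIGNORE\t(Cookie No HttpOnly Flag)
40012\tWARN\t(Cross Site Scripting (Reflected))
40018\tIGNORE\t(SQL Injection)
90020\tFAIL\t(Remote OS Command Injection)
"""


def parse_conf(text: str) -> Dict[str, Tuple[str, str]]:
    """Map rule id -> (action, name); raise ValueError on a malformed line."""
    rules: Dict[str, Tuple[str, str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        parts = line.split(None, 2)  # id, action, optional name
        if len(parts) < 2 or parts[1].upper() not in VALID_ACTIONS:
            raise ValueError(f"line {lineno}: expected '<id> <IGNORE|WARN|FAIL> [name]', got {raw!r}")
        rules[parts[0]] = (parts[1].upper(), parts[2] if len(parts) == 3 else "")
    return rules


def ignored_rules(rules: Dict[str, Tuple[str, str]]) -> List[str]:
    """Rule ids whose alerts the scan script will leave out of its report."""
    return sorted(rid for rid, (action, _) in rules.items() if action == "IGNORE")


def sqli_suppressed(rules: Dict[str, Tuple[str, str]]) -> bool:
    """True when the config silences the SQL Injection rule itself."""
    return rules.get(SQLI_RULE_ID, ("WARN", ""))[0] == "IGNORE"


if __name__ == "__main__":
    parsed = parse_conf(SAMPLE_CONF)
    print("ignored rules:", ignored_rules(parsed), "| SQLi suppressed:", sqli_suppressed(parsed))
```

These entries only affect rules that are actually installed; the add-ons themselves are installed through ZAP's own command line, which zap-api-scan.py forwards via its -z option.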

Sudheendra Singh

Dec 12, 2019, 12:38:44 PM
to zaprox...@googlegroups.com
Hi,
In the case of the docker image, how do I install an addon? Is it via the -z option? Could you please send an example of how to do it on the command prompt.

Cheers,
Sudhi

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/6a08c122-4881-4e37-933b-5a622e6ec0d7%40googlegroups.com.


--
Regards,
Sudheendra.N.Singh
07872067281

kingthorin+owaspzap

Dec 12, 2019, 3:41:33 PM
to OWASP ZAP User Group

Sudheendra Singh

Dec 18, 2019, 10:22:05 AM
to zaprox...@googlegroups.com
Hi,
I need to pass addoninstalls to zap-api-scan.py. I have already configured a policy and conf file to set max rules. Lastly, I want to include ascanrules, pscanrules and bruteforce. This will ensure my API is thoroughly tested.


On Thu, 12 Dec 2019 at 20:41, kingthorin+owaspzap <kingt...@gmail.com> wrote:
https://github.com/zaproxy/zap-core-help/wiki/HelpCmdline


--
Regards,
Sudheendra.N.Singh
07872067281