ZAP 2.4.3 vs Wavsep 1.5 : some SQLI not detected


Laurent Jubeau

Dec 17, 2015, 4:54:14 AM
to OWASP ZAP User Group
Hello

New French ZAP user here! (also new to security stuff :) )

I'm running ZAP 2.4.3 vs Wavsep 1.5 on my PC with a custom SQLi-only strategy.
I run multiple scans and never get the same number of alerts:

Injection SQL - MySQL (X)    with X = 84 or 86
Injection SQL (Y)            with Y between 30 and 49

and for some Wavsep URLs, I didn't get any alert:
Case04-InjectionInUpdate-Numeric-TimeDelayExploit-200Identical.jsp
Case05-InjectionInUpdate-String-TimeDelayExploit-200Identical.jsp
Case09-InjectionInUpdate-Numeric-CommandInjection-WithDifferent200Responses.jsp
....
(Total 24 .jsp)

Is there a special configuration for the ZAP scanner to detect all WAVSEP SQLi security flaws? Any idea of what I could be doing wrong?

And do you know how to generate this kind of report : http://zapbot.github.io/zap-mgmt-scripts/reports/wavsep-1.5-weekly-RB-H-M.html ?

Thank you guys !




Simon Bennetts

Dec 17, 2015, 6:26:48 AM
to OWASP ZAP User Group
Bonjour Laurent :)

That report was generated by this script: https://github.com/zapbot/zap-mgmt-scripts/blob/master/wavsep/zap-weekly-vs-wavsep-1.5-RB-H-M.sh
But I'm in the middle of rationalising the scripts, so that may disappear soon :/

The important points to note are:
  • It's generated using the weekly version of ZAP (although right now 2.4.3 will probably give the same results)
  • It uses both the Release and Beta scan rules as these are included with the weekly release - full releases don't include Beta rules, although obviously you can install them from the marketplace
  • The beta rules include more rules specifically aimed at SQLi detection: https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta
  • It uses High Strength, which means it will perform more tests than the default (and will therefore take longer)

FYI I will be blogging about all of the ZAP tests that zapbot runs using Docker, I just need to finish tidying all of the scripts up first ;)

I want to make sure that anyone can easily reproduce them, and also hopefully help us improve the ZAP scan rules and as a side effect improve the scores.


Cheers,


Simon

Laurent Jubeau

Dec 17, 2015, 8:34:28 AM
to OWASP ZAP User Group
Currently I can't install add-ons from the marketplace: the add-ons list is empty when I click the "Check for updates" button.
I think it's because I'm behind an enterprise proxy (which regulates internet traffic).

Will try to bypass it.


Thank you for your quick reply Simon !

Simon Bennetts

Dec 17, 2015, 8:39:46 AM
to OWASP ZAP User Group
Have you added your Enterprise Proxy as the outgoing proxy in the Options / Connection screen?
Hopefully that should do the trick :)

Alternatively you can download add-ons manually from https://github.com/zaproxy/zap-extensions/releases and add them via the ZAP File / Load Add-on File... menu

Cheers,

Simon
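
To tie the two points above together (the zapbot setup Simon describes: Release + Beta rules, SQLi rules at High strength; and the outgoing proxy for an enterprise network), here is an added example that is not part of this thread or of the zapbot scripts. It assumes the python ZAP API client (module `zapv2`), a ZAP instance on localhost:8080 with the beta rules already installed, and the `ascan`/`core` API method names as they existed in the 2.4-era client; the Wavsep URL, the `CORP_PROXY` variable, the rule ids and the sample alerts are constructed placeholders. It selects SQLi rules by name rather than by hard-coded id, so newly installed beta rules are picked up, and it reports which expected Wavsep cases raised no alert at all.

```python
"""SQLi-only, High-strength ZAP scan of Wavsep via the ZAP API (added example).

Assumes: `pip install python-owasp-zap-v2.4` (module `zapv2`) and ZAP listening
on localhost:8080 with the ascanrulesBeta add-on installed.
"""
import os
import sys
import time
from collections import Counter

# Constructed sample of the dicts ascan.scanners() returns (trimmed to the keys
# used here). Ids are placeholders, not ZAP's real rule ids.
SAMPLE_SCANNERS = [
    {"id": "9001", "name": "SQL Injection", "enabled": "true", "quality": "release"},
    {"id": "9002", "name": "SQL Injection - MySQL", "enabled": "false", "quality": "beta"},
    {"id": "9003", "name": "Cross Site Scripting (Reflected)", "enabled": "true", "quality": "release"},
]

# Constructed sample of core.alerts() output and of the Wavsep cases we expected
# to be flagged (host is a placeholder).
SAMPLE_ALERTS = [
    {"alert": "SQL Injection - MySQL", "url": "http://wavsep.invalid/Case01.jsp?x=1"},
    {"alert": "SQL Injection - MySQL", "url": "http://wavsep.invalid/Case02.jsp?x=1"},
    {"alert": "SQL Injection", "url": "http://wavsep.invalid/Case01.jsp?x=1"},
]
SAMPLE_CASES = {
    "http://wavsep.invalid/Case01.jsp",
    "http://wavsep.invalid/Case02.jsp",
    "http://wavsep.invalid/Case04-InjectionInUpdate-Numeric-TimeDelayExploit-200Identical.jsp",
}


def select_rules(scanners, keyword="SQL Injection"):
    """Ids of scan rules whose name contains `keyword` (case-insensitive).

    Selecting by name means beta SQLi rules installed later are enabled too.
    """
    return [s["id"] for s in scanners if keyword.lower() in s["name"].lower()]


def summarise_alerts(alerts, expected_cases):
    """Per-rule alert counts plus the expected case URLs that raised no alert.

    Query strings are stripped so GET and POST cases compare by path only.
    """
    per_rule = Counter(a["alert"] for a in alerts)
    flagged = {a["url"].split("?", 1)[0] for a in alerts}
    missed = sorted(c for c in expected_cases if c not in flagged)
    return per_rule, missed


def configure_policy(zap, policy="sqli-high"):
    """Create a scan policy with only SQLi rules enabled, each at High strength."""
    zap.ascan.add_scan_policy(policy)
    zap.ascan.disable_all_scanners(scanpolicyname=policy)
    ids = select_rules(zap.ascan.scanners(scanpolicyname=policy))
    zap.ascan.enable_scanners(",".join(ids), scanpolicyname=policy)
    for rule_id in ids:
        zap.ascan.set_scanner_attack_strength(rule_id, "HIGH", scanpolicyname=policy)
    return policy


def main():
    from zapv2 import ZAPv2  # assumption: python ZAP API client installed

    zap = ZAPv2(proxies={"http": "http://localhost:8080", "https": "http://localhost:8080"})

    # Enterprise proxy as ZAP's outgoing proxy (Options / Connection in the UI).
    corp_proxy = os.environ.get("CORP_PROXY")  # e.g. "proxy.example.invalid:3128"
    if corp_proxy:
        host, port = corp_proxy.rsplit(":", 1)
        zap.core.set_option_proxy_chain_name(host)
        zap.core.set_option_proxy_chain_port(int(port))
        zap.core.set_option_use_proxy_chain(True)

    target = os.environ.get("WAVSEP_URL", "http://localhost:8090/wavsep/")  # placeholder

    # Spider first so the active scanner has the Wavsep test cases to attack.
    spider_id = zap.spider.scan(target)
    while int(zap.spider.status(spider_id)) < 100:
        time.sleep(2)

    scan_id = zap.ascan.scan(target, recurse=True, scanpolicyname=configure_policy(zap))
    while int(zap.ascan.status(scan_id)) < 100:
        time.sleep(10)

    # Optional: a file of expected case URLs, one per line, as argv[1].
    expected = set()
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            expected = {line.strip() for line in fh if line.strip()}

    per_rule, missed = summarise_alerts(zap.core.alerts(baseurl=target), expected)
    for name, count in per_rule.most_common():
        print(f"{count:4d}  {name}")
    for url in missed:
        print("no alert:", url)


if __name__ == "__main__":
    main()
```

Running this twice against the same Wavsep instance is also the quickest way to see the variance Laurent reports: the time-delay cases depend on measured response latency, so a loaded machine or a proxy in the path can push a delay under the rule's threshold on one run and over it on the next, which shows up as a different per-rule count and as a different set of "no alert" lines.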

Laurent Jubeau

Dec 17, 2015, 9:01:26 AM
to OWASP ZAP User Group
Options / Connection screen => searched for it and didn't see it!!! Too tired :)
It should definitely work, but I had already got ascanrulesBeta-beta-18.zap from another PC and put it in Users\ljubeau\OWASP ZAP\plugin, and that works!

Thanks, and keep up your great work Simon!!