How does the "Advanced SQL Injection - AND boolean-based blind - WHERE or HAVING clause" check work?


Ian

Mar 5, 2019, 7:30:40 PM
to OWASP ZAP User Group
Does it make sense for this check to trigger for 404 Not Found responses?

The SQLi:

_gid=GA1.5.158238594.1549927061) AND 9281=9281 AND (1334=1334

_gid is used by Google Analytics, not our web app, and the URL that this was attempted on 404s without any SQLi.

Where is the source file for this:  (90018 - Advanced SQL Injection) ?  I tried grepping in zaproxy and zap-extensions but couldn't find it.

kingthorin+owaspzap

Mar 5, 2019, 8:17:02 PM
to OWASP ZAP User Group
Well, since it is a blind check, yes, it should apply to any response, and likely depends on said differences.

Source code: https://github.com/zaproxy/zap-extensions/tree/beta/src/org/zaproxy/zap/extension/sqliplugin

Ian

Mar 5, 2019, 11:37:22 PM
to OWASP ZAP User Group
Is there a way to reveal the before/after that this plugin is comparing? AFAIK, the only response is the 404 from the server -- this happens with or without the SQLi and should be identical. I'm not in front of the alert ATM, but I don't think it spelled out a difference in the time it took to return the differing responses, so I'm assuming it was doing some type of page content match.

I can see where it specifies the payload when looking at the alert, and I can see the payload in the request tab, but nothing is highlighted in the response tab.

hauschu...@gmail.com

Mar 6, 2019, 2:16:57 AM
to OWASP ZAP User Group
Good question! 

I'm not aware of a way to double check what the plugin saw (but that's not my area anyway), so I would probably just right-click on the alerted request and resend it with and without the payload. Do a little exploratory manipulation (or even a small fuzzing library) on it, and look for any notable deviations in page response content, response time, etc. 

Ian

Mar 6, 2019, 2:06:28 PM
to OWASP ZAP User Group
Thanks for that suggestion!

I was able to get our server to return a slightly different result after hammering it with requests enough times.  There was something monitoring the execute time of something and would sometimes return a 1 instead of a 0 in the output.  This had nothing to do with the sqli attack itself.

This can't be a unique thing for us -- how would you guys normally handle situations where the page won't always return something static?  Is there a way to specify a regex on a page for the areas to ignore?  Or should I create a feature request at github asking for diff output when a diff is done by a plugin?

Ian

Mar 12, 2019, 4:28:38 PM
to OWASP ZAP User Group
Looks like removing the dynamic stuff from the page still hasn't made this FP go away... can someone check my methodology here?

I'm still getting these even when there are ZERO differences in output now. I wrote this script to verify what was found by ZAP:

#!/bin/bash
# --data-binary @file sends the file's contents as the body of a POST request.

# Baseline: the request without the SQL payload.
curl --silent --data-binary @NORMAL https://redacted.com -o temp.txt
SUM=$(shasum temp.txt | cut -d' ' -f1)

# Re-send the injected request once a second until its response hash
# differs from the baseline, then show what changed.
SUM2=$SUM
while [ "$SUM" = "$SUM2" ]; do
   sleep 1
   curl --silent --data-binary @SQLi https://redacted.com -o temp2.txt
   SUM2=$(shasum temp2.txt | cut -d' ' -f1)
   echo "."
done
diff temp.txt temp2.txt


SQLi contains a duplicate of what's in the Zap REQUEST tab.  NORMAL contains the same thing, but without the SQL part.  The script should return with a diff of the two outputs.  I assume this is what the SQL plugin is doing?

This script found situations in the past where we would return different results -- we used to have debug code returning time to execute, but this has been removed.  My script never ends now -- this means the output is always identical.

sqlmap on that same url using the same NORMAL request doesn't return any positives -- it also complains about getting a 404 and still wanting to continue...  

One last thing -- if I copy and paste from the Response tab in Zap to compare against what curl is returning, I am seeing odd differences. The Response tab has a tab instead of spaces for one line of output, and uses &bull; instead of a bullet (•) for another. Is it normal for the response tab to contain mangled information, or is curl doing this?
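
The comparison the thread describes (a blind check that sends an always-true and an always-false condition and looks for a difference in the response) and the dynamic-content problem raised a few posts up are shown together in the following added example. It is not ZAP's or sqlmap's code; it is a stand-alone Python sketch that strips self-changing regions the way sqlmap's dynamic-content removal does (diff two fetches of the same request, remember the static text around each region that changed, blank that region out in later responses) and then compares true and false payloads against the stabilised baseline. The two target classes are constructed mocks standing in for the HTTP client: one is injectable and carries a per-request timing comment, the other always 404s, ignores the parameter, and has a debug flag that flips by itself, which is the situation in the original report.

```python
"""Boolean-based blind SQLi check with dynamic-content stripping (constructed example)."""
import difflib
import re
from typing import Callable, Dict, List, Tuple

# A fetch function stands in for the HTTP client: it takes the parameter value and
# returns (status code, body). The mock targets below play the server so this runs offline.
Fetch = Callable[[str], Tuple[int, str]]

# Same shape as the payload from the alert: close the value's parentheses, add a condition
# that is always true, and re-open them. The "false" twin differs in one digit.
TRUE_SUFFIX = ") AND 9281=9281 AND (1334=1334"
FALSE_SUFFIX = ") AND 9281=9282 AND (1334=1334"


def find_dynamic_markers(first: str, second: str, context: int = 20) -> List[Tuple[str, str]]:
    """Diff two fetches of the *same* request; for each region that changed on its own,
    return up to `context` chars of static text on either side of it."""
    sm = difflib.SequenceMatcher(None, first, second, autojunk=False)
    blocks = [(0, 0, 0)] + [tuple(b) for b in sm.get_matching_blocks()]
    markers = []
    for (a1, b1, n1), (a2, b2, n2) in zip(blocks, blocks[1:]):
        if a1 + n1 == a2 and b1 + n1 == b2:
            continue  # the two matching blocks touch: nothing dynamic between them
        prefix = first[max(a1, a1 + n1 - context): a1 + n1]
        suffix = first[a2: min(a2 + n2, a2 + context)]
        if prefix or suffix:
            markers.append((prefix, suffix))
    return markers


def remove_dynamic(page: str, markers: List[Tuple[str, str]]) -> str:
    """Blank out whatever sits between each (prefix, suffix) pair."""
    for prefix, suffix in markers:
        pattern = (re.escape(prefix) if prefix else r"\A") + r".*?" + (re.escape(suffix) if suffix else r"\Z")
        page = re.sub(pattern, lambda _m: prefix + suffix, page, flags=re.DOTALL)
    return page


def similarity(a: str, b: str) -> float:
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


def boolean_blind_check(fetch: Fetch, value: str, threshold: float = 0.98) -> Dict[str, object]:
    """AND-boolean blind check that returns its intermediate comparisons, not just a verdict."""
    status0, body0 = fetch(value)
    status1, body1 = fetch(value)  # a second baseline fetch exposes content that changes by itself
    markers = find_dynamic_markers(body0, body1)
    base = remove_dynamic(body0, markers)
    stable = status0 == status1 and similarity(base, remove_dynamic(body1, markers)) >= threshold

    status_t, body_t = fetch(value + TRUE_SUFFIX)
    status_f, body_f = fetch(value + FALSE_SUFFIX)
    ratio_t = similarity(base, remove_dynamic(body_t, markers))
    ratio_f = similarity(base, remove_dynamic(body_f, markers))

    # Vulnerable only if the always-true payload leaves the page as it was and the
    # always-false payload changes it; an unstable page never yields a positive.
    true_unchanged = status_t == status0 and ratio_t >= threshold
    false_changed = status_f != status0 or ratio_f < threshold
    return {
        "vulnerable": stable and true_unchanged and false_changed,
        "stable": stable,
        "dynamic_markers": markers,
        "true_ratio": round(ratio_t, 3),
        "false_ratio": round(ratio_f, 3),
        "status_codes": (status0, status_t, status_f),
    }


class VulnerableApp:
    """Constructed target: the value lands in a WHERE clause, and a per-request timing
    comment changes on every response (the kind of noise discussed in the thread)."""
    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, value: str) -> Tuple[int, str]:
        self.calls += 1
        # Stand-in for the database evaluating the injected N=N conditions.
        condition = all(a == b for a, b in re.findall(r"(\d+)=(\d+)", value))
        rows = "<li>item 42</li>" if condition else ""
        return 200, f"<html>\n<ul>{rows}</ul>\n<!-- exec_ms: {self.calls * 7 % 13} -->\n</html>"


class NotFoundApp:
    """Constructed target matching the original report: the route always 404s and ignores
    the parameter, but a debug counter in the body flips between 0 and 1 on its own."""
    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, value: str) -> Tuple[int, str]:
        self.calls += 1
        return 404, f"<html>\n<h1>Not Found</h1>\n<!-- slow: {self.calls % 2} -->\n</html>"


if __name__ == "__main__":
    for name, app in (("vulnerable", VulnerableApp()), ("static 404", NotFoundApp())):
        print(name, boolean_blind_check(app, "1"))
```

The returned dictionary is the "before/after" asked for earlier in the thread: the markers show which region was treated as dynamic, and the two ratios show how far each payload moved the page from the baseline. The prefix/suffix approach only works when the static text around a dynamic region survives in the injected responses; if the payload also changes that surrounding text, the region is left in place and the ratio drops, which is the safe direction (no positive).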

Ian

Mar 18, 2019, 1:39:57 PM
to OWASP ZAP User Group
No thoughts?  I was hoping for some further suggestions that could give me further insight into what's going on.

1) Can the OWASP Zap Response tab ever contain output that is altered from the source?  (Highlighting aside)

If I want to breakpoint into the plugin, I assume I should follow these docs to get set up?

hauschu...@gmail.com

Mar 19, 2019, 3:39:21 AM
to OWASP ZAP User Group
As far as I know (aka, not very!), there is some slight formatting that goes on in the ZAP response body. That is, what you are seeing is accurate, but either in the rendering process or maybe during the act of copying one (not sure...guessing here) it appears there are some differences. My small experience with that is in doing some Hex evaluations, the displayed Hex response was accurate, but if I tried to copy/paste/export somehow that content it would end up being different so I had to use the raw hex response captured by fiddler for my diff tests instead. 

That being said, it's only ever appeared like formatting/display/rendering convention to me and I've never gotten the impression that it was affecting any alert/tests or in any way untrustworthy. 

If you could include a screenshot comparing your curl and zap response body that would probably help determine if that's something worth looking into or not (before or after copying). 

As for your other question, that looks correct for a starting point!



Ian

Mar 19, 2019, 12:58:26 PM
to OWASP ZAP User Group
Okay, I made some headway and managed to compile and run Zap through Eclipse; however, that has brought up three additional questions.

1) The number of plugins from zap-extensions doesn't match what comes with the weekly releases. There are far more plugins with the weekly release.  Are plugins not compiling because I may not have certain dependencies, or are some plugins only available through the marketplace?

2) Which plugins allow me to start Firefox with all the security disabled?

3) If the plugins are separately compiled and are available as zap files to zap, am I able to step debug these when starting Zap from Eclipse, or do I need to somehow run these plugins directly outside of Zap?

thc...@gmail.com

Mar 19, 2019, 3:43:38 PM
to zaprox...@googlegroups.com
Hi.

Answers inline, but consider using the develop group for dev questions.

On 19/03/2019 16:58, Ian wrote:
> Okay, I made some headway and managed to compile and run Zap through
> Eclipse, however that had brought up three additional questions
>
> 1) The number of plugins from zap-extensions doesn't match what comes with
> the weekly releases. There are far more plugins with the weekly release.
> Are plugins not compiling because I may not have certain dependencies, or
> are some plugins only available through the marketplace?

The zaproxy repo does not have any add-ons (it might pick some from the
dev home though); you need to build them (the add-ons are in the
zap-extensions repo, master, beta, and alpha branches) or install from
the marketplace.

> 2) Which plugins allow me to start Firefox with all the security disabled?

Selenium add-on, you might also need the Quick Start add-on (for the
Quick Start tab).

> 3) If the plugins are separately compiled and are available as zap files to
> zap, am I able to step debug these when starting Zap from Eclipse, or do I
> need to somehow run these plugins directly outside of Zap?

Yes, but you need to ensure that the source of the add-on
(zap-extensions usually) is added as a source to the run configuration.

Some of the active scanners have tests which make the debug easier (e.g.
you can run the JUnit test from Eclipse in debug mode).

Best regards.

thc...@gmail.com

Mar 19, 2019, 3:51:42 PM
to zaprox...@googlegroups.com

> Is it normal for the response tab to contain mangled information, or
> is curl doing this?

The &bull; is an HTML entity, which ZAP does not render; I guess whatever
is showing the results of curl is rendering it. The tab might also be
being normalised to spaces.

Best regards.

Ian

Mar 20, 2019, 1:29:03 PM
to OWASP ZAP User Group
Turns out I was incorrectly using curl.  While the commands I listed above work great for POST, @NORMAL and @SQLi aren't consumed the same when using GET requests.  This resulted in curl receiving a different 404 than what zap was, so it looks like the Response tab is clean after all.  Thanks for helping with this.

kingthorin+owaspzap

Mar 20, 2019, 2:45:17 PM
to OWASP ZAP User Group
Thanks for letting us know.