Setting Breakpoints in a vulnerable URL

[AWS_SEC]

Hello,

I've a URL vulnerable to SQL Injection. I want to explore the Breakpoint API on this URL. I want to see if ZAP breaks when this SQL Injection vulnerability is identified by ZAP.

How can I properly set a break point in ZAP? 

[kingthorin+owaspzap]

Active Scan traffic isn't subjected to break points.

[Ailton Caetano]

If you know which URL is vulnerable (by manual test or ZAP's alert report), you may just search for it in the Search Tab, select it and then click in the Request/Response Tabs, where it will be shown.

From there, you may click with the right mouse button and select "Resend", therefore opening a window where you may edit the request to whatever you like/need.

Regards,

Ailton Caetano

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/6af5580d-3124-4a6f-8b77-b43785d00a2f%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[AWS_SEC]

Can I use Breakpoints API in  when I spider scan or passive scanZAP? How do I debug in ZAP during active scan? 

[AWS_SEC]

Ailton Caetano,

Yes. I identified the vulnerable URL. But there is nothing on the search tab and the request and response tab looks like this.

On Wednesday, July 19, 2017 at 12:59:13 PM UTC-5, Ailton Caetano wrote:

If you know which URL is vulnerable (by manual test or ZAP's alert report), you may just search for it in the Search Tab, select it and then click in the Request/Response Tabs, where it will be shown.

From there, you may click with the right mouse button and select "Resend", therefore opening a window where you may edit the request to whatever you like/need.

Regards,

Ailton Caetano

2017-07-19 14:21 GMT-03:00 kingthorin+owaspzap <kingt...@gmail.com>:

Active Scan traffic isn't subjected to break points.

On Wednesday, July 19, 2017 at 1:05:55 PM UTC-4, AWS_SEC wrote:

Hello,

I've a URL vulnerable to SQL Injection. I want to explore the Breakpoint API on this URL. I want to see if ZAP breaks when this SQL Injection vulnerability is identified by ZAP.

How can I properly set a break point in ZAP? 

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP User Group" group.

To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.

[watchma...@gmail.com]

Hello AWS_SEC,

I use the Python API to debug during an active scan. I have a custom class that initializes the ZAPv2 object and use that to call the methods I need.

It looks something like this:

z = Zap()

z.zobj.method_to_call()

I hope this helps.

Cheers

[Ailton Caetano]

From the screenshot you gave i was not able to find the expression used in the search text box (the one on the left of that "All" dropdown button). Are you sure you haven't mistyped anything?

About the response tab, you will note that there is button called "Large Response". If you click it and select "Text", ZAP will show you the actual response instead of that pre-built text. ZAP hides it because it may take some time depending on how long the response actually is, so you will only have to wait for the rendering if you really want to look at it. 

It really helps when you "mis-click" something that wil take precious 30-60 seconds to show up...

Regards,

Ailton Caetano

To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/b0d969d0-c4c5-4a19-88f6-325fb78ee451%40googlegroups.com.