Help manually confirming a vulnerability


Joe Clifton

Apr 21, 2018, 10:48:05 PM
to OWASP ZAP User Group
ZAP found the following vulnerability: SQL Injection - Authentication Bypass

But I need to manually confirm the following, how do I go about it?

I have tried putting the parameter as the login name and the ZAP AND 1=1-- as the password in the form... this doesn't work. Do I even use the login form, or do I use the URL and craft a special URL to attack this successfully?


Simon Bennetts

Apr 23, 2018, 5:32:30 AM
to OWASP ZAP User Group
Does the alert give you any more details?

The parameter that is being attacked is 'site' - this might be a hidden field, in which case you'll either need to 'show hidden fields' or use the ZAP manual editor.

I would start with making a valid request with a browser proxying through ZAP.
Then find the request in the History tab (it should be at or near the bottom).
Right click and resend it, there should be a 'site' field - if so then replace the value with the attack given in the alert.
Then compare the 2 responses via the History tab (select them both, right click and 'Compare Responses') - are they radically different, and if so how?

Cheers,

Simon
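As an added example (not code from the thread or from ZAP itself), this Python script makes the last step concrete: it compares the baseline response with the resent one the way you would read ZAP's 'Compare Responses' view and lists what changed. The two responses are constructed samples, and the similarity threshold is an assumption.

```python
import difflib

# Constructed sample responses (assumptions, not captured from any real site):
# BASELINE answers the unmodified login request, RESENT answers the resent one.
BASELINE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><p>Invalid site or credentials.</p></body></html>"
)
RESENT = (
    "HTTP/1.1 302 Found\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSIONID=abc123; HttpOnly\r\n"
    "Location: /dashboard\r\n"
    "\r\n"
)


def parse_response(raw):
    """Split a raw HTTP response into (status code, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def compare_responses(baseline_raw, resent_raw):
    """Return a list of human-readable differences that matter for an
    authentication-bypass check: status, session cookie, redirect, body."""
    b_status, b_headers, b_body = parse_response(baseline_raw)
    r_status, r_headers, r_body = parse_response(resent_raw)
    findings = []
    if b_status != r_status:
        findings.append(f"status changed {b_status} -> {r_status}")
    if "set-cookie" in r_headers and "set-cookie" not in b_headers:
        findings.append("resent response sets a cookie the baseline did not")
    if "location" in r_headers and r_headers["location"] != b_headers.get("location"):
        findings.append(f"redirect target {r_headers['location']!r}")
    # Assumed threshold: bodies less than 50% similar count as 'radically different'.
    ratio = difflib.SequenceMatcher(None, b_body, r_body).ratio()
    if ratio < 0.5:
        findings.append(f"body similarity only {ratio:.2f}")
    return findings


if __name__ == "__main__":
    for finding in compare_responses(BASELINE, RESENT):
        print("-", finding)
```

An empty list means the two responses are effectively the same, which is what you want to see when the alert is a false positive.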

kingthorin+owaspzap

Apr 23, 2018, 9:29:12 AM
to OWASP ZAP User Group

Joe Clifton

Apr 24, 2018, 8:15:51 AM
to OWASP ZAP User Group
It doesn't give any more details than I gave. I copied it exactly, except changing the IP address. I will look for the hidden field like you said and report back, thanks for the help.

Thanks so much for responding.
--joe