ashenchowthee / zaproxy

Automatically exported from code.google.com/p/zaproxy

Blind SQL numeric injection false positive results #1652

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago

It appears that ZAP scans for blind SQL inj in numeric fields using this method:

1. Do a baseline request for the URL: ...?param=2
2. Inject a SQL query: ...?param=2 AND 1=1

If the two responses are identical then it concludes that SQL inj is possible. But sometimes a validator will strip out non-numeric content, leading to a false positive.
This can be improved by making an additional request:

3. ...?param=2 AND 1=2
If this returns the same response as 1 and 2, then it's likely a false positive.

Original issue reported on code.google.com by stephe...@gmail.com on 28 May 2015 at 5:44
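The three-request decision logic the report proposes, as an added illustration that is not ZAP's own code: the two-request heuristic and its refinement are written as pure functions over response bodies, and `strict_numeric_handler` is a constructed stand-in for a backend that parses only the leading integer of the parameter (the way a PHP intval or C atoi would), which is exactly the validator behaviour that produces the false positive.

```python
import re

NO_INDICATION = "no indication"
LIKELY_FALSE_POSITIVE = "likely false positive (parameter appears sanitised)"
LIKELY_INJECTABLE = "likely blind SQL injection"


def two_request_verdict(baseline: str, true_cond: str) -> bool:
    """Heuristic as described in the report: flag when the baseline and the
    'AND 1=1' response are byte-identical."""
    return baseline == true_cond


def three_request_verdict(baseline: str, true_cond: str, false_cond: str) -> str:
    """Proposed refinement: additionally require the 'AND 1=2' response to
    differ, otherwise the injected text is evidently not reaching the query."""
    if baseline != true_cond:
        return NO_INDICATION
    if false_cond == baseline:
        return LIKELY_FALSE_POSITIVE
    return LIKELY_INJECTABLE


def strict_numeric_handler(param: str) -> str:
    """Constructed stand-in for a server-side validator: only the leading
    integer of the parameter is used, so trailing injected text is dropped."""
    match = re.match(r"\d+", param.strip())
    item_id = match.group(0) if match else "0"
    return f"<html><body>item {item_id}</body></html>"


def probe(handler, value: str):
    """Issue the three requests from the report against a handler and return
    (two-request flag, three-request verdict)."""
    baseline = handler(value)
    true_cond = handler(f"{value} AND 1=1")
    false_cond = handler(f"{value} AND 1=2")
    return (two_request_verdict(baseline, true_cond),
            three_request_verdict(baseline, true_cond, false_cond))


if __name__ == "__main__":
    # The sanitising backend returns the same page for all three requests:
    # the old heuristic flags it, the refined one calls it a false positive.
    print(probe(strict_numeric_handler, "2"))
```

Running it shows `(True, 'likely false positive (parameter appears sanitised)')` for the sanitising backend; a backend whose page only changes for the false condition would yield the "likely blind SQL injection" verdict.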

GoogleCodeExporter commented 9 years ago

Original comment by psii...@gmail.com on 29 May 2015 at 3:16

GoogleCodeExporter commented 9 years ago
ZAP has been migrated to github

This issue will be on github issues with the same ID: 
https://github.com/zaproxy/zaproxy/issues

Original comment by psii...@gmail.com on 5 Jun 2015 at 9:18