Closed GoogleCodeExporter closed 9 years ago
Thanks for reporting this.
It looks like while the new SQLi rules are more effective finding more subtle
SQLi vulns they do miss some simple cases.
We'll look into this as a matter of urgency.
Original comment by psii...@gmail.com
on 9 Mar 2013 at 11:21
Just released new release quality active scan rules - can you check to make
sore this issue is now reported for you?
Original comment by psii...@gmail.com
on 18 Mar 2013 at 9:44
SQL injection was actually detected on http://demo.testfire.net/bank/login.aspx
However,I launched an active scan on the Bodgeit store and ZAP does not detect
the error message in response to SQL injection attempts. See attached screen
shots.
Original comment by stephane...@gmail.com
on 20 Mar 2013 at 6:38
Attachments:
Hi Stephane,
It looks like you've just explored bodgeit using the spider.
This typically wont expose the SQL injection flaws in the login or registration
pages :)
The registration page returns a 'user error' if the user doesnt supply a
'valid' email address or 2 passwords that are the same and conform to some
simple rules.
This is deliberate - its intended to show that its more effective to explore an
application manually and then use the spider and active scanner. If you
register and login with a valid user then I'd expect ZAP to find the SQL
injection issues.
Note that the issue on the login page is actually a blind SQLi issue, so you
might need some of the beta scan rules to detect that as they use some timing
attacks.
Cheers,
Simon
Original comment by psii...@gmail.com
on 22 Mar 2013 at 9:33
I'm using ZAP Weekly D-2014-01-06 and it's not finding an error based HQL
injection vulnerability. Screenshot of the app when injecting single quote
into the search field.
ZAP doesn't seem to match on the "Internal Server Error" content in the page,
even if it's not specifically an SQL error.
Another way to find these types of injections is to inject a single quote and
fingerprint the response content, then inject two single quotes and fingerprint
the response content. If the two responses differ then there's likely an
injection point. E.g.:
http://localhost:9110/ropeytasks/task/search?q=%27&search=Search produces the
error page, but:
http://localhost:9110/ropeytasks/task/search?q=%27%27&search=Search just
produces an empty search result. Therefore, we're likely injecting into an SQL
context.
Original comment by stephe...@gmail.com
on 14 Feb 2014 at 9:47
Attachments:
Original comment by kingtho...@gmail.com
on 13 Jul 2014 at 8:23
stephendv, is this the app you were testing against?
https://github.com/continuumsecurity/RopeyTasks/
Original comment by kingtho...@gmail.com
on 13 Jul 2014 at 8:25
Yes, that's the one.
Original comment by stephe...@gmail.com
on 14 Jul 2014 at 5:36
Would you be willing to give it a shot with an up-to-date copy of ZAP. Since
2.0.0 there has definitely been changes and progress made with regard to SQLi
findings.
Original comment by kingtho...@gmail.com
on 14 Jul 2014 at 11:58
I've verified that the latest committed version of the generic SQL injection
plugin detects both of these issues. I set the attack threshold to Low, in
order to enable the "generic RDBMS" error detection logic, which is disabled at
"Medium" threshold, due to the potential for false positives.
Original comment by colm.p.o...@gmail.com
on 5 Sep 2014 at 9:43
Fixed in 2.4.0
Original comment by psii...@gmail.com
on 14 Apr 2015 at 11:03
Original issue reported on code.google.com by
stephane...@gmail.com
on 8 Mar 2013 at 4:05Attachments: