Closed bill-chan-cyber closed 4 years ago
Have you tried using the Advanced SQL Injection Scanner? https://www.zaproxy.org/docs/desktop/addons/advanced-sqlinjection-scanner/ You'll need to install this from the marketplace as it's not included by default.
Hi Simon,
Something is wrong with Version 2.9. It is still not working. It couldn't find the SQL Injection vulnerabilities under the URL paths http://127.0.0.1/xvwa/sqli and http://127.0.0.1/xvwa/sqli_blind.
Screen attached. Thank you.
M.
> Have you tried using the Advanced SQL Injection Scanner?
> Something wrong with Version 2.9. It is still not working.

Did it previously (2.8.0)?
With just the default install of ZAP:
Hi All, OK. Could you please deploy the XVWA package into XAMPP Server 7.4.2 (Linux version) and test it out? I have Kali Linux OS here. I have added Advance SQL Injection.zap into the default ZAP 2.9 version and tested it out. It will show the XVWA setup SQL Injection alert only. If I use the default ZAP 2.9 to test it, it shows zero alerts. Thanks. M.
Did you initialize XVWA by doing the in-app setup step?
The screenshot I added above was based on using ZAP on Kali 2020.1 (ZAP 2.9.0) with this dockerized XVWA: https://github.com/tuxotron/xvwa_lamp_container
Hi, I deployed XVWA straight into the htdocs directory and set up the MySQL table using phpMyAdmin. Thanks. M.
Did you use the form you're trying to test?
Hi, May I know what form? Thanks. M.
The one on the SQLi test pages.
Hi, Sorry. Could you please show me the screenshot? Thank you. M.
Hi, Is this what you are after? Thanks. M.
Was there supposed to be an attachment or screenshot?
Here's an animated GIF of this working. I'll be closing the ticket. If you have further questions please visit the ZAP User Group for community assistance.
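The workflow kingthorin describes above (initialize XVWA, then actually submit the form on the SQLi test page so ZAP records a request that carries parameters, then active-scan that URL) can be scripted against ZAP's JSON API. The block below is an added example written for this thread; it is not code from ZAP, XVWA or any participant. It uses only the Python standard library. Everything it assumes is not taken from the thread: ZAP listening on 127.0.0.1:8080 with API key `changeme`, the XVWA search form on /xvwa/sqli/ posting fields named `item` and `search`, and the default scan policy. The ZAP endpoints (`ascan/action/scan`, `ascan/view/status`, `core/view/alerts`) are real; the network calls live only in `main()`, so the helpers can be exercised offline.

```python
"""Exercise the XVWA SQLi form through ZAP, then active-scan it and list SQLi alerts.

Added example for zaproxy issue #5879; not ZAP's or XVWA's own code.
Assumed (not stated in the thread): ZAP on 127.0.0.1:8080 with API key
"changeme", XVWA form fields "item" and "search", ZAP's default scan policy.
"""
import json
import sys
import time
import urllib.parse
import urllib.request

ZAP_API = "http://127.0.0.1:8080"            # assumed ZAP address (API and proxy share it)
ZAP_PROXY = {"http": "http://127.0.0.1:8080"}
API_KEY = "changeme"                         # placeholder; copy yours from Options > API
XVWA_SQLI = "http://127.0.0.1/xvwa/sqli/"    # URL from the issue
XVWA_FIELDS = {"item": "apple", "search": ""}  # assumed XVWA form field names


def zap_api(component, kind, name, **params):
    """Call a ZAP JSON API endpoint, e.g. zap_api("ascan", "view", "status", scanId="0")."""
    params["apikey"] = API_KEY
    url = f"{ZAP_API}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(params)
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def form_post_data(fields):
    """Encode form fields as ZAP's ascan 'postData' parameter expects them."""
    return urllib.parse.urlencode(fields)


def exercise_form(url, fields, proxies=ZAP_PROXY):
    """Submit the form once through the ZAP proxy.

    The active scanner only injects into parameters present in requests it has
    seen, so a site tree holding only a bare GET of the page yields no SQLi alerts.
    """
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    req = urllib.request.Request(url, data=form_post_data(fields).encode(), method="POST")
    with opener.open(req, timeout=30) as resp:
        return resp.status


def scan_finished(status_response):
    """True once ZAP's ascan/view/status reports 100 (percent complete)."""
    return int(status_response["status"]) >= 100


def sql_injection_alerts(alerts):
    """Reduce a core/view/alerts list to the SQL injection findings (name, url, param)."""
    found = []
    for a in alerts:
        name = a.get("name") or a.get("alert", "")
        if name.startswith("SQL Injection"):
            found.append((name, a["url"], a.get("param", "")))
    return sorted(found)


def main():
    exercise_form(XVWA_SQLI, XVWA_FIELDS)
    scan_id = zap_api("ascan", "action", "scan", url=XVWA_SQLI, recurse="true",
                      method="POST", postData=form_post_data(XVWA_FIELDS))["scan"]
    while not scan_finished(zap_api("ascan", "view", "status", scanId=scan_id)):
        time.sleep(5)
    alerts = zap_api("core", "view", "alerts", baseurl=XVWA_SQLI)["alerts"]
    found = sql_injection_alerts(alerts)
    for name, url, param in found:
        print(f"{name}: {url} param={param}")
    return 0 if found else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it with ZAP and XVWA up; a non-zero exit means no SQL injection alert was raised for that URL, which is the symptom in this issue. If the form field names differ in your XVWA build, change `XVWA_FIELDS` to match what the browser actually posts (check the request in ZAP's History tab after submitting the form manually).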
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
**Describe the bug**
Using ZAP 2.9.0 to attack http://127.0.0.1/xvwa but SQL Injection is not found, even with the policy set to Insane.

**To Reproduce**
Steps to reproduce the behavior:

**Expected behavior**
Expect a SQL Injection alert to be found.

**Screenshots**
screenshot attached

**Software versions**
```
root:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Kali
Description:    Kali GNU/Linux Rolling
Release:        kali-rolling
Codename:       kali-rolling
root:~$ cat /etc/os-release
PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
ID=kali
VERSION="2018.4"
VERSION_ID="2018.4"
ID_LIKE=debian
ANSI_COLOR="1;31"
HOME_URL="https://www.kali.org/"
SUPPORT_URL="https://forums.kali.org/"
BUG_REPORT_URL="https://bugs.kali.org/"
root:~$ java -version
openjdk version "10.0.2" 2018-07-17
OpenJDK Runtime Environment (build 10.0.2+13-Debian-1)
OpenJDK 64-Bit Server VM (build 10.0.2+13-Debian-1, mixed mode)
root:~$ firefox -version
Mozilla Firefox 60.2.0
```
zap.log