zaproxy/zaproxy

ZAP does not detect SQL Injection in demo.testfire.net login page

Open

#6883 aperta il 20 ott 2021

Vedi su GitHub
 (8 commenti) (0 reazioni) (1 assegnatario)Java (2174 fork)batch import
FalseNegativeHacktoberFestIdealFirstBugadd-ongood first issue

Metriche repository

Star
 (11.922 star)
Metriche merge PR
 (Merge medio 2g 14h) (12 PR mergiate in 30 g)

Descrizione

Using ZAP to scan the demo.testfire.net web site, it doesn't detect some basic SQL injections on the page http://demo.testfire.net/login.jsp

**To Reproduce the SQL injection Steps to reproduce the behavior:

  1. Go to http://demo.testfire.net/login.jsp
  2. Enter jsmith'-- as username and anything as password
  3. You can login
  4. Note, actual password is demo1234

Expected behavior Normally this SQL injection should be detected by ZAP

Software versions

  • ZAP: 2.10.0
  • Add-on: Advanced SQL Injection Scanner, Active scanner rules
  • OS: Windows 10
  • Java: 1.8.0_231
  • Browser: firefox 93

Would you like to help fix this issue? Yes I'd like to try and help fix this issue.

Guida contributor