zaproxy/zaproxy
Vedi su GitHubZAP does not detect SQL Injection in demo.testfire.net login page
Open
#6883 aperta il 20 ott 2021
FalseNegativeHacktoberFestIdealFirstBugadd-ongood first issue
Metriche repository
- Star
- (11.922 star)
- Metriche merge PR
- (Merge medio 2g 14h) (12 PR mergiate in 30 g)
Descrizione
Using ZAP to scan the demo.testfire.net web site, it doesn't detect some basic SQL injections on the page http://demo.testfire.net/login.jsp
**To Reproduce the SQL injection Steps to reproduce the behavior:
- Go to http://demo.testfire.net/login.jsp
- Enter
jsmith'--as username and anything as password - You can login
- Note, actual password is
demo1234
Expected behavior Normally this SQL injection should be detected by ZAP
Software versions
- ZAP: 2.10.0
- Add-on: Advanced SQL Injection Scanner, Active scanner rules
- OS: Windows 10
- Java: 1.8.0_231
- Browser: firefox 93
Would you like to help fix this issue? Yes I'd like to try and help fix this issue.