zaproxy/zaproxy

ZAP does not detect SQL Injection in demo.testfire.net login page

Open

#6,883 创建于 2021年10月20日

在 GitHub 查看
 (8 评论) (0 反应) (1 负责人)Java (11,922 star) (2,174 fork)batch import
FalseNegativeHacktoberFestIdealFirstBugadd-ongood first issue

描述

Using ZAP to scan the demo.testfire.net web site, it doesn't detect some basic SQL injections on the page http://demo.testfire.net/login.jsp

**To Reproduce the SQL injection Steps to reproduce the behavior:

  1. Go to http://demo.testfire.net/login.jsp
  2. Enter jsmith'-- as username and anything as password
  3. You can login
  4. Note, actual password is demo1234

Expected behavior Normally this SQL injection should be detected by ZAP

Software versions

  • ZAP: 2.10.0
  • Add-on: Advanced SQL Injection Scanner, Active scanner rules
  • OS: Windows 10
  • Java: 1.8.0_231
  • Browser: firefox 93

Would you like to help fix this issue? Yes I'd like to try and help fix this issue.

贡献者指南

技术栈
java
领域
security
议题类型
bug
难度面向新贡献者的预计实现难度,1 表示很小改动,5 表示专家级工作。
3
预计时间有经验贡献者完成调查、实现、测试并准备 pull request 的粗略时间范围。
1-3 hours
活动状态议题当前的可参与程度:新鲜、活跃、陈旧、阻塞或等待维护者输入。
active
清晰度议题是否清楚说明期望改动、验收标准和下一步。
clear
前置要求
Java knowledgeunderstanding of SQL injectionfamiliarity with ZAP scanner add ons
新手友好度1-100 的估计分数,表示该议题对首次贡献者的友好程度。
45
研究方向
Investigate the Advanced SQL Injection Scanner add on in the ZAP repository (likely in a separate repo or under the main repository's addons directory). Examine how existing SQL injection patterns are defined and detected. The specific case here is a string ending with ' that comments out the rest of the SQL query. Look for how ZAP handles injection in login forms and consider adding a new test case for this pattern. There is one assignee and 8 comments; review the discussion for any additional hints or constraints. The issue is open and reproducible, so focus on implementing a fix in the relevant scanner rule file.
ZAP does not detect SQL Injection in demo.testfire.net login page · zaproxy/zaproxy#6883 | Good First Issue