zaproxy/zaproxy

ZAP does not detect SQL Injection in demo.testfire.net login page

Open

#6,883 创建于 2021年10月20日

在 GitHub 查看
 (8 评论) (0 反应) (1 负责人)Java (2,174 fork)batch import
FalseNegativeHacktoberFestIdealFirstBugadd-ongood first issue

仓库指标

Star
 (11,922 star)
PR 合并指标
 (平均合并 2天 14小时) (30 天内合并 12 个 PR)

描述

Using ZAP to scan the demo.testfire.net web site, it doesn't detect some basic SQL injections on the page http://demo.testfire.net/login.jsp

**To Reproduce the SQL injection Steps to reproduce the behavior:

  1. Go to http://demo.testfire.net/login.jsp
  2. Enter jsmith'-- as username and anything as password
  3. You can login
  4. Note, actual password is demo1234

Expected behavior Normally this SQL injection should be detected by ZAP

Software versions

  • ZAP: 2.10.0
  • Add-on: Advanced SQL Injection Scanner, Active scanner rules
  • OS: Windows 10
  • Java: 1.8.0_231
  • Browser: firefox 93

Would you like to help fix this issue? Yes I'd like to try and help fix this issue.

贡献者指南