Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ZAP does not detect SQL Injection in demo.testfire.net login page #3

Open
NanoNish opened this issue Oct 22, 2022 · 1 comment
Open

ZAP does not detect SQL Injection in demo.testfire.net login page #3

NanoNish opened this issue Oct 22, 2022 · 1 comment
Labels
add-on FalseNegative good first issue Good for newcomers Hacktoberfest IdealFirstBug

Comments

@NanoNish
Copy link
Member

Using ZAP to scan the demo.testfire.net web site, it doesn't detect some basic SQL injections on the page http://demo.testfire.net/login.jsp

**To Reproduce the SQL injection
Steps to reproduce the behavior:

Go to http://demo.testfire.net/login.jsp
Enter jsmith'-- as username and anything as password
You can login
Note, actual password is demo1234
Expected behavior
Normally this SQL injection should be detected by ZAP

Software versions

ZAP: 2.10.0
Add-on: Advanced SQL Injection Scanner, Active scanner rules
OS: Windows 10
Java: 1.8.0_231
Browser: firefox 93
@NanoNish
Copy link
Member Author

Please refer to the original discussion over here

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
add-on FalseNegative good first issue Good for newcomers Hacktoberfest IdealFirstBug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@NanoNish