
I have a spring MVC web application and am running ZAP Active scan on it.

I noticed that ZAP will modify the URL and add an additional parameter named query with the value query+AND+1%3D1+--+ to test SQL Injection. And in my case, it raises a HIGH MEDIUM SQL Injection alert.

The application is not even reading the parameter query, and hence I am sure the response is always the same, with or without this parameter. So my question is:

What is the logic behind testing SQL Injection by adding a parameter which is not read by the application and raising it as a SQL Injection alert? I could understand it when the value of a parameter that is read by the application is changed, but not this. This has raised false positive SQL Injection alerts in the web applications that I work on.

This is related to a question that I have asked on Stack Overflow but haven't found a solution for yet: https://stackoverflow.com/questions/51874818/false-positive-sql-injection-by-zap-in-spring-mvc

I hope to hear something in the security forum.

Hima
  • Maybe it is a feature of some horrific framework? – user1133275 Aug 17 '18 at 10:51
  • I have to use ZAP as per company policy and it has given us some good alerts on cross-site scripting, but SQL Injection is always a false positive :( – Hima Aug 17 '18 at 10:55
  • Due to differences in database structure and web application layout, it is not a perfect automated process. – mootmoot Aug 17 '18 at 11:38

2 Answers


ZAP is flagging a possible SQL injection attack; it doesn't have any way to know that this isn't a legit query, so it flags it for you to manually examine and check. That's pretty much the point of running it.

I had something similar happen on one of my own Spring projects: it flagged a possible injection weakness on a path that wasn't in use, and accessing that path just returned HTTP 404. That project was meant to teach myself some basic vulnerability scanning, so I just documented it as such.

Philip Rowlands
  • I understand it completely; it is just a possible SQL Injection, but my question is what is the logic of adding a new param to verify SQL injection? – Hima Aug 17 '18 at 11:33

ZAP quite possibly raises an alert simply because the response code is 200. It cannot know for sure if the query is read by the backend or not, therefore it gives it the confidence of medium. The answer to the post you quoted tells you how to filter out this alert.

postoronnim
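The check a practitioner would want before filtering the alert out, covering both the situation in the question (ZAP adds a query parameter the controller never reads) and postoronnim's point that ZAP only sees a 200 response and cannot tell whether the parameter was read: replay the flagged request with and without the injected parameter and compare the responses. If status and body are identical, the parameter was ignored and the alert is a candidate for an alert filter; if they differ, the parameter does reach the application and the alert deserves manual review. This is an added example, not ZAP's code and not the asker's project. It assumes ZAP's alerts have been exported as dicts with url and param keys, and it replays requests against a constructed stand-in for a Spring MVC controller rather than over the network.

```python
"""Triage ZAP SQL-injection alerts raised on parameters the application never reads.

Added example (not ZAP's code and not the question's project). It assumes ZAP's
alerts have been exported to dicts with the keys 'url' and 'param', and that the
application can be replayed offline through a callable taking (path, params) and
returning (status, body). The stand-in application and the alerts below are
constructed for the example.
"""
import difflib
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


def spring_like_app(path, params):
    """Constructed stand-in for a Spring MVC controller.

    It only reads the 'id' parameter and ignores every other query parameter,
    which is the situation described in the question.
    """
    if path == "/items":
        item_id = params.get("id", ["1"])[0]
        return 200, f"<html><body>item {item_id}</body></html>"
    return 404, "<html><body>not found</body></html>"


def replay(send, url):
    """Replay a URL through the application callable and return (status, body)."""
    parts = urlsplit(url)
    return send(parts.path, parse_qs(parts.query, keep_blank_values=True))


def strip_param(url, name):
    """Return the same URL with the given query parameter removed."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    params.pop(name, None)
    return urlunsplit(parts._replace(query=urlencode(params, doseq=True)))


def triage_alert(alert, send):
    """Compare the response with and without the injected parameter.

    If status and body are identical, the application ignored the parameter, so
    the alert cannot be evidence of injection and is flagged for filtering.
    Otherwise the parameter reaches the application and needs manual review.
    """
    injected_url = alert["url"]
    baseline_url = strip_param(injected_url, alert["param"])
    base_status, base_body = replay(send, baseline_url)
    inj_status, inj_body = replay(send, injected_url)
    similarity = difflib.SequenceMatcher(None, base_body, inj_body).ratio()
    ignored = base_status == inj_status and similarity == 1.0
    return {
        "param": alert["param"],
        "same_status": base_status == inj_status,
        "body_similarity": round(similarity, 3),
        "parameter_ignored": ignored,
        "verdict": ("likely false positive: parameter not read by the application"
                    if ignored else
                    "parameter reaches the application: review manually"),
    }


# Constructed alerts in the shape of a ZAP export; the first mirrors the
# question (ZAP added a 'query' parameter the application never reads), the
# second injects into a parameter the controller does read.
SAMPLE_ALERTS = [
    {"alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "/items?id=1&query=query+AND+1%3D1+--+", "param": "query"},
    {"alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "/items?id=1+AND+1%3D1+--+", "param": "id"},
]


def triage_all(alerts=SAMPLE_ALERTS, send=spring_like_app):
    """Triage every alert and return one result dict per alert."""
    return [triage_alert(a, send) for a in alerts]


if __name__ == "__main__":
    for result in triage_all():
        print(result)
```

Run as a script it prints one result per alert: the query-parameter alert comes back with parameter_ignored set to True (identical 200 responses), while the id-parameter alert does not, because the echoed value changes the body. Against a real deployment, spring_like_app would be replaced by a function that issues the two requests and returns the status and body; a difference in the body is not proof of injection, only a reason the alert cannot be dismissed on this evidence.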