
OWASP | ZAP | SQL Injection | Scan Report

When SQL injection is executed through FUZZ along with the inbuilt payload, the scan result shows multiple columns along with Code, Reason, State, and Payloads.

How do I analyse these columns (Code, Reason, State, and Payloads) for the posted request?

Any fuzzing activity requires manual review and confirmation by the user. Without much, much more detail as to the app, functionality, and output, we can't tell you how to go about analyzing fuzzer results.

Essentially you'd have to review the fuzz results in contrast to the original (known good) request/response.

Here are some resources that might help you:

If you aren't sure how HTTP communication, various attack techniques, etc. work, then it might be best (from multiple perspectives: time, budget/cost, effectiveness, sanity, etc.) to engage your security team or contract the assessment work out to a third party.
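The comparison against the known-good response that the answer describes can be partly automated as a first-pass triage. The sketch below is an added example, not part of the original question or answer and not ZAP's own code. The field names, the "Reflected" state value, the 5% size tolerance and all sample rows are assumptions constructed for illustration.

```python
# Added example: triage fuzzer result rows against a known-good baseline.
# Field names (code, reason, state, payload, body_size) are assumptions
# modelled on the columns named in the question, not a ZAP export schema.

# Constructed baseline: the original, unmodified request's response.
BASELINE = {"code": 200, "reason": "OK", "body_size": 5120}

# Constructed sample rows; payload values are placeholders.
FUZZ_ROWS = [
    {"payload": "PAYLOAD_1", "code": 200, "reason": "OK",
     "state": "", "body_size": 5118},
    {"payload": "PAYLOAD_2", "code": 500, "reason": "Internal Server Error",
     "state": "", "body_size": 812},
    {"payload": "PAYLOAD_3", "code": 200, "reason": "OK",
     "state": "Reflected", "body_size": 5131},
    {"payload": "PAYLOAD_4", "code": 200, "reason": "OK",
     "state": "", "body_size": 9890},
]


def triage(row, baseline, size_tolerance=0.05):
    """Return the ways this row's response differs from the baseline."""
    findings = []
    if row["code"] != baseline["code"]:
        findings.append(
            f"status {row['code']} {row['reason']} differs from "
            f"baseline {baseline['code']}")
    delta = abs(row["body_size"] - baseline["body_size"])
    if delta > baseline["body_size"] * size_tolerance:
        findings.append(f"body size changed by {delta} bytes")
    if row["state"].strip().lower() == "reflected":
        findings.append("payload echoed in response")
    return findings


def review_queue(rows, baseline):
    """Map payload -> findings for rows that need manual review."""
    queue = {}
    for row in rows:
        findings = triage(row, baseline)
        if findings:
            queue[row["payload"]] = findings
    return queue


if __name__ == "__main__":
    for payload, findings in review_queue(FUZZ_ROWS, BASELINE).items():
        print(payload, "->", "; ".join(findings))
```

A row that lands in the queue is only a candidate: each one still has to be confirmed by reading its response next to the baseline response.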
