0
votes

I am performing a security scan using OWASP ZAP, which detects an SQL injection vulnerability. When I run it from my Firefox browser monitored with OWASP ZAP from the HUD and select the "Replay in Browser" option, it redirects me to a page like this

https://myweb.app/login.php?zapHudReplaceReq=4eca1e78-2bcf-4621-a471

where I can see the session cookie. The problem is that when I try to run it in my browser without OWASP's HUD to recreate the attack, the injection doesn't work; it doesn't show me any SQL error or anything. I hope someone can help me, please. The request method is POST through the parameter

pass=myvalidpassword%27+AND+%271%27%3D%271%27+--+

So I try to do the SQL injection but it doesn't work, and I don't know why. Does anybody have an idea? Does somebody know how zapHudReplaceReq works? If you need more information, comment on the post.

2

2 Answers

2
votes

The ZAP HUD does all sorts of nasty things in order to implement its features I'm afraid :) The zapHudReplaceReq is an internal mechanism that relates to how ZAP works and is unrelated to either your application or the potential SQL injection vulnerability.

You are right to try to reproduce the vulnerability manually and without the HUD, but focus on the details that are in the alert rather than any interactions with the HUD. Make sure you read all of the information in the alert, it should explain why this specific attack appeared to cause problems.

0
votes

Thanks for the answer.

I have already encountered the problem and it was that when I sent the "wicked request" to the server via the input box, the frontend was modifying the parameters.

So the problem was that special characters were removed from my request; I solved the problem by intercepting traffic and injecting the "evil request" from the raw request.

I also had to modify the request by encoding it with a URL encoder that I found on this site

https://www.urlencoder.org/

So I got something like this

pass=mypass%27+Y+%271%27%3D%271%27+--+

And so I was able to reproduce the attack and do the injection.
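The two answers above make one combined point: the frontend stripped the quote and dash characters before the form was submitted, while the raw (intercepted, URL-encoded) request reached the server unchanged, and the server-side query was what actually turned `' AND '1'='1' -- ` into a boolean condition. The following Python script is an added example and is not code from the thread or from ZAP. It assumes a hypothetical client-side filter (`frontend_sanitize`), a constructed in-memory SQLite `users` table, and that the trailing characters of the posted parameter are the `--` SQL comment terminator that ZAP's boolean-based check uses. It decodes the posted parameter the way a server does, then sends a true-condition and a constructed false-condition probe through a concatenated query and through a parameterized one, so you can see the response pattern that distinguishes the vulnerable login from the fixed one.

```python
import sqlite3
from urllib.parse import unquote_plus

# Constructed samples. ENCODED_TRUE is the form-urlencoded value from the thread;
# ENCODED_FALSE is the matching false-condition probe a boolean-based check sends.
ENCODED_TRUE = "myvalidpassword%27+AND+%271%27%3D%271%27+--+"
ENCODED_FALSE = "myvalidpassword%27+AND+%271%27%3D%272%27+--+"


def decode_param(encoded: str) -> str:
    """Decode a form-urlencoded value as the server does: '+' -> space, %XX -> char."""
    return unquote_plus(encoded)


def frontend_sanitize(value: str) -> str:
    """Hypothetical model of the client-side filter the answer describes.

    It strips the characters the injection needs, but it only runs in the
    browser, so a raw request sent from an intercepting proxy bypasses it.
    """
    return "".join(ch for ch in value if ch not in "'\"-=")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with a single user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, pass TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'myvalidpassword')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Vulnerable form: the decoded value is spliced into the SQL text, so the
    quote ends the literal and '-- ' comments out the rest of the statement."""
    sql = f"SELECT COUNT(*) FROM users WHERE name = '{user}' AND pass = '{password}'"
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Hardened form: the value is bound as data and can never alter the query."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND pass = ?"
    return conn.execute(sql, (user, password)).fetchone()[0] > 0


def probe(conn: sqlite3.Connection, login) -> tuple:
    """Boolean-based check: send the true and false conditions through `login`
    and return (true_result, false_result). A (True, False) pair means the
    condition was evaluated by the database, i.e. the input reached the SQL."""
    return (
        login(conn, "alice", decode_param(ENCODED_TRUE)),
        login(conn, "alice", decode_param(ENCODED_FALSE)),
    )


if __name__ == "__main__":
    db = make_db()
    print("decoded:", repr(decode_param(ENCODED_TRUE)))
    print("concatenated query  :", probe(db, login_vulnerable))      # (True, False)
    print("parameterized query :", probe(db, login_parameterized))   # (False, False)
    # What the form submission looked like after the frontend filter ran:
    filtered = frontend_sanitize(decode_param(ENCODED_TRUE))
    print("after frontend filter:", repr(filtered),
          "->", login_vulnerable(db, "alice", filtered))               # False
```

The `(True, False)` pair from the concatenated query is the signal ZAP's alert is built on; the parameterized version returns `(False, False)` because the whole string is compared as a password. The last lines reproduce the questioner's symptom: once the browser-side filter has removed the quotes and dashes, even the vulnerable query returns `False`, which is why the attack "did not work" from the input box but did from the raw request. The filter is not a fix, since it never runs for a request that does not originate in the browser; binding parameters is.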