Automating SQL Injections Using OWASP Zed Attack Proxy (ZAP) Tool

Every business is going digital. Online shopping, banking, communication and similar services delivered through web applications are now a ubiquitous and essential part of online life. At the same time, threats against web applications grow day by day. To counter them, we must test each application from a security point of view.

According to the OWASP Top 10 for web applications, SQL injection is one of the most critical vulnerabilities, and one that is commonly found in web applications.

In this blog, we are going to touch base on automating SQL injection testing using the OWASP Zed Attack Proxy (ZAP) tool. ZAP is one of the leading open source security testing tools, and it is provided by OWASP itself.

Prerequisites:

  • ZAP must be installed on your local machine
  • You must be aware of basic SQL queries
  • Understand the basics of HTTP status codes

Steps for Automating SQL Injections Using Zed Attack Proxy (ZAP) Tool –

  1. Launch Jx Browser by clicking on the highlighted icon.

Jx Browser looks like this –

  2. Put the application URL in the address bar and hit the Enter key on the keyboard.

  3. Observe that the network traffic generated through Jx Browser is captured in the ZAP tool.

  4. Now find the POST method inside the login API.

  5. Now we will use the ‘Fuzz’ functionality of ZAP, which is provided in the Attack section.

We need to right-click on the login API call and select the Fuzz option as below –

  6. Select uid and click on ‘Add’.

  7. The Payload window now opens; click on ‘Add’.

  8. Select ‘File Fuzzers’ from the Type dropdown and expand the 3rd entry. Then expand ‘Injections’.

  9. Scroll down the pane and select SQL injection as the payload for the uid field. The selected payloads must be visible in the Payloads Preview pane.

  10. Click on the ‘Add’ button and observe that the payload gets added for the uid field.

  11. Click on OK. The payload is now successfully added for the uid field.

  12. Similarly, add the payload for the ‘passw’ field.

  13. Click on ‘Start Fuzzer’ and wait until it reaches 100%.

Finally, check the status code of each fuzzed request. If the response is 302, i.e. a redirect to the next page, the application is vulnerable to SQL injection: the same SQL payloads entered in the ‘uid’ and ‘passw’ fields would let someone log in to the application without knowing the actual password.
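To show why the fuzzer gets a 302 from a vulnerable login and what the fix looks like, here is an added example (not code from the original post or from ZAP) with a constructed in-memory SQLite user table, the string-concatenated login query that the fuzzer catches, and its parameterised replacement; the status codes mirror the 302/200 check described above.

```python
import sqlite3

# Constructed in-memory user table standing in for the backend behind the
# 'uid' / 'passw' POST fields that the fuzzer targets in the steps above.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid TEXT, passw TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, uid, passw):
    """The pattern ZAP flags: user input spliced straight into the SQL text."""
    query = ("SELECT COUNT(*) FROM users WHERE uid = '%s' AND passw = '%s'"
             % (uid, passw))
    return conn.execute(query).fetchone()[0] > 0

def login_hardened(conn, uid, passw):
    """Parameterised query: the input is bound as a value, never parsed as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE uid = ? AND passw = ?"
    return conn.execute(query, (uid, passw)).fetchone()[0] > 0

def handle_login(login_fn, uid, passw):
    """Mimic the codes the post keys on: 302 when authenticated, 200 otherwise.
    A query that no longer parses yields 500, which is also worth triaging in
    the fuzzer's results pane."""
    conn = make_db()
    try:
        return 302 if login_fn(conn, uid, passw) else 200
    except sqlite3.Error:
        return 500
    finally:
        conn.close()

# One classic tautology string of the kind shipped in ZAP's SQL injection file fuzzer.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(name, "valid creds ->", handle_login(fn, "alice", "correct-horse"))
        print(name, "payload     ->", handle_login(fn, PAYLOAD, PAYLOAD))
```

The vulnerable variant answers 302 to the payload exactly as the post describes, while the hardened variant answers 200 because the payload only ever matches a literal uid.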


At Nitor, application and data security are at the core of our services. Our domain experts consider safeguards against the OWASP Top 10 Security Risks to be an essential prerequisite as we help ISVs engineer digital products. To learn more about how Nitor can help you plug security gaps in your products, reach out to us at marketing@nitorinfotech.com

About Nishikant Kulkarni

Nishikant Kulkarni is a Senior Software Engineer at Nitor Infotech. He is an ISTQB Foundation Level Certified Engineer. Nishikant possesses expertise in OWASP ZAP, Burp Suite, JMeter, MTM, Selenium Web Driver, etc.

