Aastha Sinha	Abhijeet Shah	Abhishek Suranglikar
Abhishek Tanwade	Abhishek Tiwari	Ajinkya Pathak
Amit Pawade	Amol Jadhav	Ankita Kulkarni
Antara Datta	Anup Manekar	Chandra Gosetty
Chandrakiran Parkar	Dr. Girish Shinde	Gaurav Mishra
Gaurav Rathod	Harshali Chandgadkar	Kapil Joshi
Madhavi Pawar	Marappa Reddy	Milan Pansuriya
Minal Doiphode	Mohit Agarwal	Mohit Borse
Nalini Vijayraghavan	Neha Garg	Nikhil Kulkarni
Omkar Ingawale	Omkar Kulkarni	Pranit Gangurde
Prashant Kamble	Prashant Kankokar	Priya Patole
Rahul Ganorkar	Ramireddy Manohar	Ravi Agrawal
Robin Pandita	Rohini Wwagh	Sachin Saini
Sadhana Sharma	Sambid Pradhan	Sandeep Mali
Sanjeev Fadnavis	Saurabh Pimpalkar	Sayanti Shrivastava
Shardul Gurjar	Shravani Dhavale	Shreyash Bhoyar
Shubham Kamble	Shubham Muneshwar	Shweta Chinchore
Sidhant Naveria	Sreenivasulu Reddy	Sujay Hamane
Tejbahadur Singh	Tushar Sangore	Vasishtha Ingale
Veena Metri	Vidisha Chirmulay	Yogesh Kulkarni

Software Engineering | 09 Apr 2020 | 5 min

Automating SQL Injections Using OWASP Zed Attack Proxy (ZAP) Tool

Every business is going digital. Nowadays, online shopping, banking, communication, etc. using web applications are a ubiquitous, and essential part of online life. However, day by day, threats are arising for web applications. To overcome such threats, we must test the application from the security point of view.

According to OWASP Top 10 for web applications, SQL injection is one of most critical vulnerabilities, which is commonly found on web applications.

In this blog, we are going to touch base on automating SQL Injections using OWASP Zed Attack Proxy (ZAP) tool. ZAP is one of leading open source security testing tools, which is provided by OWASP itself.

Prerequisites:

ZAP must be installed on your local machine
You must aware of Basic SQL queries
Understand the basics of HTTP status codes

Steps for Automating SQL Injections Using Zed Attack Proxy (ZAP) Tool –

1. Launch Jx Browser by clicking on the highlighted icon.

Jx Browser looks like this –

2. Put the application URL in the address bar and hit the enter button on the keyboard.

3. Observe network traffic, which, accessed via Jx Browser, captured in the ZAP tool.

4. Now find out the Post method inside the login API .

5. Now we will use ‘Fuzz’ functionality from ZAP, which is provided in the Attack section.

We need to right click on login API call and need to select Fuzz option as below –

6. Select uid and click on ‘Add’.

7. Now Payload window opens, click on ‘Add’.

8. Select ‘File Fuzzers’ from Type dropdown and expand the 3^rd Then expand ‘Injections’.

9. Scroll down the pane and select SQL injection as a payload for uid filed. Selected payloads must be seen in the Payloads Preview pane.

10. Click on the ‘Add’ button and observe that payload gets added for the uid field.

11. Click on Ok. Payload is now successfully added for the uid field.

12. Similarly, add payload for the ‘passw’ field.

13. Click on ‘Start Fuzzer’ and wait until it reaches 100%

Finally, check the status code. If the code returns 302, i.e. redirected to next page, it means that the application is vulnerable to an SQL injection. We can utilize the same SQL queries in ‘uid’ and ‘passw’ fields and login into an application without knowing the actual password.

At Nitor Infotech, application and data security are at the core of our services. Our domain experts consider safeguards against the OWASP Top 10 Security Risks to be an essential prerequisite as we help ISVs engineer digital products. To learn more about how Nitor Infotech can help you plug security gaps in your products, reach out to us.