Aastha Sinha	Abhijeet Shah	Abhishek Suranglikar
Abhishek Tanwade	Abhishek Tiwari	Ajinkya Pathak
Amit Pawade	Ankita Kulkarni	Ankita Patidar
Antara Datta	Anup Manekar	Ashish Baldota
Chandra Gosetty	Deep Shikha Bhat	Dr. Girish Shinde
Ekta Shah	Gaurav Mishra	Gaurav Rathod
Gautam Patil	Harish Singh Chauhan	Harshali Chandgadkar
Kapil Joshi	Krishna Gunjal	Madhavi Pawar
Marappa Reddy	Mayur Wankhade	Milan Pansuriya
Minal Doiphode	Mohit Agarwal	Mohit Borse
Nalini Vijayraghavan	Nikhil Kulkarni	Omkar Ingawale
Omkar Kulkarni	Pooja Chavan	Pooja Dhule
Pranit Gangurde	Prashant Kankokar	Priya Patole
Rahul Ganorkar	Rashmi Nehete	Ravi Agrawal
Robin Pandita	Rohan Chavan	Rohini Wwagh
Sachin Saini	Sadhana Sharma	Sambid Pradhan
Sandeep Mali	Sanjay Toge	Sanjeev Fadnavis
Saurabh Pimpalkar	Sayanti Shrivastava	Shardul Gurjar
Shravani Dhavale	Shreyash Bhoyar	Shubham Kamble
Shubham Muneshwar	Shubham Navale	Shweta Chinchore
Sidhant Naveria	Souvik Adhikary	Sujay Hamane
Tejbahadur Singh	Uddhav Dandale	Vasishtha Ingale
Vidisha Chirmulay	Yogesh Kulkarni

Software Engineering | 09 Apr 2020 | 5 min

Automating SQL Injections Using OWASP Zed Attack Proxy (ZAP) Tool

Every business is going digital. Nowadays, online shopping, banking, communication, etc. using web applications are a ubiquitous, and essential part of online life. However, day by day, threats are arising for web applications. To overcome such threats, we must test the application from the security point of view.

According to OWASP Top 10 for web applications, SQL injection is one of most critical vulnerabilities, which is commonly found on web applications.

In this blog, we are going to touch base on automating SQL Injections using OWASP Zed Attack Proxy (ZAP) tool. ZAP is one of leading open source security testing tools, which is provided by OWASP itself.

Prerequisites:

ZAP must be installed on your local machine
You must aware of Basic SQL queries
Understand the basics of HTTP status codes

Steps for Automating SQL Injections Using Zed Attack Proxy (ZAP) Tool –

1. Launch Jx Browser by clicking on the highlighted icon.

Jx Browser looks like this –

2. Put the application URL in the address bar and hit the enter button on the keyboard.

3. Observe network traffic, which, accessed via Jx Browser, captured in the ZAP tool.

4. Now find out the Post method inside the login API .

5. Now we will use ‘Fuzz’ functionality from ZAP, which is provided in the Attack section.

We need to right click on login API call and need to select Fuzz option as below –

6. Select uid and click on ‘Add’.

7. Now Payload window opens, click on ‘Add’.

8. Select ‘File Fuzzers’ from Type dropdown and expand the 3^rd Then expand ‘Injections’.

9. Scroll down the pane and select SQL injection as a payload for uid filed. Selected payloads must be seen in the Payloads Preview pane.

10. Click on the ‘Add’ button and observe that payload gets added for the uid field.

11. Click on Ok. Payload is now successfully added for the uid field.

12. Similarly, add payload for the ‘passw’ field.

13. Click on ‘Start Fuzzer’ and wait until it reaches 100%

Finally, check the status code. If the code returns 302, i.e. redirected to next page, it means that the application is vulnerable to an SQL injection. We can utilize the same SQL queries in ‘uid’ and ‘passw’ fields and login into an application without knowing the actual password.

At Nitor Infotech, application and data security are at the core of our services. Our domain experts consider safeguards against the OWASP Top 10 Security Risks to be an essential prerequisite as we help ISVs engineer digital products. To learn more about how Nitor Infotech can help you plug security gaps in your products, reach out to us.