Describe the bug:
ZAP always produces false positives on "SQL Injection" in the four arithmetic operations case.
It is a very old issue, but it has never been fixed.
But the leader in my unit trusts the raw report blindly.
This causes significant problems in maintenance.
The rules should be strengthened.
At present, ZAP only checks the rule one time and then throws the error.
But it should check the rule at least twice.
If the original query is [ test.jsp?ID=2 ],
it should first check the empty value [ test.jsp?ID= ].
Then check the same value with two different formulas [ test.jsp?ID=1+1 , test.jsp?ID=4/2 ].
If the outputs of the two formulas are the same, and the same as the original, that means injected.
Else, if the output is like the empty one, that means safe.
And most importantly:
it should show a big red notice in eight languages at app start / at the top of the report
that says "This raw report has not been verified by humans and cannot be used as official documentary evidence."
Thanks.
Steps to reproduce the behavior:
All <input> elements in the <form> have the number type.
Expected behavior:
All number fields in my app are first parsed into an int variable, and the default value or any exception always yields 0.
So any SQL Injection will be like nothing.
Software Versions:
ZAP Version: 2.17.0
Screenshots:
No response
Errors from the zap.log file:

Additional context:
No response
Would you like to help fix this issue?
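The re-check the report proposes, written out as an added example (this is not ZAP's own scan-rule code): an in-memory SQLite endpoint that splices the parameter into its query stands in for the case the rule is meant to catch, and an int-parsing endpoint that defaults to 0 mirrors the reporter's app. The verdict function generalizes the report's 1+1 / 4/2 pair by deriving both formulas from the original value; `fetch` is a hypothetical callback that returns the response body for one parameter value.

```python
import sqlite3

# Constructed sample table standing in for the application's data.
ROWS = [(0, "zero"), (1, "one"), (2, "two"), (4, "four")]


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", ROWS)
    return conn


def concatenating_app(id_value: str) -> str:
    """Constructed stand-in for an endpoint that splices ?ID= straight into SQL.
    A database error becomes an error page, as it would in a real app."""
    try:
        row = _db().execute(
            f"SELECT name FROM items WHERE id = {id_value}").fetchone()
    except sqlite3.Error:
        return "error page"
    return row[0] if row else "no row"


def int_parsing_app(id_value: str) -> str:
    """Mirrors the reporter's app: the field is parsed to int first, any failure
    yields the default 0, and only the bound integer reaches the query."""
    try:
        n = int(id_value)
    except ValueError:
        n = 0
    row = _db().execute("SELECT name FROM items WHERE id = ?", (n,)).fetchone()
    return row[0] if row else "no row"


def arithmetic_probe_verdict(fetch, original: str) -> str:
    """The two-step re-check from the report. `fetch(value)` is a hypothetical
    callback returning the response body for that value of the parameter."""
    v = int(original)
    base = fetch(original)
    empty = fetch("")
    # Two different formulas that both evaluate to the original (1+1 and 4/2 for 2).
    f1, f2 = fetch(f"{v - 1}+1"), fetch(f"{v * 2}/2")
    if f1 == f2 == base and base != empty:
        return "injected"      # the backend evaluated the arithmetic
    if f1 == empty and f2 == empty:
        return "safe"          # formulas were rejected like an empty value
    return "inconclusive"      # responses differ: dynamic content, rate limits, etc.
```

The third verdict is the practical caveat: when the four responses disagree for reasons unrelated to the parameter, neither "injected" nor "safe" is justified and the finding should stay flagged for manual review.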