
OWASP | ZAP | SQL Injection | Scan Report


When SQL injection is executed through FUZZ along with the inbuilt payload, the scan result shows multiple columns, including Code, Reason, State, and Payloads.

How do I analyse these columns (Code, Reason, State, and Payloads) for the posted request?


Solution

  • Any fuzzing activity requires manual review and confirmation by the user. Without much more detail as to the app, functionality, and output we can't tell you how to go about analyzing fuzzer results.

    Essentially you'd have to review the fuzz results in contrast to the original (known good) request/response.

    Here are some resources that might help you:

    If you aren't sure how HTTP communication, various attack techniques, etc work then it might be best (from multiple perspectives: time, budget/cost, effectiveness, sanity, etc) to engage your security team or contract the assessment work out to a third party.
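An added illustration of the answer's advice (not code from the question, the answer, or ZAP itself): a small Python triage helper that compares each fuzzer row's Code, Reason and State, plus the response body length, against the original known-good request, so the rows that deviate get manual review first. It assumes the State column carries ZAP's "Reflected" flag (or is empty) and that body length is read from the response; all rows are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FuzzResult:
    """One row of the fuzzer result table plus the response body length."""
    code: int        # "Code" column: HTTP status code
    reason: str      # "Reason" column: HTTP reason phrase
    state: str       # "State" column: assumed to hold ZAP's "Reflected" flag, or be empty
    payload: str     # "Payloads" column: the value substituted into the request
    body_len: int    # response body length, read from the response (not a fuzzer column)


def triage(baseline: FuzzResult, results: list[FuzzResult],
           len_tolerance: int = 50) -> dict[str, list[FuzzResult]]:
    """Bucket each result by how it deviates from the known-good baseline.

    Order matters: a status change is the strongest signal, then a payload echoed
    back into the response, then a materially different body length. Rows that
    land in "same_as_baseline" usually need no further manual review.
    """
    buckets: dict[str, list[FuzzResult]] = {
        "status_changed": [], "reflected": [], "size_changed": [], "same_as_baseline": []}
    for r in results:
        if (r.code, r.reason) != (baseline.code, baseline.reason):
            buckets["status_changed"].append(r)
        elif r.state.lower() == "reflected" and baseline.state.lower() != "reflected":
            buckets["reflected"].append(r)
        elif abs(r.body_len - baseline.body_len) > len_tolerance:
            buckets["size_changed"].append(r)
        else:
            buckets["same_as_baseline"].append(r)
    return buckets


def review_order(buckets: dict[str, list[FuzzResult]]) -> list[str]:
    """Payloads to inspect by hand, strongest signal first."""
    return [r.payload for key in ("status_changed", "reflected", "size_changed")
            for r in buckets[key]]


# Constructed sample rows (not real scan output): the baseline is the original
# request with its normal parameter value; the others are fuzzer iterations.
BASELINE = FuzzResult(200, "OK", "", "42", 1834)
RESULTS = [
    FuzzResult(500, "Internal Server Error", "", "42'", 512),   # server error: review first
    FuzzResult(200, "OK", "", "42''", 1834),                    # indistinguishable from baseline
    FuzzResult(200, "OK", "Reflected", "42 AND 1=1", 1846),     # echoed back, size within tolerance
    FuzzResult(200, "OK", "", "42 AND 1=2", 905),               # same status, very different page
]

if __name__ == "__main__":
    for name, rows in triage(BASELINE, RESULTS).items():
        print(f"{name}: {[r.payload for r in rows]}")
```

The tolerance and the baseline row are the two inputs you should adjust per target; a dynamic page (timestamps, CSRF tokens) needs a larger tolerance or the baseline's own variance measured over a few unmodified requests.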