Cannot detect injection vulnerabilities on null value JSON objects #6469
Comments
|
Right, null values are not tested, I guess they aren't because ZAP does not know which type is supposed to be there (e.g. is it an object, an array, or a string?). It could default to string... |
|
+1 for defaulting to string :) |
|
Understand, thank you for your reply. |
|
Can I deal with this one, and if so, whether dealing with all null values will significantly reduce the test speed. If it is me, an option switch may be added to "input vectors", which is not checked by default. Is this acceptable, or some other ideas. |
|
I like the idea of making it optional, I'm not sure if it should be opt-in or opt-out. How often do uou see null values in json vs. empty strings? It would be similar to the changes done here: |
|
@gitveio are you still working on this issue? |
|
Sorry, I'm not working on it. |
|
OK, no worries. Reopening, still worth addressing. |
Change JSON variant to handle null values as strings. Add option to enable the new behaviour, disabled by default. Fix zaproxy#6469. Signed-off-by: thc202 <thc202@gmail.com>
Change JSON variant to handle null values as strings. Add option to enable the new behaviour, disabled by default. Fix zaproxy#6469. Signed-off-by: thc202 <thc202@gmail.com>
|
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
As the title describes, if the JSON of the request content is:
{"name":null}
The attribute of name will not be tested at all. In fact, the name has a SQL injection problem.
But if you modify the JSON to:
{"name":""}
In this case, the problem will be detected. I am not sure if this is a real problem or just a configuration problem.
Can anyone help me, thanks
The text was updated successfully, but these errors were encountered: