Julien

Reputation: 165

Why does OWASP ZAP detect SQL injection?

I'd like to know why OWASP ZAP detects a potential SQL injection on my login page. I call an API to log in my users.

PHP Slim API code:

// Named placeholders (:login, :password) keep the user-supplied values out of the SQL text
$sql = "SELECT id, idGroup, idTeam, lastName, firstName, isLogged, login, phoneNumber, webrtc FROM users WHERE enable = 1 AND login = :login AND password = :password";

$db = new db();
$db = $db->connect();

$stmt = $db->prepare($sql);
// Note: unsalted md5() is not a password hash; password_hash()/password_verify() is the PHP-native choice
$userPass = md5($password);
$stmt->bindParam(':login', $login);
$stmt->bindParam(':password', $userPass);

$stmt->execute();
$user = $stmt->fetchAll(PDO::FETCH_OBJ);

Login page:

// Raw POST values; they are forwarded to the API as form fields and never concatenated into SQL here
$login = $_POST['username'];
$password = $_POST['password'];

$client = new GuzzleHttp\Client();
$response = $client->request('POST', $apiUrl . 'agent/login', [
    'form_params' => [
        'login' => $login,
        'password' => $password,
        'ipAddress' => $_SERVER['REMOTE_ADDR'],
    ]
]);

$data = json_decode($response->getBody(), true);

// The API returns the matching user rows; a non-empty result means the credentials matched
if (isset($data[0]['id']) && $data[0]['id'] > 0) {
    $_SESSION['fullName'] = $data[0]['firstName'] . ' ' . $data[0]['lastName'];
    $_SESSION['idGroup'] = $data[0]['idGroup'];
    $_SESSION['idTeam'] = $data[0]['idTeam'];
    $_SESSION['idUser'] = $data[0]['id'];
    $_SESSION['login'] = $data[0]['login'];
    $_SESSION['phoneNumber'] = $data[0]['phoneNumber'];
    $_SESSION['webrtc'] = $data[0]['webrtc'];

    // Get roles for user
    // $login comes straight from the POST body into the URL path; rawurlencode($login) would keep it a single path segment
    $response = $client->request('GET', $apiUrl . 'web/permissions/' . $login);
    $data = json_decode($response->getBody(), true);

    foreach ($data as $roles) {
        $_SESSION['roles'][$roles['bit']] = $roles['name'];
    }

    // Redirect to the application on success; nothing is echoed on failure
    echo "<script>window.open('index.php','_self')</script>";

}

All my APIs use prepared statements and parameterized queries.

Here's the OWASP ZAP alert:

The page results were successfully manipulated using the boolean conditions [ZAP" AND "1"="1" -- ] and [ZAP" AND "1"="2" -- ]. The parameter value being modified was NOT stripped from the HTML output for the purposes of the comparison. Data was returned for the original parameter.

Upvotes: 1

Views: 2807

Answers (1)

farhodius

Reputation: 530

This may happen if the response page for the form submission contains the value of a form field as it was specified by the user. For instance, if you are logging in your user and use the value of the 'username' field to greet the user, but pull it not from the DB but from the request variables. SQL injection does not take place, but the scanning script assumes that you stored the value unsanitized in the DB, while you are just using the value provided by the user and not the value that you have stored in the DB. Hope this makes sense.

Upvotes: 1
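As an added example that is not part of the question or the answer above, and not ZAP's own code: a cut-down Python version of the boolean-based check behind this alert, run against a login handler that concatenates the username into the SQL text and against a parameterized handler modelled on the PDO code in the question, each with and without echoing the submitted login back into the page (the situation the answer describes). The SQLite table, the user `julien`/`secret` and the two response bodies are constructed for the example; the payload suffixes follow the ZAP alert, with the single-quoted form ZAP also tries included so that the concatenating handler is actually injectable. The check mirrors the two comparison modes named in the alert: first the raw bodies, then, if the submitted value is echoed, the bodies with that value stripped out.

```python
"""Simplified boolean-based SQL injection probe (in the spirit of ZAP's check)
against vulnerable and parameterized login handlers over in-memory SQLite."""
import hashlib
import sqlite3

# (always-true, always-false) suffixes appended to the original parameter
# value. ZAP tries several quoting styles; the alert shows the double-quoted one.
VARIANTS = [
    ("' AND '1'='1' -- ", "' AND '1'='2' -- "),
    ('" AND "1"="1" -- ', '" AND "1"="2" -- '),
]

# Constructed response bodies: the question's page emits a redirect script on
# success and (we assume) re-renders the form on failure.
SUCCESS = "<script>window.open('index.php','_self')</script>"
FAILURE = "<form method='post'>Login failed</form>"


def pw_hash(password):
    # sha256 stands in for the md5() in the question; neither is a real
    # password hash (bcrypt/argon2 via password_hash() would be).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Constructed sample data: one enabled user, login 'julien', password 'secret'."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, "
               "password TEXT, enable INTEGER)")
    db.execute("INSERT INTO users VALUES (1, 'julien', ?, 1)", (pw_hash("secret"),))
    db.commit()
    return db


def render(rows, params, reflect):
    """Build the page; 'reflect' echoes the submitted login straight from the request."""
    body = SUCCESS if rows else FAILURE
    if reflect:
        body += "<p>Hello %s</p>" % params["login"]
    return body


def vulnerable_login(db, params, reflect=False):
    """Handler that interpolates the request value into the SQL string."""
    sql = ("SELECT id, login FROM users WHERE enable = 1 AND login = '%s' "
           "AND password = '%s'" % (params["login"], pw_hash(params["password"])))
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.Error:  # the other quoting variant can break the syntax
        rows = []
    return render(rows, params, reflect)


def safe_login(db, params, reflect=False):
    """Parameterized equivalent of the PDO prepare()/bindParam() code."""
    sql = ("SELECT id, login FROM users WHERE enable = 1 AND login = ? "
           "AND password = ?")
    rows = db.execute(sql, (params["login"], pw_hash(params["password"]))).fetchall()
    return render(rows, params, reflect)


def boolean_probe(handler, params, name):
    """Probe one parameter. Returns [(true_suffix, stripped_comparison_used)];
    an empty list means no injection was detected."""
    original = handler(params)
    value = params[name]
    findings = []
    for true_sfx, false_sfx in VARIANTS:
        body_true = handler({**params, name: value + true_sfx})
        stripped = False
        if body_true != original:
            # Retry with the submitted value removed from the output, so a page
            # that merely echoes the parameter is not taken for a changed result.
            if body_true.replace(value + true_sfx, "") != original.replace(value, ""):
                continue
            stripped = True
        body_false = handler({**params, name: value + false_sfx})
        if stripped:
            differs = body_false.replace(value + false_sfx, "") != original.replace(value, "")
        else:
            differs = body_false != original
        if differs:  # AND-true matched the original, AND-false did not
            findings.append((true_sfx, stripped))
    return findings


def scan_all():
    """Run the probe against all four handler configurations."""
    db = make_db()
    creds = {"login": "julien", "password": "secret"}
    return {
        "vulnerable": boolean_probe(lambda p: vulnerable_login(db, p), creds, "login"),
        "vulnerable_reflecting": boolean_probe(lambda p: vulnerable_login(db, p, True), creds, "login"),
        "parameterized": boolean_probe(lambda p: safe_login(db, p), creds, "login"),
        "parameterized_reflecting": boolean_probe(lambda p: safe_login(db, p, True), creds, "login"),
    }


if __name__ == "__main__":
    for target, found in scan_all().items():
        print(target, "->", found or "clean")
```

The concatenating handler is flagged with the single-quoted variant whether or not it echoes the login; when it echoes, the finding comes from the stripped comparison, which is the distinction the alert text makes with "was NOT stripped". The parameterized handler is clean in both configurations, because the appended condition never changes which rows the query returns, so the AND-true response cannot match the original one. If your own scan still flags a parameterized endpoint, diff the three raw responses ZAP sent (visible in its request/response panel) and look for what, other than the query result, makes the AND-false page differ.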
