Have you been using ZAP, the OWASP Zed Attack Proxy? It is an intercepting proxy combined with a fuzzer, a vulnerability scanner and many other features that come in very handy when you are analysing and testing web, mobile or any other application that uses HTTP as its communication protocol.
Think of the situation in which, as a tester, you need to check every field of an application where a user can enter data that ends up in a database statement: done by hand, it is a huge task. OWASP ZAP lets you feed a list of attack strings into a chosen parameter and inspect every response, so you can find out quickly whether the application has security gaps and whether its input checks actually work. It makes testing both faster and more thorough. One caveat before you start: point ZAP only at applications you are authorised to test. The walkthrough below uses OWASP Mutillidae, which is deliberately vulnerable and meant to be run on your own machine.
Setting up OWASP ZAP for the browser
Before testing can start, you need to set up the application and configure your browser so that all of its traffic, including HTTPS, passes through ZAP:
- Install and open the application.
- Select Tools ➝ Options ➝ Dynamic SSL Certificates and click the ‘Generate’ button. This creates the root CA certificate that ZAP uses to sign the certificates it presents to the browser for HTTPS sites.
- Accept the ‘Overwrite existing certificate?’ pop-up.
- Click the Save button and save the file in a location you will remember.
- Now import the certificate into your browser (Firefox is recommended, since it keeps its own certificate store and proxy settings separate from the operating system’s).
- Select Preferences ➝ Advanced ➝ Certificates in your browser.
- Select View Certificates ➝ Import and select the certificate you generated.
- Tick all the trust checkboxes and click OK. Without this, the browser shows a certificate warning for every HTTPS site you visit through ZAP.
- Once the certificate is imported, set ZAP as the proxy through which all browser traffic is passed.
- Select Preferences ➝ Advanced ➝ Network tab ➝ Settings.
- Choose the ‘Manual proxy configuration:’ radio button in the Connection Settings pop-up.
- Enter the HTTP Proxy details: localhost, Port: 8080 (ZAP’s default; if that port is already taken on your machine, change it under Tools ➝ Options ➝ Local Proxy and use the same value here).
- Tick the ‘Use this proxy server for all protocols’ check box and click OK.
- Your browser should now be correctly configured.
- Back in OWASP ZAP, notice the ‘Sites’ tree in the upper left corner.
- Go back to your browser and open any web page.
- Return to OWASP ZAP and you will see a number of websites showing up under ‘Sites’.
- At this point you can see every website and resource that has been requested, as well as the responses.
The menu paths above are those of the Firefox and ZAP releases current when this was written; newer releases have moved the same settings, but the steps are unchanged.
With the browser configured to use ZAP, open the Mutillidae web app and go to the first module, A1: Injection.
The module’s login page will be displayed.
Type a username and password and press Enter.
Now go to the ZAP proxy interface and locate this login request in the History tab.
Next, select the fuzzing variable in the request: in our case the value of the username parameter.
Right-click the highlighted value and select Fuzz.
Now you need to select the SQL injection payloads.
Click Add.
A new window will open; select Strings and paste in some SQL injection strings, one per line: a single quote on its own, a doubled single quote as a control, and the classic comment-based bypasses such as ' OR 1=1 -- and admin'-- .
After this click Add, then OK, then Start Fuzzer.
This starts the fuzzing, and the results are listed in the Fuzzer tab, one row per payload.
Compare each row’s status code and response size with the baseline request: a response that differs is worth opening. You can also open a result in the browser, or use the search option to look for strings such as ‘syntax’ or ‘error’ across all responses.
When you open such a response in the browser, the database error message is displayed, confirming that the input reached the SQL query unescaped. A payload that produces no error is not proof the field is safe, however: the application may be swallowing errors, in which case look for other differences (a changed response size, an unexpected successful login, a slower response) instead.
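The fuzz-and-search workflow above can be reproduced offline in a few lines, which makes it clearer what the fuzzer is actually doing and why the error search works. The Python below is an added example, not code from the original post, from ZAP or from Mutillidae: it stands up a constructed in-memory SQLite `accounts` table (the real Mutillidae schema, its MySQL error text and the form parameter names `username`/`password` are assumptions here, not taken from the page), a deliberately vulnerable login that concatenates the username into the query the way the A1 module does, the parameterised fix beside it, and a loop that injects each SQL string into the username position with a fixed wrong password and triages every response the way you triage ZAP’s fuzzer results: a database error message, a login that should not have succeeded, or no change.

```python
import sqlite3
from urllib.parse import urlencode

# Constructed stand-in for Mutillidae's accounts table (assumption: the real
# schema is not on the page; two rows are enough to show the behaviour).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("admin", "adminpass"), ("bob", "bobpass")])
    conn.commit()
    return conn

def vulnerable_login(conn, username, password):
    """The A1 mistake: user input is glued into the SQL text, so a quote in
    the username ends the string literal and the rest becomes SQL syntax."""
    query = ("SELECT username FROM accounts WHERE username = '" + username
             + "' AND password = '" + password + "'")
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error as e:
        # Echoing the driver error to the client is what makes the
        # "search for syntax/error" step work at all.
        return "Error: " + str(e)
    return "Welcome " + row[0] if row else "Login failed"

def safe_login(conn, username, password):
    """Hardened form: a parameterised query. The input is bound as data and
    can never change the structure of the statement."""
    row = conn.execute(
        "SELECT username FROM accounts WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return "Welcome " + row[0] if row else "Login failed"

# Strings a tester pastes into ZAP's fuzzer. A lone quote breaks the query,
# the doubled quote is the control showing the first break was the quote,
# and the comment payloads cut the password check off entirely.
PAYLOADS = ["'", "''", "' OR 1=1 -- ", "admin'-- "]

# Database error fragments to search responses for (lower-case). The MySQL
# text is what a MySQL backend like Mutillidae's prints; the SQLite ones are
# what this demo's backend prints.
SQL_ERROR_SIGNATURES = (
    "you have an error in your sql syntax",  # MySQL
    "syntax error",                          # SQLite, PostgreSQL
    "unrecognized token",                    # SQLite, unterminated string
    "unclosed quotation mark",               # Microsoft SQL Server
)

def fuzzed_body(payload, password="wrongpass"):
    """The form body the fuzzer sends for one iteration; the parameter names
    username/password are an assumption about the login form."""
    return urlencode({"username": payload, "password": password})

def classify(response):
    """Triage one response the way you triage a row in ZAP's Fuzzer tab."""
    body = response.lower()
    if any(sig in body for sig in SQL_ERROR_SIGNATURES):
        return "sql-error"       # injectable: input reached the SQL parser
    if body.startswith("welcome"):
        return "auth-bypass"     # logged in despite a wrong password
    return "no-change"

def fuzz(login, conn, payloads=PAYLOADS, password="wrongpass"):
    """Inject each payload into the username position only, with a fixed
    wrong password, mirroring a single fuzz location selected in ZAP."""
    return {p: classify(login(conn, p, password)) for p in payloads}

if __name__ == "__main__":
    conn = make_db()
    for name, login in (("vulnerable", vulnerable_login), ("safe", safe_login)):
        print(name)
        for payload, verdict in fuzz(login, conn).items():
            print("  %-14r -> %-12s body=%s"
                  % (payload, verdict, fuzzed_body(payload)))
```

Running it prints, for the vulnerable login, an `sql-error` for the lone quote, `no-change` for the doubled quote and `auth-bypass` for both comment payloads; against `safe_login` every payload is `no-change`, because a bound parameter is compared as a value and never parsed as SQL. The doubled-quote control is the important diagnostic: a field that errors on `'` but behaves normally on `''` is almost certainly being spliced into a string literal.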