Skip to content

ascanrules: feat: Add specialized Blind SQL Injection Scanner#6543

Open
nir-cohe wants to merge 3 commits intomainfrom
enhance-blind-sqli-detection
Open

ascanrules: feat: Add specialized Blind SQL Injection Scanner#6543
nir-cohe wants to merge 3 commits intomainfrom
enhance-blind-sqli-detection

Conversation

@nir-cohe
Copy link

@nir-cohe nir-cohe commented Jun 27, 2025

  • Implements dedicated BlindSqlInjectionScanRule for time-based and OAST detection
  • Addresses limitations of generic SQL injection scanner for blind scenarios
  • Supports 22 time-based payloads across MySQL, PostgreSQL, MS SQL, Oracle, SQLite
  • Includes 8 OAST payloads for out-of-band detection
  • Smart attack strength management (LOW: 3, MEDIUM: 8, HIGH: 15, INSANE: 22 payloads)
  • Proper integration with ZAP's TimingUtils and OAST framework
  • Comprehensive unit tests with 19 test cases covering all scenarios

This scanner complements the existing SQL injection scanner by specifically targeting blind SQL injection scenarios where boolean logic payloads fail but time-based and OAST attacks succeed.

Overview

Briefly describe the purpose, goals, and changes or improvements made in this pull request.

Related Issues

Specify any related issues or pull requests by linking to them.

@nir-cohe
feat: Add specialized Blind SQL Injection Scanner
009afb4 
- Implements dedicated BlindSqlInjectionScanRule for time-based and OAST detection
- Addresses limitations of generic SQL injection scanner for blind scenarios
- Supports 22 time-based payloads across MySQL, PostgreSQL, MS SQL, Oracle, SQLite
- Includes 8 OAST payloads for out-of-band detection
- Smart attack strength management (LOW: 3, MEDIUM: 8, HIGH: 15, INSANE: 22 payloads)
- Proper integration with ZAP's TimingUtils and OAST framework
- Comprehensive unit tests with 19 test cases covering all scenarios
- Designed to detect vulnerabilities in apps like SasanLabs that return consistent responses

This scanner complements the existing SQL injection scanner by specifically targeting
blind SQL injection scenarios where boolean logic payloads fail but time-based
and OAST attacks succeed.
@psiinon
Copy link
Member

psiinon commented Jun 27, 2025
edited
Loading

Logo
Checkmarx One – Scan Summary & Details1f676835-edff-40b9-aa2a-2fff42ae1af1

Great job, no security vulnerabilities found in this Pull Request

@kingthorin
Copy link
Member

kingthorin commented Jun 28, 2025
edited
Loading

There's already some things planned around this and relevant to this:

nir-cohe added 2 commits June 28, 2025 06:37
@nir-cohe
fix: Resolve plugin ID conflict for BlindSqlInjectionScanRule
e983845 
- Changed plugin ID from 40029 to 40030 to avoid conflict with TraceAxdScanRule
- Updated corresponding test assertion
- All tests now passing (19 test cases)

This resolves the CI build failures caused by duplicate plugin IDs.
@nir-cohe
revert: Remove command injection changes from blind SQL injection branch
b82df36 
- Reset CommandInjectionScanRule.java to original state from main branch
- Reset CommandInjectionScanRuleUnitTest.java to original state from main branch
- Keep only blind SQL injection scanner changes in this branch
- Command injection enhancements should be in a separate PR
@nir-cohe
Copy link
Author

nir-cohe commented Jun 28, 2025

There's already some things planned around this and relevant to this:

Your call :)
Let me know which rules should be changed/ improved I will take a look there..

This was referenced Jul 1, 2025
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@nir-cohe @psiinon @kingthorin