zaproxy / zaproxy

The ZAP core project

Home Page:https://www.zaproxy.org

API scan report shows different findings in 2 runs done on the same day within a few minutes

YanFangJi opened this issue · comments

Describe the bug

We ran the ZAP API scan against our service; the first run showed a high severity SQL Injection alert, as in the screenshot below. Then we triggered another scan with the same parameters, and the SQL Injection alert disappeared from the report.
[screenshot: scan report showing the SQL Injection alert]

Because we added scan hooks to log the request/response details, I searched for the vulnerable URL in the log. In the 1st run, the response is as below:

 ---------------------------------ZAP Response Init=2
HTTP/1.1 400
Date: Thu, 01 Feb 2024 05:00:17 GMT
Connection: keep-alive
Server-Timing: intid;desc=2385b75d275db33d
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=15724800; includeSubDomains
X-Frame-Options: DENY
content-length: 23


 ---------------------------------ZAP Response Body
Custom Schema is empty!
 ---------------------------------ZAP Response End

Then I found the exact same URL in the 2nd run log; it has the same response as in the 1st run:

 ---------------------------------ZAP Response Init=2
HTTP/1.1 400
Date: Thu, 01 Feb 2024 05:07:43 GMT
Connection: keep-alive
Server-Timing: intid;desc=9c54adf1b50a4665
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=15724800; includeSubDomains
X-Frame-Options: DENY
content-length: 23


 ---------------------------------ZAP Response Body
Custom Schema is empty!
 ---------------------------------ZAP Response End

Why was a different alert reported for the same request/response within a few minutes? The result should be stable.

Steps to reproduce the behavior

  1. Trigger the same API scan several times;
  2. Compare the scan reports.

Expected behavior

The scan result should be stable among different runs.

Software versions

ZAP Version 2.14.0

Screenshots

No response

Errors from the zap.log file

No response

Additional context

I also compared the ZAP standard log: SQL Injection [40018] was triggered in the 1st run.

1st run ZAP log:

WARN-NEW: SQL Injection [40018] x 4 

2nd run ZAP log:

PASS: SQL Injection [40018]

Would you like to help fix this issue?

  • Yes
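The comparison the reporter did by hand (the per-rule summary lines from two runs, and the hook-logged responses for the same endpoint) can be mechanised. The script below is an added example written for this page, not code from the ZAP project or from the reporter: it parses summary lines in the "WARN-NEW: SQL Injection [40018] x 4" / "PASS: SQL Injection [40018]" form and response blocks in the "ZAP Response Init/Body/End" format quoted above, reports rules whose status or count changed, and reports responses that appear in one run only. The sample logs at the bottom are constructed; the set of headers treated as volatile (Date, Server-Timing) is an assumption to adjust per service. Since the quoted hook format carries no request line, responses are compared as a multiset after normalisation rather than keyed by URL.

```python
"""Diff two ZAP API scan runs: summary lines and hook-logged response blocks.

Added example for this issue page; not part of ZAP. Sample logs are constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# zap-api-scan summary line: "<STATUS>: <rule name> [<rule id>]" with optional " x <count>".
SUMMARY_RE = re.compile(r"^(?P<status>[A-Z-]+): (?P<name>.+?) \[(?P<id>\d+)\](?: x (?P<count>\d+))?$")
# Marker lines written by the logging hook, e.g. " ----...ZAP Response Init=2".
MARKER_RE = re.compile(r"^-+ZAP Response (Init|Body|End)")
# Assumption: headers that legitimately differ between runs and must not count as a change.
VOLATILE_HEADERS = {"date", "server-timing"}

Rule = Tuple[str, str, int]                                # (status, name, count)
Response = Tuple[str, Tuple[Tuple[str, str], ...], str]    # (status line, sorted headers, body)


def parse_summary(text: str) -> Dict[str, Rule]:
    """Map rule id -> (status, name, count); PASS lines carry no count, so 0."""
    rules: Dict[str, Rule] = {}
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            rules[m["id"]] = (m["status"], m["name"], int(m["count"] or 0))
    return rules


def diff_summary(run1: Dict[str, Rule], run2: Dict[str, Rule]) -> List[str]:
    """Rule ids whose status or alert count differs between the two runs."""
    return [rid for rid in sorted(set(run1) | set(run2), key=int) if run1.get(rid) != run2.get(rid)]


def normalise(head: List[str], body: List[str]) -> Response:
    """Drop volatile headers, lower-case names and trim the body so equal responses compare equal."""
    lines = [h for h in head if h]
    status_line = lines[0] if lines else ""
    headers = []
    for h in lines[1:]:
        name, _, value = h.partition(":")
        if name.strip().lower() not in VOLATILE_HEADERS:
            headers.append((name.strip().lower(), value.strip()))
    return status_line, tuple(sorted(headers)), "\n".join(body).strip()


def parse_hook_log(text: str) -> List[Response]:
    """Extract every response block delimited by the Init/Body/End marker lines."""
    responses: List[Response] = []
    section = None
    head: List[str] = []
    body: List[str] = []
    for raw in text.splitlines():
        m = MARKER_RE.match(raw.strip())
        if m and m.group(1) == "Init":
            section, head, body = "head", [], []
        elif m and m.group(1) == "Body":
            section = "body"
        elif m and m.group(1) == "End":
            responses.append(normalise(head, body))
            section = None
        elif section == "head":
            head.append(raw.strip())
        elif section == "body":
            body.append(raw)
    return responses


def diff_responses(run1: List[Response], run2: List[Response]) -> Tuple[List[Response], List[Response]]:
    """Responses seen only in run 1 and only in run 2 (multiset semantics, order-insensitive)."""
    c1, c2 = Counter(run1), Counter(run2)
    return list((c1 - c2).elements()), list((c2 - c1).elements())


# Constructed sample data, modelled on the logs quoted in the issue.
RUN1_SUMMARY = "WARN-NEW: SQL Injection [40018] x 4\nPASS: Path Traversal [6]\n"
RUN2_SUMMARY = "PASS: SQL Injection [40018]\nPASS: Path Traversal [6]\n"
RUN1_HOOK_LOG = """\
 ---------------------------------ZAP Response Init=2
HTTP/1.1 400
Date: Thu, 01 Feb 2024 05:00:17 GMT
Connection: keep-alive
Server-Timing: intid;desc=2385b75d275db33d
content-length: 23

 ---------------------------------ZAP Response Body
Custom Schema is empty!
 ---------------------------------ZAP Response End
"""
RUN2_HOOK_LOG = """\
 ---------------------------------ZAP Response Init=2
HTTP/1.1 400
Date: Thu, 01 Feb 2024 05:07:43 GMT
Connection: keep-alive
Server-Timing: intid;desc=9c54adf1b50a4665
content-length: 23

 ---------------------------------ZAP Response Body
Custom Schema is empty!
 ---------------------------------ZAP Response End
 ---------------------------------ZAP Response Init=3
HTTP/1.1 500
Date: Thu, 01 Feb 2024 05:07:44 GMT
content-length: 14

 ---------------------------------ZAP Response Body
Internal error
 ---------------------------------ZAP Response End
"""

if __name__ == "__main__":
    print("rules changed:", diff_summary(parse_summary(RUN1_SUMMARY), parse_summary(RUN2_SUMMARY)))
    only1, only2 = diff_responses(parse_hook_log(RUN1_HOOK_LOG), parse_hook_log(RUN2_HOOK_LOG))
    print("responses only in run 1:", only1)
    print("responses only in run 2:", only2)
```

On the sample data the two quoted 400 responses compare equal once Date and Server-Timing are ignored, while the rule summary still reports 40018 as changed; that is the reporter's observation reproduced mechanically, and the extra 500 response in run 2 shows what a genuine response difference looks like in the output.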

Hi Simon @psiinon , do you know if this is a known issue? Thanks very much for the reply!

Please ask questions on the ZAP User Group: https://groups.google.com/group/zaproxy-users

Hi Simon @psiinon , I'm sorry for the confusion, but from the end user's perspective, this is a bug, not a question.

I beg to differ, as per my reply 😁 ZAP is used by a wide variety of people. Pentesters want to see potential vulnerabilities like this, even if you don't.

Maybe this has something to do with the requests made by the scan rules? One way to debug this could be to compare the list of requests made in both scans.

Hi @ricekot, I compared the requests before opening this issue; they are exactly the same requests with the same parameters.