Verifying and Exploiting Findings
Vulnerability verification prevents false-positive reports. When ZAP reports SQL injection, manually verify the finding before reporting it. Use the Request Editor to resend the exact request that triggered the alert. Confirm that injection payloads actually influence application behavior. Try variations of the successful payload to understand the boundaries of the vulnerability.
Safe exploitation demonstrates impact without damaging systems. For authorized testing, extract non-sensitive data to prove the vulnerability. Queries like "SELECT @@version" or "SELECT current_database()" demonstrate access without touching actual data. Document the exact payload and the response that proves SQL injection. This evidence supports remediation efforts without risking data exposure.
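As an added example (not from the original page or from ZAP), the sketch below triages three responses saved from the Request Editor, the baseline plus a condition-true and a condition-false variation, and builds the evidence record for the report. The response bodies, the volatile-token patterns, the payload placeholder and the 0.95 threshold are constructed assumptions.

```python
import difflib
import hashlib
import re

# Values that change on every response and would otherwise look like a
# payload-induced difference. Patterns are assumptions for the samples below.
VOLATILE = [re.compile(r'name="csrf_token" value="[^"]*"'),
            re.compile(r"\b\d{2}:\d{2}:\d{2}\b")]

def normalize(body):
    """Strip volatile tokens and collapse whitespace before comparing."""
    for pattern in VOLATILE:
        body = pattern.sub("", body)
    return " ".join(body.split())

def similarity(a, b):
    return difflib.SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def triage(baseline, true_resp, false_resp, threshold=0.95):
    """Boolean-differential check over three recorded responses."""
    same_on_true = (true_resp["status"] == baseline["status"] and
                    similarity(baseline["body"], true_resp["body"]) >= threshold)
    differs_on_false = (false_resp["status"] != baseline["status"] or
                        similarity(baseline["body"], false_resp["body"]) < threshold)
    if same_on_true and differs_on_false:
        return "confirmed"              # input changes the query result
    if same_on_true and not differs_on_false:
        return "likely false positive"  # input has no observable influence
    return "inconclusive"               # needs manual review

def evidence(alert, payload, response, verdict):
    """Record what the report needs: exact payload, status, body hash."""
    digest = hashlib.sha256(response["body"].encode()).hexdigest()
    return {"alert": alert, "payload": payload, "status": response["status"],
            "response_sha256": digest, "verdict": verdict}

# Constructed sample responses (not captured from a real application).
PAGE = ('<html><input name="csrf_token" value="{tok}">'
        "<p>Generated {t}</p><ul>{rows}</ul></html>")
ROWS = "<li>Widget</li><li>Gadget</li>"
BASELINE = {"status": 200, "body": PAGE.format(tok="a1", t="10:00:01", rows=ROWS)}
TRUE_RESP = {"status": 200, "body": PAGE.format(tok="b2", t="10:00:05", rows=ROWS)}
FALSE_RESP = {"status": 200, "body": PAGE.format(tok="c3", t="10:00:09", rows="")}

if __name__ == "__main__":
    verdict = triage(BASELINE, TRUE_RESP, FALSE_RESP)
    print(evidence("SQL Injection", "<payload exactly as resent>", FALSE_RESP, verdict))
```

Without the normalization step, the changing CSRF token and timestamp could make every response look different from the baseline and turn a non-finding into an apparent confirmation.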
Understanding injection context improves exploitation. Determine where in the SQL query your input appears—WHERE clauses, INSERT statements, UPDATE commands, or stored procedures each require different techniques. Error messages often reveal query structure. Use this knowledge to craft effective payloads that work within query constraints while achieving testing objectives.