hello,

The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular web application security testing tools. It is made available for free as an open source project, and is contributed to and maintained by OWASP. The Open Web Application Security Project (OWASP) is a vendor-neutral, non-profit group of volunteers dedicated to making web applications more secure. The OWASP ZAP tool can be used during web application development by web developers or by experienced security experts during penetration tests to assess web applications for vulnerabilities.

OWASP ZAP Overview The OWASP Zed Attack Proxy is a Java-based tool that comes with an intuitive graphical interface, allowing web application security testers to perform fuzzing, scripting, spidering, and proxying in order to attack web apps. Being a Java tool means that it can be made to run on most operating systems that support Java. ZAP can be found by default within the Kali Linux Penetration Testing Operating System, or it can be download from here and run on OSs that have Java installed. The OWASP ZAP proxy borrows heavily in GUI appearance from the Paros Proxy Lightweight Web Application security testing tool. Kindly see this article for a detailed look at the Paros Proxy tool.

Launching the OWASP Zed Attack Proxy OWASP ZAP is found by default within the latest Kali Linux 2.0 Penetration Testing Linux distribution. It can be launched by navigating to the “Applications” menu and selecting the “Web Application Assessment” option. A list will appear showing the different tools used for web app security testing. Here we click on the OWASP ZAP tool and wait for it to launch. This can be seen below:

I am on Linux Mint and am using Firefox 76.0

I have tried:

   Restarting Firefox
   Restarting my computer
   Resetting Firefox
   Running `firefox --new-instance --ProfileManager`
   Uninstalling and reinstalling Firefox
   Deleting all Firefox files and reinstalling
   Rewinding my entire computer using Timeshift 

So far, nothing has worked.

I'm using ZAP 2.6, Standard mode. I have white-listed all the parameter inputs. Running Active Scan, I get a SQL Injection Alert that I just cannot understand: When GETing the original page https://localhost:8443/rcrainfoweb/action/modules/br/interstateshiprecv/search , I get my standard error page, a blank html page, as expected. This page requires another missing parameter in order to run and return data. When GETing the page using the attack "query OR 1=1 -- " that is described in "Other Info" as: "The page results were successfully manipulated using the boolean conditions [query AND 1=1 -- ] and [query OR 1=1 -- ] The parameter value being modified was NOT stripped from the HTML output for the purposes of the comparison Data was NOT returned for the original parameter. The vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter" The origianal URL and both of the URL copied from the alert (Attack 1 below) and the secondary attack (Attack 2 below) yield the exact same standard error page, as expected. There is no difference between all three of the html error pages returned. See the attached html error page here => OR 1=1.txt Attack 1: https://localhost:8443/rcrainfoweb/action/modules/br/interstateshiprecv/search?query=query+AND+1%3D1+--+ Attack 2: https://localhost:8443/rcrainfoweb/action/modules/br/interstateshiprecv/search?query=query+OR+1%3D1+--+