I am trying to find the SQL injection vulnerability in DVWA with OWASP ZAP. After clicking on the page, I have a small site map:
I ran Active scan, Spider and AJAX spider in the
GET:sqli node. As you can see in the screenshot above, the SQL injection vulnerability was not found. Nor was the action of the form of
Only if i by hand submit the form, the form action is shown in the Sites tab:
And only if I run Active scan again, the SQL injection vulnerability is detected.
Is there any way to force spider / active scanning to submit forms and detect their vulnerabilities automatically?