zaproxy · psiinon · Jul 15, 2025 · Jul 4, 2025
diff --git a/addOns/ascanrules/CHANGELOG.md b/addOns/ascanrules/CHANGELOG.md
@@ -7,6 +7,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Changed
 - Maintenance changes.
 - Depends on an updated version of the Common Library add-on.
+- The SQL Injection - MsSQL scan rule and alerts have been renamed to clarify that they're time based (Issue 7341).
 
 ### Added
 - Rules (as applicable) have been tagged in relation to HIPAA and PCI DSS.

diff --git a/...ascanrules/SqlInjectionMsSqlScanRule.java → ...ules/SqlInjectionMsSqlTimingScanRule.java b/...ascanrules/SqlInjectionMsSqlScanRule.java → ...ules/SqlInjectionMsSqlTimingScanRule.java
@@ -44,17 +44,17 @@
 import org.zaproxy.zap.model.TechSet;
 
 /**
- * The SqlInjectionMsSqlScanRule identifies MsSQL specific SQL Injection vulnerabilities using MsSQL
- * specific syntax. If it doesn't use MsSQL specific syntax, it belongs in the generic SQLInjection
- * class! Note the ordering of checks, for efficiency is : 1) Error based (N/A) 2) Boolean Based
- * (N/A - uses standard syntax) 3) UNION based (N/A - uses standard syntax) 4) Stacked (N/A - uses
- * standard syntax) 5) Blind/Time Based (Yes - uses specific syntax)
+ * This scan rule identifies MsSQL specific SQL Injection vulnerabilities using MsSQL specific
+ * syntax. If it doesn't use MsSQL specific syntax, it belongs in the generic SQLInjection class!
+ * Note the ordering of checks, for efficiency is : 1) Error based (N/A) 2) Boolean Based (N/A -
+ * uses standard syntax) 3) UNION based (N/A - uses standard syntax) 4) Stacked (N/A - uses standard
+ * syntax) 5) Blind/Time Based (Yes - uses specific syntax)
  *
  * <p>See the following for some great MySQL specific tricks which could be integrated here
  * http://www.websec.ca/kb/sql_injection#MSSQL_Stacked_Queries
  * http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
  */
-public class SqlInjectionMsSqlScanRule extends AbstractAppParamPlugin
+public class SqlInjectionMsSqlTimingScanRule extends AbstractAppParamPlugin
         implements CommonActiveScanRuleInfo {
 
     /** MSSQL one-line comment */
@@ -134,7 +134,8 @@ public class SqlInjectionMsSqlScanRule extends AbstractAppParamPlugin
     private static final double TIME_SLOPE_ERROR_RANGE = 0.30;
 
     /** for logging. */
-    private static final Logger LOGGER = LogManager.getLogger(SqlInjectionMsSqlScanRule.class);
+    private static final Logger LOGGER =
+            LogManager.getLogger(SqlInjectionMsSqlTimingScanRule.class);
 
     private static final Map<String, String> ALERT_TAGS;
 

diff --git a/...ain/javahelp/org/zaproxy/zap/extension/ascanrules/resources/help/contents/ascanrules.html b/...ain/javahelp/org/zaproxy/zap/extension/ascanrules/resources/help/contents/ascanrules.html
@@ -365,10 +365,10 @@ <H2 id="id-40020">SQL Injection - Hypersonic (Time Based)</H2>
 <br>
 Alert ID: <a href="https://www.zaproxy.org/docs/alerts/40020/">40020</a>.
 
-<H2 id="id-40027">SQL Injection - MsSQL</H2>
+<H2 id="id-40027">SQL Injection - MsSQL (Time Based)</H2>
 This active scan rule attempts to inject MsSQL specific sleep commands into parameter values and analyzes the server's response time to see if the sleep is effectively executed on the server (indicating a successful SQL injection attack).
 <p>
-Latest code: <a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRule.java">SqlInjectionMsSqlScanRule.java</a>
+Latest code: <a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlTimingScanRule.java">SqlInjectionMsSqlTimingScanRule.java</a>
 <br>
 Alert ID: <a href="https://www.zaproxy.org/docs/alerts/40027/">40027</a>.
 

diff --git a/...les/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages.properties b/...les/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages.properties
@@ -182,7 +182,7 @@ ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass
 ascanrules.sqlinjection.desc = SQL injection may be possible.
 ascanrules.sqlinjection.hypersonic.name = SQL Injection - Hypersonic SQL
 ascanrules.sqlinjection.mssql.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds.
-ascanrules.sqlinjection.mssql.name = SQL Injection - MsSQL
+ascanrules.sqlinjection.mssql.name = SQL Injection - MsSQL (Time Based)
 ascanrules.sqlinjection.mysql.name = SQL Injection - MySQL
 ascanrules.sqlinjection.name = SQL Injection
 ascanrules.sqlinjection.oracle.name = SQL Injection - Oracle

diff --git a/...es/SqlInjectionMsSqlScanRuleUnitTest.java → ...InjectionMsSqlTimingScanRuleUnitTest.java b/...es/SqlInjectionMsSqlScanRuleUnitTest.java → ...InjectionMsSqlTimingScanRuleUnitTest.java
@@ -38,12 +38,13 @@
 import org.zaproxy.zap.model.TechSet;
 import org.zaproxy.zap.testutils.NanoServerHandler;
 
-/** Unit test for {@link SqlInjectionMsSqlScanRule}. */
-class SqlInjectionMsSqlScanRuleUnitTest extends ActiveScannerTest<SqlInjectionMsSqlScanRule> {
+/** Unit test for {@link SqlInjectionMsSqlTimingScanRule}. */
+class SqlInjectionMsSqlTimingScanRuleUnitTest
+        extends ActiveScannerTest<SqlInjectionMsSqlTimingScanRule> {
 
     @Override
-    protected SqlInjectionMsSqlScanRule createScanner() {
-        return new SqlInjectionMsSqlScanRule();
+    protected SqlInjectionMsSqlTimingScanRule createScanner() {
+        return new SqlInjectionMsSqlTimingScanRule();
     }
 
     @Test