[Owasp-leaders] Ruling out false positives from vulnerability scans

Brad Causey bradcausey at gmail.com
Sun Nov 8 23:42:44 UTC 2015

We use a combination of manual testing and developer/DBA reviews.

Of course this is dependent on your relationship with the application

Things like Blind SQLi are especially bad about being false positives
because most scanners use delay injection to determine vulnerability state.
This isn't a great method because you also just happen to be hammering the
site at the same with other requests that will impact it's performance.

In this anecdotal case, it's easy to determine if the injection made it
into the database because we can request database logs or ask the DBA to
check it out. Of course, we are again assuming they are trustworthy and

Barring those options, we'll manually reproduce the test using a proxy tool
to see if we can replicate the issue.

All of this can be rather tedious, so we only do it for higher risk issues.

I hope this helps!

-Brad Causey

"Si vis pacem, para bellum"

On Sun, Nov 8, 2015 at 5:37 PM, Laura Guazzelli <laura.guazzelli at owasp.org>

> Hello,
> I am very curious about either the methodology and/or recommendations from
> leaders on how to separate false positives from real positives from
> vulnerability scans.
> Thanks,
> Laura Guazzelli
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20151108/66dc8a34/attachment.html>

More information about the OWASP-Leaders mailing list