[OWASP-Security101] Validating a scanner's results

Patrick Laverty patrick_laverty at brown.edu
Thu Apr 5 11:06:14 UTC 2012


I have a scanner that I use to scan apps and it comes back with
results (obviously). What I want to do is validate/re-test the
positive results. For example, sometimes the scanner will tell me that
a page is vulnerable to SQL Injection. So then I go and test it with
the few ways that I know to inject a page and it'll come back as
blocking the injection.

So at that point, how do I know that it isn't a false positive or it's
just that I don't know the right way? It feels like I could know 99
different ways to inject a page but if I don't know #100, then I won't
find it and I'll think it's a false positive. How do people deal with
that?


More information about the Security101 mailing list