[OWASP-Security101] Validating a scanner's results

dinis cruz dinis.cruz at owasp.org
Thu Apr 5 15:09:21 UTC 2012


What type of scanner was it?

What kind of result did you get?

Dinis Cruz

On 5 April 2012 12:06, Patrick Laverty <patrick_laverty at brown.edu> wrote:

> I have a scanner that I use to scan apps and it comes back with
> results (obviously). What I want to do is validate/re-test the
> positive results. For example, sometimes the scanner will tell me that
> a page is vulnerable to SQL Injection. So then I go and test it with
> the few ways that I know to inject a page and it'll come back as
> blocking the injection.
>
> So at that point, how do I know that it isn't a false positive or it's
> just that I don't know the right way? It feels like I could know 99
> different ways to inject a page but if I don't know #100, then I won't
> find it and I'll think it's a false positive. How do people deal with
> that?
> _______________________________________________
> Security101 mailing list
> Security101 at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/security101
> List Run By OWASP
> List Admin: Michael.Coates at owasp.org
>
