[OWASP-Security101] Validating a scanner's results

dinis cruz dinis.cruz at owasp.org
Thu Apr 5 17:14:41 UTC 2012


well, you could be missing something on your test.

That is one of the reasons why my approach with the O2
platform <http://o2platform.wordpress.com> is to create unit/integration
tests for the findings. Not only do I get a
repeatable test, but I also have a way to distribute those tests.

In this case, something is broken. And it looks like it is either your test
or Acunetix :)

Question: are you able to run just that test in Acunetix? If so, put a web
proxy in the middle and see if you can detect what is making that scanner
trigger the SQL Injection vuln.

Btw, do you have access to the App's source code? If so, you should be able
to also confirm (or not) if that vulnerability actually exists.

Dinis Cruz
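A repeatable check of the kind suggested above, written as an added example for this thread (it is not O2 platform code and not from the original post): it takes the request as the proxy saw it, re-sends it once with the parameter the report names set to the string the report gives, and compares the two responses. The application stand-ins, the URL and the report string are constructed placeholders.

```python
import difflib
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed placeholder: paste the exact string the Acunetix report names here.
REPORTED_STRING = "<string from the Acunetix report>"

@dataclass
class Finding:
    """One scanner finding, as reconstructed from the report and the proxy capture."""
    url: str
    params: Dict[str, str]   # the request as the proxy saw it (baseline values)
    variable: str            # parameter the report says triggered the hit
    test_string: str         # value the report says was sent in that parameter

# Anything that takes (url, params) and returns a response body; against a
# live app this would be e.g. requests.get(url, params=params).text.
Sender = Callable[[str, Dict[str, str]], str]

DB_ERROR_MARKERS = ("SQL syntax", "ODBC", "ORA-", "PG::")

def reproduce(finding: Finding, send: Sender) -> dict:
    """Replay the finding and return evidence a reviewer can check by hand."""
    baseline = send(finding.url, finding.params)
    mutated = {**finding.params, finding.variable: finding.test_string}
    probe = send(finding.url, mutated)
    similarity = difflib.SequenceMatcher(None, baseline, probe).ratio()
    markers: List[str] = [m for m in DB_ERROR_MARKERS if m in probe and m not in baseline]
    return {"confirmed": bool(markers), "similarity": round(similarity, 3), "markers": markers}

# Constructed stand-ins for the application under test, so this runs offline.
def app_false_positive(url: str, params: Dict[str, str]) -> str:
    """Handles the parameter safely; the scanner's hit would not reproduce."""
    return f"<p>Results for {params.get('q', '')}</p>"

def app_true_positive(url: str, params: Dict[str, str]) -> str:
    """Leaks a database driver error for any non-alphanumeric input."""
    if not params.get("q", "").isalnum():
        return "Error: You have an error in your SQL syntax near ..."
    return f"<p>Results for {params['q']}</p>"

def run_checks() -> Dict[str, dict]:
    """Run the same finding against both stand-ins; real use has one app."""
    finding = Finding("http://app.example/search", {"q": "books"}, "q", REPORTED_STRING)
    return {name: reproduce(finding, app) for name, app in
            (("false_positive", app_false_positive), ("true_positive", app_true_positive))}

if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

A low similarity score without an error marker is the case to inspect manually in the proxy, since it means the replayed request changed the page without producing the signature this check looks for.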

On 5 April 2012 16:19, Patrick Laverty <patrick_laverty at brown.edu> wrote:

> On Thu, Apr 5, 2012 at 11:09 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
> > What type of scanner was it?
> >
> > What kind of result did you get?
>
> Acunetix. The report gives the string it says was a positive hit. It
> says which variable triggered the positive result. However when I
> tried it, it didn't seem to work.
>

