[OWASP-Security101] Validating a scanner's results

Jim Manico jim.manico at owasp.org
Thu Apr 5 17:27:10 UTC 2012


Can you look at the source code and see how the query is being built in 
the application?

If the query is not parametrized, it's very likely that that code IS 
vulnerable to SQL injection.

Aloha,

-- 
Jim Manico

Connections Committee Chair
Cheatsheet Series Product Manager
OWASP Podcast Producer/Host

jim at owasp.org
www.owasp.org


> I have a scanner that I use to scan apps and it comes back with
> results (obviously). What I want to do is validate/re-test the
> positive results. For example, sometimes the scanner will tell me that
> a page is vulnerable to SQL Injection. So then I go and test it with
> the few ways that I know to inject a page and it'll come back as
> blocking the injection.
>
> So at that point, how do I know that it isn't a false positive or it's
> just that I don't know the right way? It feels like I could know 99
> different ways to inject a page but if I don't know #100, then I won't
> find it and I'll think it's a false positive. How do people deal with
> that?
> _______________________________________________
> Security101 mailing list
> Security101 at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/security101
> List Run By OWASP
> List Admin: Michael.Coates at owasp.org
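The source-review check Jim describes, shown as an added example (not code from the thread or from OWASP): the same lookup written once by splicing the value into the SQL text and once with a bound parameter, run against a constructed in-memory SQLite table. A legitimate value containing an apostrophe is enough to show the difference: the concatenated version hands the input to the SQL parser (and fails), while the parametrized version treats it purely as data. Table, rows and function names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data: a small in-memory table for the demonstration.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("O'Brien",)])
    conn.commit()
    return conn

def lookup_concatenated(conn, name):
    """The pattern a code reviewer flags: the value is pasted into the SQL
    string, so whatever it contains is parsed as part of the statement."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_parametrized(conn, name):
    """The hardened form: the driver sends the value separately from the
    statement text, so it can never change the query's structure."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()

def compare(name):
    """Return (concatenated_result, parametrized_result). Each result is a
    list of rows, or the exception class name if the statement failed."""
    conn = make_db()
    try:
        concat = lookup_concatenated(conn, name)
    except sqlite3.Error as exc:
        # A syntax error triggered by ordinary data is the tell that the
        # input reached the SQL parser.
        concat = type(exc).__name__
    param = lookup_parametrized(conn, name)
    conn.close()
    return concat, param

if __name__ == "__main__":
    for candidate in ["alice", "O'Brien"]:
        print(candidate, compare(candidate))
```

When reviewing real code, grep for the first shape (string concatenation, format strings or f-strings feeding `execute`) and for any ORM or query-builder path that accepts raw fragments; every such site is one where the scanner's finding deserves to be treated as real until the query is rewritten to the second shape.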