[OWASP-Security101] Security101 Digest, Vol 3, Issue 2

Thomas Stiehm thomas.stiehm at gmail.com
Sun Apr 8 21:57:49 UTC 2012

Almost all active and passive web scanners will tell you either in the
log or detailed report what they did to trigger a result as part of the
evidence for the vulnerability. You should be able to copy and paste
the URL into a browser location bar and see the result, i.e. the
realized vulnerability. Take into account that you might need to build
up some specific application state in order to see the issue as it
might have to do with specific workflow or data setup.

Another person suggested looking at the application source code and I
agree that is another good way to determine if the result is real or a
false positive.


On Fri, Apr 6, 2012 at 8:00 AM, <security101-request at lists.owasp.org> wrote:
> I have a scanner that I use to scan apps and it comes back with
> results (obviously). What I want to do is validate/re-test the
> positive results. For example, sometimes the scanner will tell me that
> a page is vulnerable to SQL Injection. So then I go and test it with
> the few ways that I know to inject a page and it'll come back as
> blocking the injection.
> So at that point, how do I know that it isn't a false positive or it's
> just that I don't know the right way? It feels like I could know 99
> different ways to inject a page but if I don't know #100, then I won't
> find it and I'll think it's a false positive. How do people deal with
> that?
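
The replay step described in the reply above, as an added example that is not part of the original message: it re-sends the request recorded in a scanner's evidence with and without session state and checks whether the evidence string reappears. The finding record, the stub application and the cookie value are all constructed for illustration.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Constructed finding, shaped like the evidence a scanner report carries.
FINDING = {"path": "/report?id=7%27", "evidence": "SQL syntax error"}

class StubApp(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the scanned application (not a real product)."""
    def do_GET(self):
        if "session=constructed" in self.headers.get("Cookie", ""):
            status, body = 500, b"Database error: SQL syntax error near ..."
        else:
            # Without the workflow state the app only shows its login page.
            status, body = 200, b"<h1>Please sign in</h1>"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass

def replay(base, finding, cookie=None):
    """Re-send the recorded request; report whether the evidence reappears."""
    req = urllib.request.Request(base + finding["path"])
    if cookie:
        req.add_header("Cookie", cookie)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=5) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # error pages still carry evidence
        status, body = err.code, err.read().decode("utf-8", "replace")
    return {"status": status, "reproduced": finding["evidence"] in body}

def demo():
    """Replay the finding against the stub, first without state, then with it."""
    server = http.server.HTTPServer(("127.0.0.1", 0), StubApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_port
    try:
        return replay(base, FINDING), replay(base, FINDING, "session=constructed")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```

The first replay returns the login page and does not reproduce the evidence, which would look like a false positive; the second, carrying the session state the scanner had, reproduces it.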
