[OWASP-Security101] Validating a scanner's results

Greg Knaddison greg.knaddison at acquia.com
Tue Apr 10 18:50:52 UTC 2012

Sharuth's advice seems good to me. I'd only add that if the scanner is
provided by a commercial organization you could ask them for more
details. False positives are too common in these tools and only by
asking about them can we motivate vendors to reduce them.

If it's an open source tool then contact that tool's community (if
there is one). They'll probably be interested to have a false positive
case to help improve their tool.


On Tue, Apr 10, 2012 at 11:13 AM, us1903 <sharu89 at gmail.com> wrote:
> There are a few approaches to determine if this is a false positive. First
> one being, to check the source code and see if parametrized queries are
> used. If not, then chances are it might be SQL injection. Most of the
> scanners find SQL injection based on change in responses i.e, it gives a
> true condition and checks the response; it gives a false condition and
> checks the response. If there is a difference in the responses then it
> might report it as SQLi. The second way to eliminate false positive is to
> check if the value of the parameter is interacting with the database at
> all.
> One another approach but a time consuming one is when you do not have
> access to the source code. In this case, if you are sure that there is no
> input validation then you should be able to confirm SQLi using various
> vectors. The simplest one being "<param_value> OR 1=1" for true condition
> and "<param_value> OR 1=2" for false condition. Hope this helps.
> --
> Sharath Unni

Director Security Services | +1-720-310-5623
Skype: greg.knaddison | http://twitter.com/greggleshttp://acquia.com

More information about the Security101 mailing list