mark alert as false positive through code


Anis Akbar Patel

Sep 25, 2023, 8:52:14 AM
to ZAP Developer Group
Hi Team,

I am running a scan in which a few alerts get generated. After analyzing those alerts I conclude that a few of the alerts are false positives, and now I don't want them to appear in the alert report generated after the scan.

So we have an option where we can mark the alert as a false positive by using the below function of alert:
$UpdateAlert_JSON= $($zap_url) + "/JSON/alert/updateAlertsConfidence/?" + "apikey=" + $($zap_key) + "&ids=" + $($item_ref.id) + "&confidenceId=0"

Could you please help me with what value is to be used for the ids field, from the alert data which I have as below?
{
        "sourceid":  "1",
        "other":  "The query time is controllable using parameter value [case randomblob(10000000) when not null then 1 else 1 end ], which caused the request to take [138] milliseconds, parameter value [case randomblob(100000000) when not null then 1 else 1 end ], which caused the request to take [2,307] milliseconds, when the original unmodified query with value [Model] took [127] milliseconds.",
        "method":  "POST",
        "evidence":  "The query time is controllable using parameter value [case randomblob(10000000) when not null then 1 else 1 end ], which caused the request to take [138] milliseconds, parameter value [case randomblob(100000000) when not null then 1 else 1 end ], which caused the request to take [2,307] milliseconds, when the original unmodified query with value [Model] took [127] milliseconds.",
        "pluginId":  "40024",
        "cweid":  "89",
        "confidence":  "Medium",
        "wascid":  "19",
        "description":  "SQL injection may be possible",
        "messageId":  "57138",
        "inputVector":  "json",
        "url":  <<API URL>>,
        "tags":  {
                     "OWASP_2021_A03":  "https://owasp.org/Top10/A03_2021-Injection/",
                     "WSTG-v42-INPV-05":  "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection",
                     "OWASP_2017_A01":  "https://owasp.org/www-project-top-ten/2017/A1_2017-Injection.html"
                 },
        "reference":  "https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html",
        "solution":  "Do not trust client side input, even if there is client side validation in place. \nIn general, type check all data on the server side.\nIf the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by \u0027?\u0027\nIf the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.\nIf database Stored Procedures can be used, use them.\nDo *not* concatenate strings into queries in the stored procedure, or use \u0027exec\u0027, \u0027exec immediate\u0027, or equivalent functionality!\nDo not create dynamic SQL queries using simple string concatenation.\nEscape all data received from the client.\nApply an \u0027allow list\u0027 of allowed characters, or a \u0027deny list\u0027 of disallowed characters in user input.\nApply the privilege of least privilege by using the least privileged database user possible.\nIn particular, avoid using the \u0027sa\u0027 or \u0027db-owner\u0027 database users. This does not eliminate SQL injection, but minimizes its impact.\nGrant the minimum database access that is necessary for the application.",
        "alert":  "SQL Injection - SQLite",
        "param":  "Type",
        "attack":  "case randomblob(10000000) when not null then 1 else 1 end ",
        "name":  "SQL Injection - SQLite",
        "risk":  "High",
        "id":  "888",
        "alertRef":  "40024"
    }

Thanks,
Anis Patel

psiinon

Sep 25, 2023, 12:27:33 PM
to ZAP Developer Group
Hi Anis,

The alert ids are returned as "id" in the alert data, so in the case you have given the id should be 888.
Note that you can also use Alert Filters to automatically flag alerts as false positives - see https://www.zaproxy.org/faq/how-do-i-handle-a-false-positive/

Cheers,

Simon
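The id-to-ids mapping Simon describes, as an added example that is not part of this thread or of ZAP's own code: it picks the "id" values of alerts that a reviewer has judged false positive (here by pluginId and param), builds the updateAlertsConfidence call with confidenceId=0, and leaves everything else untouched. The ZAP address http://localhost:8080, the placeholder API key and the sample alert list are assumptions; the alert list is a constructed, trimmed copy of the data in the question plus one extra alert.

```python
import json
import urllib.parse
import urllib.request

# Confidence ids understood by the ZAP alert API; 0 marks an alert as a
# false positive, which keeps it out of the standard report output.
CONFIDENCE_FALSE_POSITIVE = 0
CONFIDENCE_LOW = 1
CONFIDENCE_MEDIUM = 2
CONFIDENCE_HIGH = 3
CONFIDENCE_USER_CONFIRMED = 4

# Constructed sample: alert 888 from the question, plus a constructed alert
# 889 on a different parameter that must not be flagged.
SAMPLE_ALERTS = [
    {"id": "888", "pluginId": "40024", "param": "Type", "risk": "High",
     "name": "SQL Injection - SQLite"},
    {"id": "889", "pluginId": "40024", "param": "Model", "risk": "High",
     "name": "SQL Injection - SQLite"},
]


def select_alert_ids(alerts, plugin_id, param=None):
    """Return the "id" values of alerts raised by plugin_id (and param, if given).

    These per-alert ids are what the ids field expects, not pluginId/alertRef.
    """
    return [a["id"] for a in alerts
            if a["pluginId"] == plugin_id and (param is None or a["param"] == param)]


def build_update_confidence_url(zap_url, api_key, alert_ids,
                                confidence_id=CONFIDENCE_FALSE_POSITIVE):
    """Build the updateAlertsConfidence URL; ids is a comma-separated list."""
    query = urllib.parse.urlencode(
        {"apikey": api_key, "ids": ",".join(alert_ids), "confidenceId": confidence_id},
        safe=",")
    return f"{zap_url.rstrip('/')}/JSON/alert/updateAlertsConfidence/?{query}"


def mark_false_positives(zap_url, api_key, alerts, plugin_id, param=None):
    """Flag the matching alerts as false positives in the running ZAP instance."""
    ids = select_alert_ids(alerts, plugin_id, param)
    if ids:  # no API call when nothing matched
        with urllib.request.urlopen(build_update_confidence_url(zap_url, api_key, ids)) as resp:
            json.load(resp)  # ZAP answers {"Result": "OK"} on success
    return ids


if __name__ == "__main__":
    # In practice the alert list comes from GET /JSON/alert/view/alerts/.
    print(build_update_confidence_url("http://localhost:8080", "<ZAP_API_KEY>",
                                      select_alert_ids(SAMPLE_ALERTS, "40024", "Type")))
```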