How to deal with false positive buffer overflow ? (400 and 500 error code)


Bastien Maurice

Aug 12, 2021, 11:58:15 AM
to OWASP ZAP User Group
Hello guys,

First, I would like to thank you for your amazing tool :)

I use OWASP ZAP in a GitLab pipeline. In the ZAP report, I get some buffer overflow findings. Some of these are real and I fixed them. But as in the screenshot, you can see that I have a sort of buffer overflow via the 500 internal error grabbed by ZAP. But in reality, if I try the same request via the OpenAPI Swagger UI in my browser or by hand with curl with the same parameters, I get a different result: 400 Bad Request. You can see in the second screenshot that I did not respect the pattern regex, which is the intended result.

Any idea how to fix my problem?

Best regards,
Bastien

[Attachments: dast result.png, manual request.png]

kingthorin+owaspzap

Aug 12, 2021, 1:35:57 PM
to OWASP ZAP User Group
Based on the description and details in the screenshots, it seems that when ZAP sent a ridiculous payload your app responded 500 and closed the connection (vs keep-alive), which the scan rule interpreted as an inability to handle the input.
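
As an added illustration (not code from this thread, from ZAP, or from the poster's application), the following Python models the two behaviours described above: a checker that applies the heuristic from the reply (a 500 on an over-long payload with the connection closed rather than kept alive), a handler that lets the long value reach a backend and fails with 500, and a handler that validates the parameter against its schema pattern first and answers 400 like the manual curl/Swagger request. `Backend`, `NAME_PATTERN` and the 2048-byte threshold are constructed assumptions.

```python
import re

# Model of the heuristic described in the reply (assumption: a 500 response to an
# over-long payload, with the connection closed instead of kept alive, is flagged
# as a potential buffer overflow).
def looks_like_buffer_overflow(status, headers, payload_len, threshold=2048):
    closed = headers.get("Connection", "").lower() == "close"
    return payload_len >= threshold and status == 500 and closed

# Constructed stand-in for the OpenAPI "pattern" regex mentioned in the post.
NAME_PATTERN = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

class Backend:
    """Hypothetical storage layer with a fixed-size field (assumption)."""
    MAX_LEN = 64

    def save(self, value):
        if len(value) > self.MAX_LEN:
            raise ValueError("value too long for column")
        return True

def handle_before(params):
    # Unvalidated: the over-long value reaches the backend, the exception turns
    # into a 500 and (assumption) the server tears the connection down.
    try:
        Backend().save(params["name"])
        return 200, {"Connection": "keep-alive"}
    except Exception:
        return 500, {"Connection": "close"}

def handle_after(params):
    # Validate against the schema pattern before touching the backend and reject
    # with 400, matching what the manual request in the post produced.
    value = params.get("name", "")
    if not NAME_PATTERN.match(value):
        return 400, {"Connection": "keep-alive"}
    Backend().save(value)
    return 200, {"Connection": "keep-alive"}

def classify(handler, value):
    # Returns (status, flagged_by_heuristic) for one constructed request.
    status, headers = handler({"name": value})
    return status, looks_like_buffer_overflow(status, headers, len(value))

if __name__ == "__main__":
    big = "A" * 5000  # constructed over-long payload
    print(classify(handle_before, big))  # (500, True): the scanner flags it
    print(classify(handle_after, big))   # (400, False): a plain validation error
```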

Bastien Maurice

Aug 16, 2021, 8:45:31 AM
to OWASP ZAP User Group
Hey Kingthorin,

thanks for your quick answer.

I finally found the problem, which was at my application code level and not in the ZAP tool.

Have a good day,
Bastien

kingthorin+owaspzap

Aug 16, 2021, 10:50:28 AM
to OWASP ZAP User Group
Great, thanks for letting us know.