Re: SQL Injection alert marked as false positive is not working


Simon Bennetts

Oct 2, 2023, 9:09:09 AM
to ZAP User Group
Are you getting exactly the same details each time?

How did you create the Alert Filter?
By hand or via the desktop "Create Alert Filter.." right click option?
That option gives you the ability to test the filter to make sure it works for you.
That's the recommended approach.

Cheers,

Simon

On Monday, 2 October 2023 at 10:40:10 UTC+2 fgar...@gmail.com wrote:
Hi all, 

I have this alert in my OWASP ZAP ->

I have already checked it, and it is a false positive, but I'm trying to ignore it with this filter in the config.xml and it is not working for me ->

<filter>
    <ruleid>40018</ruleid>
    <newrisk>-1</newrisk>
    <url>http://16.17.103.40:8081/sa/sa/updateUser?userName=user1+AND+1%3D1+--+&amp;password=pass1&amp;userDescription=desc2</url>
    <urlregex>false</urlregex>
    <param>userName</param>
    <paramregex>false</paramregex>
    <attack>user1 AND 1=1 --</attack>
    <attackregex>false</attackregex>
    <evidence/>
    <evidenceregex>false</evidenceregex>
    <methods>
        <method>POST</method>
    </methods>
    <enabled>true</enabled>
</filter>


Can somebody help me? Is there another way to ignore it, please?


Thanks, regards

Fernando Garcia Garcia

Oct 2, 2023, 10:08:13 AM
to ZAP User Group
I have done it by hand and via the desktop, but the result is the same... Can I exclude the URL totally?

Thanks

Simon Bennetts

Oct 2, 2023, 10:12:46 AM
to ZAP User Group
What happens when you test the filter in the desktop?
If it appears to work then maybe you are not using the filter correctly.
How are you using it?

Cheers,

Simon

Fernando Garcia Garcia

Oct 2, 2023, 10:47:54 AM
to ZAP User Group
The alert appears again in the desktop, it's true. What I was trying to do is go to alerts, right click on the alert, and mark it as positive, in that case by clicking if it is excluded. In that case, would it be saved as a permanent false positive?


Thanks, regards

Simon Bennetts

Oct 2, 2023, 12:03:05 PM
to ZAP User Group
If you flag an alert as a false positive then you are just flagging that instance, not any future instances.
If you want to make sure that future instances are automatically flagged as false positives then you need to create an Alert Filter and enable it before the new alerts are raised.
If you are creating an Alert Filter and it's not applying then we need to know exactly what you are doing and in what order.
It _could_ be a bug in ZAP, but it's more likely to be something you are doing.

Cheers,

Simon

Fernando Garcia Garcia

Oct 3, 2023, 2:06:15 AM
to ZAP User Group
Okay, then let me explain my steps ->

My ZAP version is 2.13.0, I found the alert that I mentioned before ->

URL http://**.**.**.**:8081/sa/sa/updateUser?userName=user1+AND+1%3D1+--+&password=pass1&userDescription=desc2

Method POST
Parameter userName
Attack user1 AND 1=1 --

Then, now I am trying to handle the alert as a false positive via the UI -> Go to the alert, right click -> Create alert filter ..

Once the alert filter has been saved, ZAP restarted and the test rerun, the alert is still there, as SQL injection :(

Simon Bennetts

Oct 3, 2023, 3:42:02 AM
to ZAP User Group
OK, so chances are that there are some subtle differences that you have not spotted.
Or there could be a bug in ZAP of course, so let's do some more testing.

When you create the initial Alert Filter use the "Test Filter" option - does it apply to any alerts?
If not then that's probably a bug in ZAP.

After rerunning the test look in Options / Global Alert Filters - is your Alert Filter present and enabled?
If not then it's something you are doing wrong.

If it is there then open it and use the "Test Filter" option again - does it apply to the new alert?
If not try clearing the text fields one by one and testing the filter each time. Which one do you need to clear in order for it to work?

Cheers,

Simon

Fernando Garcia Garcia

Oct 3, 2023, 3:56:41 AM
to ZAP User Group
When the alert filter has been created, it is present in the Global Alert Filters, and I was trying to delete and paste again the params and URL, but the "Test" option is not applying to the existing alert. Let me paste a pic with the data.

Simon Bennetts

Oct 3, 2023, 3:59:01 AM
to ZAP User Group
Did you manually set the "URL is Regex?" and "Attack is Regex?" checkboxes?

Cheers,

Simon

Fernando Garcia Garcia

Oct 3, 2023, 4:02:17 AM
to ZAP User Group
Sorry, I activated the regex checkbox accidentally; without it enabled the behaviour remains the same.

Simon Bennetts

Oct 3, 2023, 4:05:29 AM
to ZAP User Group
OK, so clear each text box in turn and "Test" - that will tell us which field is at fault.
We really want to know the full set of fields that are not working, so ideally:
  1. Remove all text fields - hopefully it should now work
  2. Add the text fields back one at a time
  3. Test each one; if one fails then don't re-add it
Which fields don't work?

Cheers,

Simon

Fernando Garcia Garcia

Oct 3, 2023, 4:14:35 AM
to ZAP User Group
Okay, testing the text fields, I have seen the problem: it was located in the "Attack" field, because we have a blank space after the "-".

But I have saved the alert filter, restarted OWASP ZAP, and after the Active Scan the alert still appears as SQL injection, until I enter the Global Alert Filters page and add the "blank space" in the attack; after that, the filter applies ->

Simon Bennetts

Oct 3, 2023, 4:19:38 AM
to ZAP User Group
Oh, interesting :)
So ZAP filled in the "Attack" field, but it only matched after you manually added a blank space?
Was that after the first or second "-"?
Can you see that space present in the initial alert?

Cheers,

Simon

Fernando Garcia Garcia

Oct 3, 2023, 4:27:23 AM
to ZAP User Group
The blank space is after the second "-", and no, I can't see the blank space in the initial alert when I opened ZAP again. Maybe there is a problem saving this kind of character :(

thc...@gmail.com

Oct 3, 2023, 4:43:17 AM
to zaprox...@googlegroups.com
Maybe that's a null byte. Could you Base64 or URL encode the original value and share it?

Best regards.
>>>> 1. Remove all text fields - hopefully it should now work
>>>> 2. Add the text fields back one at a time
>>>> 3. Test each one, if one fails then dont re-add it

Fernando Garcia Garcia

Oct 3, 2023, 4:49:19 AM
to ZAP User Group
The HTML xpath code is the following -> <td width="80%">user1 AND 1=1 -- </td>

Decoding the attack string, I have this -> user1AND1=1--

Fernando Garcia Garcia

Oct 3, 2023, 5:29:01 AM
to ZAP User Group
Hi again, 

Don't worry, I can create a regex expression for this attack, and handle the alert in that way :)

Thanks a lot, regards
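As an added example (not part of the thread, and not ZAP's own matching code), the following Python models how the posted <filter> block is compared against the reported alert. It shows why an exact-match Attack field of "user1 AND 1=1 --" misses an attack string that carries the trailing space seen in the page's <td>, and why switching that one field to a regex fixes it; the matching rules are a simplified assumption.

```python
import re
import xml.etree.ElementTree as ET

# The <filter> element posted in the thread, as in config.xml (ElementTree unescapes &amp;).
FILTER_XML = """<filter>
  <ruleid>40018</ruleid><newrisk>-1</newrisk>
  <url>http://16.17.103.40:8081/sa/sa/updateUser?userName=user1+AND+1%3D1+--+&amp;password=pass1&amp;userDescription=desc2</url>
  <urlregex>false</urlregex>
  <param>userName</param><paramregex>false</paramregex>
  <attack>user1 AND 1=1 --</attack><attackregex>false</attackregex>
  <evidence/><evidenceregex>false</evidenceregex>
  <methods><method>POST</method></methods>
  <enabled>true</enabled>
</filter>"""

# Constructed alert with the thread's values; note the trailing space in the attack string.
ALERT = {
    "ruleid": 40018, "method": "POST", "param": "userName",
    "url": "http://16.17.103.40:8081/sa/sa/updateUser?userName=user1+AND+1%3D1+--+&password=pass1&userDescription=desc2",
    "attack": "user1 AND 1=1 -- ",
}

def parse_filter(xml_text):
    root = ET.fromstring(xml_text)
    def text(tag):
        el = root.find(tag)
        return (el.text or "") if el is not None else ""
    return {
        "ruleid": int(text("ruleid")), "enabled": text("enabled") == "true",
        "url": text("url"), "urlregex": text("urlregex") == "true",
        "param": text("param"), "paramregex": text("paramregex") == "true",
        "attack": text("attack"), "attackregex": text("attackregex") == "true",
        "methods": [m.text for m in root.findall("methods/method")],
    }

def field_matches(pattern, value, is_regex):
    """Empty pattern matches anything; otherwise exact equality or a full regex match."""
    if pattern == "":
        return True
    if is_regex:
        return re.fullmatch(pattern, value) is not None
    return pattern == value

def filter_applies(f, alert):
    """Simplified model of alert-filter matching (an assumption, not ZAP's code)."""
    return (f["enabled"] and f["ruleid"] == alert["ruleid"]
            and (not f["methods"] or alert["method"] in f["methods"])
            and field_matches(f["url"], alert["url"], f["urlregex"])
            and field_matches(f["param"], alert["param"], f["paramregex"])
            and field_matches(f["attack"], alert["attack"], f["attackregex"]))
```

With the filter as posted, `filter_applies(parse_filter(FILTER_XML), ALERT)` is False purely because of the trailing space; the same filter with `attack` set to the regex `user1 AND 1=1 --\s*` and `attackregex` True matches.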

Simon Bennetts

Oct 3, 2023, 6:58:26 AM
to ZAP User Group
OK.
We've tried to reproduce the problem you are seeing locally but without success :/
If you can help us reproduce it then we'll do our best to fix it.

Cheers,

Simon