SQL Injection - SQLite False Positive


Kathy

Mar 27, 2024, 1:37:27 PM
to ZAP User Group
Hi - I am new to ZAP. I set my automatic session Context settings to run only for SQL Server but it is returning a false positive for SQLite as well. Can someone help me understand why this is happening? Thank you!

thc...@gmail.com

Mar 28, 2024, 3:35:16 AM
to zaprox...@googlegroups.com
Hi,

Did you start the scan with the context? Which rule is raising the
alert? (Might be the generic one.)

Best regards.

Kathy

Mar 29, 2024, 3:33:19 AM
to ZAP User Group
Yes, I started the scan with the context. I get the error with and without the context. Raising SQL Injection - SQLite False Positive (see attached).

Why would I get this alert if we do not use SQLite?

Thank you!
ZAP issue.docx

Simon Bennetts

Apr 2, 2024, 12:54:42 PM
to ZAP User Group
It says "SQL injection may be possible", rather than it _is_ possible.
If your app does not use SQLite then configure ZAP to ignore it via the context.

Cheers,

Simon