False positive SQL injection alerts with changing header (request-id, timestamp)?


Nicolò Mendola

Apr 1, 2025, 8:14:14 AM
to ZAP User Group
Hello everyone,

We have a problem where our zaproxy run has identified various SQL injections. Our application responds to the attack attempt with a Bad Request (HTTP 400). For every request to our application, a request-id is generated, which can be seen in the X-Request-Id header and changes with each request. We are using the following Docker image: zaproxy/zap-bare:latest.

An example URL looks like this:

https://example.domain.net/endpoint/pageFavoriteAddInternal/page/-U9DEcUIQzm4v6Zph6Annw?versionState=published&editmode=false AND 1=1 --&_csrf=dPveI88G-O3HVaN48fcAlEwOzKdWVlfX9VIRgJhXCMj9S2flhDog

Can you tell us what we can do in our case? We believe these are false positives.

Nicolò Mendola

Apr 1, 2025, 8:39:45 AM
to ZAP User Group
Screenshot from the report:
[attachment: Bildschirmfoto vom 2025-04-01 14-29-50.png]

Simon Bennetts

Apr 2, 2025, 9:03:44 AM
to ZAP User Group
Hiya,

Yes, they could well be false positives, but we can't know for sure as we don't have access to your app.
FYI we do know that the SQL Injection rule is prone to false positives - we are working on improving that as we speak :)

Cheers,

Simon

Nicolò Mendola

Apr 7, 2025, 4:53:09 AM
to zaprox...@googlegroups.com
Hey Simon, 

thank you very much for your reply. I think we will temporarily deactivate the SQL Injection test until the improvements are complete.

How will we know when the improvements are done and published?

Best Regards

--
ZAP by Checkmarx: https://www.zaproxy.org/
---
You received this message because you are subscribed to a topic in the Google Groups "ZAP User Group" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/zaproxy-users/rNlb20JrOlA/unsubscribe.
To unsubscribe from this group and all its topics, send an email to zaproxy-user...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/zaproxy-users/d303b0ff-6506-4f82-9d12-9b17a9bab413n%40googlegroups.com.

Olindo Pindaro

Apr 8, 2025, 6:01:13 AM
to ZAP User Group
I implemented in Java a filter at instance level to exclude false positives from the report, but I produce the report myself.

Simon Bennetts

Apr 8, 2025, 6:53:00 AM
to ZAP User Group
We will post to this group when the new SQL Injection scan rule improvements are available.

Cheers,

Simon

James L

May 2, 2025, 12:19:35 PM
to ZAP User Group
Hi Simon and all,

Might be slightly OT... I've been having these rules and a few others trigger on block pages. I think it is flagging because the block page has a reference number that changes with each block. Is there a way to alert filter globally so that if the block page shows up in evidence it gets marked as FP?

I think I can do this with alert filters, but I would have to put an alert filter on every rule that triggers the block page. Is it possible to apply to all alerts? Is there a better way to do this?
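One way to do the rule-independent filtering Olindo and James describe, as an added example that is not from the thread or from the ZAP project: a post-processing pass over a scan report that marks any alert instance as a false positive when its evidence is fully explained by a per-request token (a request-id, or a block page's reference number), whatever rule produced it. The report layout below is an assumed, simplified version of ZAP's traditional JSON report with a constructed sample; the rule id 40018 is ZAP's SQL Injection rule; the regexes are illustrative and would be tuned to the real response.

```python
import re
from typing import Any

# Constructed sample in the shape of a ZAP "traditional JSON" report (assumed
# layout; only the fields used below matter). The first two instances mimic
# responses that differ only by the per-request X-Request-Id value.
SAMPLE_REPORT: dict[str, Any] = {
    "site": [{"@name": "https://example.domain.net", "alerts": [{
        "pluginid": "40018", "alert": "SQL Injection", "riskcode": "3",
        "instances": [
            {"uri": "https://example.domain.net/endpoint/page", "param": "editmode",
             "attack": "false AND 1=1 -- ",
             "evidence": "X-Request-Id: 3f2a9c1e-7b44-4d8e-9a10-2c6f1e8b5d77"},
            {"uri": "https://example.domain.net/endpoint/page", "param": "editmode",
             "attack": "false AND 1=2 -- ",
             "evidence": "X-Request-Id: 9d41b7f0-1a2c-4e3f-8b6d-5c7e9f0a1b2c"},
            {"uri": "https://example.domain.net/search", "param": "q",
             "attack": "' OR '1'='1",
             "evidence": "You have an error in your SQL syntax"},
        ]}]}],
}

# Evidence that is explained entirely by a token that changes on every
# request: a request-id header, or a block page's per-block reference number.
VOLATILE_EVIDENCE = [
    re.compile(r"X-Request-Id:\s*[0-9a-f-]{36}", re.I),
    re.compile(r"reference\s*(?:number|id)\s*[:#]\s*\w+", re.I),
]


def is_volatile(evidence: str) -> bool:
    """True when the evidence matches one of the changing-token patterns."""
    return any(p.search(evidence) for p in VOLATILE_EVIDENCE)


def triage(report: dict[str, Any]) -> dict[str, list[dict[str, Any]]]:
    """Sort every alert instance in the report, regardless of rule, into
    'keep' (review by hand) or 'fp' (evidence is only a volatile token)."""
    out: dict[str, list[dict[str, Any]]] = {"keep": [], "fp": []}
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            for inst in alert.get("instances", []):
                bucket = "fp" if is_volatile(inst.get("evidence", "")) else "keep"
                out[bucket].append({"rule": alert["pluginid"], **inst})
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"kept {len(result['keep'])}, marked FP {len(result['fp'])}")
```

The kept instances still need manual review; the pass only removes the alerts whose sole "evidence" is a value that would differ between any two requests.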

Simon Bennetts

May 5, 2025, 5:45:51 AM
to ZAP User Group
Hi James,

What do you mean by a "block page"? Is that like a custom 403?
Let us know how you get on :)

Cheers,

Simon

Nicolò Mendola

5:32 AM (6 hours ago)
to zaprox...@googlegroups.com
Hey Simon,

Any news about the updated SQL Injection tests?

PS: Happy Holidays :)

Best Regards
