Removing false positives


Demetri

Nov 20, 2017, 11:43:04 AM
to OWASP ZAP User Group

Hi,

We have this alert, Backup File Disclosure, appearing in many URLs (977 of them). This is a false positive.

Is there a way to quickly mark all of these as false positives, instead of opening each URL where the issue was found and selecting Confidence --> False Positive?

Alternatively, can it be removed completely? I tried to delete the whole group (Backup File Disclosure), but it seems to come back when I reopen the session and generate the HTML report.

Please advise if you know a better way to do this.

Thanks,

Demetri

kingthorin+owaspzap

Nov 20, 2017, 3:31:57 PM
to OWASP ZAP User Group
There is a known delete issue that you might be hitting: https://github.com/zaproxy/zaproxy/issues/2593

Instead of trying to do the whole set, try shift-clicking or ctrl-clicking alerts and doing batches; see if that works for you.

Alternatively, you could probably create a standalone script to adjust the confidence value of the alerts (walk the tree, set the value(s)).
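
An added example, not part of the thread and not ZAP project code: a different route to the bulk change suggested above, driving the ZAP JSON API from outside ZAP instead of a standalone script that walks the alert tree. It assumes a ZAP release whose API provides alert/view/alerts and alert/action/updateAlertsConfidence, a local API address, a placeholder API key and the alert field names shown; the sample alerts are constructed.

```python
import json
import urllib.parse
import urllib.request

ZAP = "http://127.0.0.1:8080"   # assumption: address of the local ZAP API
API_KEY = "REPLACE_ME"          # placeholder, not a real key
FALSE_POSITIVE = 0              # confidence id ZAP uses for "False Positive"

def select_ids(alerts, alert_name):
    """IDs of alerts with this name that are not already False Positive."""
    return [a["id"] for a in alerts
            if a.get("alert") == alert_name
            and a.get("confidence") != "False Positive"]

def batches(ids, size=100):
    """Split the IDs into small batches, as the reply above advises."""
    return [ids[i:i + size] for i in range(0, len(ids), size)]

def update_url(ids):
    """Request that sets one batch of alerts to False Positive."""
    query = urllib.parse.urlencode(
        {"ids": ",".join(ids), "confidenceId": FALSE_POSITIVE})
    return f"{ZAP}/JSON/alert/action/updateAlertsConfidence/?{query}"

def call(url):
    """Send one API request with the key in the X-ZAP-API-Key header."""
    req = urllib.request.Request(url, headers={"X-ZAP-API-Key": API_KEY})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def mark_false_positives(alert_name, baseurl):
    """Fetch alerts under baseurl and update the matching ones in batches."""
    query = urllib.parse.urlencode({"baseurl": baseurl})
    alerts = call(f"{ZAP}/JSON/alert/view/alerts/?{query}")["alerts"]
    ids = select_ids(alerts, alert_name)
    for batch in batches(ids):
        call(update_url(batch))
    return len(ids)

# Constructed sample in the assumed shape of the API's alert records.
SAMPLE = [
    {"id": "1", "alert": "Backup File Disclosure", "confidence": "Medium"},
    {"id": "2", "alert": "Cookie Without Secure Flag", "confidence": "Medium"},
    {"id": "3", "alert": "Backup File Disclosure", "confidence": "False Positive"},
    {"id": "4", "alert": "Backup File Disclosure", "confidence": "Medium"},
]

if __name__ == "__main__":
    print(select_ids(SAMPLE, "Backup File Disclosure"))  # selection only, no network
```

Calling mark_false_positives("Backup File Disclosure", "<site base URL>") against a running ZAP applies the change; review the selected alerts first, since the update is made in bulk.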


thc...@gmail.com

Nov 20, 2017, 6:34:21 PM
to zaprox...@googlegroups.com
Hi.

Could you provide more details on the false positives? What's the status
code for the (non-existing) backup files?

Best regards.

thc...@gmail.com

Nov 20, 2017, 6:35:16 PM
to zaprox...@googlegroups.com
There's also alert filters:
https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAlertFiltersAlertFilter

(Although those apply for new alerts only.)

Best regards.

Demetri

Nov 27, 2017, 11:39:02 AM
to OWASP ZAP User Group
Hi,

Thanks for responding. Sorry for taking ages to write back!

The responses coming back are all 403s, for example:
req: GET https://ncr-login.lab.<..>.<...>.com/auth%20-%20Copy%20(3) HTTP/1.1
resp: HTTP/1.1 403 Forbidden

Thanks,
Demetri

Demetri

Nov 27, 2017, 11:39:11 AM
to OWASP ZAP User Group
Hi,

Thanks for responding. Sorry for taking ages to write back!

So deleting in parts, as you suggested, seems to do the trick. Thanks for the suggestion. A bit cumbersome, but at least I can have them removed.
I guess the fix for this will be in ZAP 2.7.

Thanks,
Demetri