zaproxy: False positive SQL injection alerts

ZAP issues a false positive SQL injection alert for the following response (I have replaced some real values with ‘PRIVATE’ here due to security issues):

HTTP/1.1 200
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Set-Cookie: JSESSIONID=PRIVATE; Path=/PRIVATE; HttpOnly
Cache-Control: no-cache
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 5792
Date: Tue, 17 Jul 2018 08:59:39 GMT

In the request body HTML, our application is printing an error -

<head>
	<title>PRIVATE- Error Page</title>

<meta http-equiv="Content-Type" content="text/html"/>

and so on

Does ZAP expect some specific response code that is not 200 ?

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 26 (13 by maintainers)

Most upvoted comments

Yeah, if an SQL injection attack causes the app to return an error page then I’d definitely think that should be looked into. It’s not definitely an SQLi vuln, but it’s very suspicious.
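As an added triage example (not part of the issue thread and not ZAP's own scan logic), the check below compares the benign baseline response with the response to the scanner's probe value and labels the alert, following the maintainer's point that an error page appearing only under the probe deserves review. The sample bodies and the error-signature list are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample bodies standing in for the redacted responses in the issue.
GENERIC_ERROR_PAGE = """<html><head>
<title>PRIVATE- Error Page</title>
<meta http-equiv="Content-Type" content="text/html"/>
</head><body><p>An unexpected error occurred.</p></body></html>"""

DB_ERROR_PAGE = """<html><head><title>PRIVATE- Error Page</title></head>
<body><pre>org.hibernate.exception.SQLGrammarException: could not extract ResultSet
You have an error in your SQL syntax; check the manual</pre></body></html>"""

# Database error text leaking into a body: a constructed subset, not ZAP's list.
DB_ERROR_SIGNATURES = [re.compile(p, re.IGNORECASE) for p in (
    r"you have an error in your sql syntax",
    r"sqlgrammarexception",
    r"ora-\d{5}",
    r"unclosed quotation mark",
)]

def page_title(html: str) -> Optional[str]:
    """Return the <title> text of an HTML body, or None if it has none."""
    m = re.search(r"<title>(.*?)</title>", html, re.IGNORECASE | re.DOTALL)
    return m.group(1).strip() if m else None

def db_error_signatures(html: str) -> List[str]:
    """Return the patterns from DB_ERROR_SIGNATURES that match the body."""
    return [p.pattern for p in DB_ERROR_SIGNATURES if p.search(html)]

def triage(baseline_status: int, baseline_body: str,
           probe_status: int, probe_body: str) -> Tuple[str, str]:
    """Classify one alert from the benign (baseline) response and the response
    to the scanner's probe value. The status code alone decides nothing: the
    error page in the issue came back as HTTP 200."""
    found = db_error_signatures(probe_body)
    if found:
        return "review", "database error text in response: " + ", ".join(found)
    probe_title = page_title(probe_body) or ""
    if "error" not in probe_title.lower():
        return "unclear", "no database error text and no error page"
    if probe_title == page_title(baseline_body) and probe_status == baseline_status:
        # The same error page comes back for benign input too, so the alert
        # reflects a broken endpoint rather than a reaction to the probe.
        return "likely-false-positive", "identical error page for benign input"
    # Only the probe value triggers the error page: the maintainer's
    # "very suspicious" case. Check the application and database logs.
    return "review", "error page returned only for the probe value"
```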