OWASP ZAP - how to "prove" false positives?

Our customer requires us to run the OWASP ZAP tool against our web application (ASP.NET 4.5.2, Webforms) and we cannot have any high priority findings in the report.

We've done the analysis, and OWASP ZAP reports two vulnerabilities which both are most likely "false positives":

  • Remote OS command execution
  • SQL injection

The Remote OS command execution seems bogus, because we're not executing any OS commands anywhere - so how could any attacker get our code to execute his command on a remote machine?

And the SQL injection seems extremely bogus since we're using Entity Framework everywhere, which uses properly parameterized queries, which are the gold standard against any SQL injection...

Have other folks had these kinds of "false positives" with OWASP ZAP? Are there any "known issues" documented anywhere that we could use to prove that the tool is wrong - not our code?

marc_s asked Nov 20 '16 13:11

1 Answer

I'm not aware of any automated scanner that is false-positive free (despite some marketing claims ;) so I'd always recommend manually verifying any findings.

It would help if you could give us some more details - ZAP should give you a lot more information than just the vulnerability name. One possibility is that they are timing attacks and your server is running slowly due to the scan. I've definitely seen that many times. In the weekly versions of ZAP you can actually increase the timing values used (which defaults to 5 seconds) - that can help reduce or eliminate such false positives.

If you do find false positives in ZAP scans then please report them via issues or the Dev Group - if you don't tell us about them then we can't fix them :)

Simon (ZAP Project Lead)

Simon Bennetts answered Oct 01 '22 21:10
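As an added example (not code from the answer or from the ZAP project), here is a small Python helper that applies the answer's point about timing-based findings: it compares recorded response times of a plain request against those seen for the request that raised the alert, using ZAP's stated 5-second default as the threshold, and says whether a slow server alone explains the finding. The latency samples are constructed, and the verdict wording is my own.

```python
"""Classify a time-based scanner alert using recorded response latencies.

Added example, not ZAP code: it sends no requests and only reasons over
latency samples you have already measured (e.g. from ZAP's history view or
your own server logs).
"""
from statistics import median
from typing import Sequence

# ZAP's default delay for time-based checks, as stated in the answer (seconds).
DEFAULT_THRESHOLD_S = 5.0


def assess_timing_finding(baseline_s: Sequence[float],
                          probe_s: Sequence[float],
                          threshold_s: float = DEFAULT_THRESHOLD_S) -> dict:
    """Decide whether a time-based alert is explained by a slow server.

    baseline_s: latencies of the same request with benign input.
    probe_s:    latencies of the request that triggered the alert.
    Returns the medians, the extra delay and a verdict string.
    """
    if not baseline_s or not probe_s:
        raise ValueError("need at least one sample in each group")
    base = median(baseline_s)
    probe = median(probe_s)
    extra = probe - base
    if base >= threshold_s:
        verdict = "likely false positive: benign requests already exceed threshold"
    elif extra >= threshold_s:
        verdict = "delay attributable to the probe: verify manually"
    else:
        verdict = "likely false positive: probe not meaningfully slower than baseline"
    return {"baseline_median_s": base, "probe_median_s": probe,
            "extra_delay_s": extra, "verdict": verdict}


# Constructed samples (not real measurements), in seconds.
OVERLOADED = ([6.1, 5.8, 7.2, 6.4, 5.9], [6.3, 7.0, 6.2, 6.8])  # server crawling under the scan
HEALTHY = ([0.21, 0.25, 0.19, 0.23], [0.24, 0.22, 0.27])         # probe adds no delay
SUSPECT = ([0.21, 0.25, 0.19, 0.23], [5.4, 5.6, 5.3])            # probe genuinely adds ~5 s

if __name__ == "__main__":
    cases = (("overloaded", OVERLOADED), ("healthy", HEALTHY), ("suspect", SUSPECT))
    for name, (base, probe) in cases:
        print(f"{name}: {assess_timing_finding(base, probe)['verdict']}")
```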