Our client requires us to run the OWASP ZAP tool against our web application (ASP.NET 4.5.2, Webforms), and we cannot have high-priority results in the report.
We performed the analysis, and OWASP ZAP reports two vulnerabilities, which are most likely “false positives”:
- Running a remote operating system
- SQL injection
Running a remote operating system seems fictitious because we are not executing any OS commands anywhere, so how could an intruder get our code to execute their commands on a remote machine?
And the SQL injection seems extremely fictitious because we use the Entity Framework everywhere, which uses correctly parameterized queries, the gold standard against any SQL injection…
Have other people had such “false positives” with OWASP ZAP? Are there any “known issues” anywhere that we could use to prove that the tool is wrong and not our code?
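To triage ZAP's SQL injection alert against the "we use Entity Framework" argument, the code-behind has to be checked for the one EF pattern that is still injectable: raw SQL built by string concatenation. The following Webforms code-behind is an added example, not code from the question or the asker's application; it assumes EF6, a hypothetical `ShopContext`/`Product` model, and `txtSearch`/`grdResults` controls from the page's designer file.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Entity;
using System.Data.SqlClient;
using System.Linq;
using System.Web.UI;

// Hypothetical EF6 model and context used only for this example.
public class Product { public int Id { get; set; } public string Name { get; set; } }
public class ShopContext : DbContext { public DbSet<Product> Products { get; set; } }

public partial class Search : Page
{
    // INJECTABLE: the user-supplied term is concatenated into the SQL text.
    // EF does not parameterize SqlQuery/ExecuteSqlCommand strings for you, so
    // a scanner probe that alters the query would be a true positive here.
    private List<Product> SearchConcatenated(string term)
    {
        using (var db = new ShopContext())
            return db.Database.SqlQuery<Product>(
                "SELECT * FROM Products WHERE Name LIKE '%" + term + "%'").ToList();
    }

    // SAFE: LINQ-to-Entities; EF emits the value as a query parameter.
    private List<Product> SearchLinq(string term)
    {
        using (var db = new ShopContext())
            return db.Products.Where(p => p.Name.Contains(term)).ToList();
    }

    // SAFE: raw SQL is fine as long as the value travels as a parameter.
    private List<Product> SearchRawParameterized(string term)
    {
        using (var db = new ShopContext())
            return db.Database.SqlQuery<Product>(
                "SELECT * FROM Products WHERE Name LIKE @term",
                new SqlParameter("@term", "%" + term + "%")).ToList();
    }

    protected void btnSearch_Click(object sender, EventArgs e)
    {
        // Only the parameterized forms should be reachable from user input.
        grdResults.DataSource = SearchLinq(txtSearch.Text);
        grdResults.DataBind();
    }
}
```

Grepping the project for `SqlQuery(`, `ExecuteSqlCommand(` and hand-built `SqlCommand` strings and confirming none takes request data by concatenation is the evidence that answers the alert; if none exists, compare the request/response that ZAP attaches to the alert against the handler before marking it as a false positive.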