Web Application Vulnerability and Potential False Positives
For a penetration tester, the application vulnerability scan is a major part of any penetration testing methodology. In the application scanning stage there are several different types of vulnerabilities that may surface. The main ones being:
SQL injection/blind SQL injection, cross-site scripting/persistent cross-site scripting, command injection, XPath injection, SOAP/AJAX attacks, CSRF/HTTP response splitting, arbitrary file upload attacks, remote file include (PHP code injection), application errors, etc. (I may have left some out, please don't grill me if I neglected to mention them above.)
When using a scanner you can rest assured you will encounter a false positive. In my experience the SQL injection vulnerability is what's going to harbor the most false positives.
False positives are a nasty byproduct of using scanners that are created to save time. I haven't found a thread that directly touches on this subject and wanted to start a brief Q&A.
So here is the point of this entire post: when faced with scan output and a potential vulnerability that may actually be a false positive, what are effective measures of determining these "false positives" (if not already designated as such), verifying them, and then correcting them?
I know there is an independent process for each vulnerability, but I'd like to focus on SQL injection and cross-site scripting initially.
Any help is appreciated...
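One way to answer the verification half of the question for the two classes the post singles out, as an added example that is not part of the original post. The two "apps" below are constructed stand-ins (one concatenates the parameter into SQL and echoes it unescaped, the other binds the parameter and HTML-escapes the echo); in real use the `fetch` callable would wrap an HTTP client that sends one parameter value and returns the response body. The SQL injection check is a boolean-based differential: two independent always-true and two always-false tails are appended to a known-good value, and the finding counts only if the true pair agree with each other, the false pair agree with each other, and the two classes differ. A page that simply errors on any quote, the usual source of scanner false positives, returns identical bodies for all four probes and fails the test. The XSS check sends a tag-breaking probe with a marker and distinguishes raw reflection from reflection that was neutralised by encoding.

```python
"""Manual confirmation of scanner-reported SQL injection and reflected XSS.

Added example, not from the original post. vulnerable_app and fixed_app are
constructed stand-ins for a target search page; `fetch` maps one value of the
tested parameter to the response body it produces.
"""
import html
import sqlite3
from typing import Callable

Fetch = Callable[[str], str]  # one parameter value -> response body

# ---- constructed targets (assumed, for offline demonstration) -------------
_DB = sqlite3.connect(":memory:")
_DB.execute("CREATE TABLE products(name TEXT)")
_DB.executemany("INSERT INTO products VALUES (?)",
                [("apple",), ("banana",), ("cherry",)])


def vulnerable_app(q: str) -> str:
    """Concatenated SQL plus unescaped reflection of the parameter."""
    try:
        rows = _DB.execute(
            f"SELECT name FROM products WHERE name = '{q}'").fetchall()
    except sqlite3.Error:
        return "<html><body><p>Internal error</p></body></html>"
    items = "".join(f"<li>{r[0]}</li>" for r in rows)
    return f"<html><body><p>Results for {q}</p><ul>{items}</ul></body></html>"


def fixed_app(q: str) -> str:
    """Bound parameter plus HTML-escaped reflection."""
    rows = _DB.execute(
        "SELECT name FROM products WHERE name = ?", (q,)).fetchall()
    items = "".join(f"<li>{html.escape(r[0])}</li>" for r in rows)
    return (f"<html><body><p>Results for {html.escape(q)}</p>"
            f"<ul>{items}</ul></body></html>")


# ---- verification ---------------------------------------------------------
def _strip_reflection(body: str, sent: str) -> str:
    """Mask the echoed input so only server-side behaviour is compared."""
    for form in (sent, html.escape(sent), html.escape(sent, quote=False)):
        body = body.replace(form, "<INPUT>")
    return body


def confirm_boolean_sqli(fetch: Fetch, base: str) -> str:
    """Boolean-based differential: true probes agree, false probes agree,
    and the two classes differ. Anything else is left unconfirmed."""
    trues = [base + "' AND '1'='1", base + "' AND '7'='7"]
    falses = [base + "' AND '1'='2", base + "' AND '7'='8"]
    t = [_strip_reflection(fetch(p), p) for p in trues]
    f = [_strip_reflection(fetch(p), p) for p in falses]
    if t[0] == t[1] and f[0] == f[1] and t[0] != f[0]:
        return "confirmed"
    return "not_confirmed"


def confirm_reflected_xss(fetch: Fetch, marker: str = "zq7f3a") -> str:
    """Does a tag-breaking probe reach the HTML with its markup intact?"""
    probe = f'"><u>{marker}</u>'
    body = fetch(probe)
    if probe in body:
        return "confirmed"              # raw markup reached the page
    if marker in body:
        return "reflected_but_encoded"  # echoed, but neutralised by escaping
    return "not_reflected"


if __name__ == "__main__":
    for name, app in (("vulnerable_app", vulnerable_app),
                      ("fixed_app", fixed_app)):
        print(name, "sqli:", confirm_boolean_sqli(app, "apple"),
              "xss:", confirm_reflected_xss(app))
```

The reflection masking matters: a scanner that diffs whole pages sees every probe produce a "different" response simply because the probe is echoed back, which is exactly how error-message-only findings get reported as SQL injection. Masking the echo and requiring consistency within each probe class before accepting a difference between classes is what separates a real injection point from an application that just complains about odd input.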