
Our customer requires us to run the OWASP ZAP tool against our web application (ASP.NET 4.5.2, Webforms) and we cannot have any high priority findings in the report.

We've done the analysis, and OWASP ZAP reports two vulnerabilities which both are most likely "false positives":

  • Remote OS command execution
  • SQL injection

The Remote OS command execution seems bogus, because we're not executing any OS commands anywhere - so how could any attackers get our code to execute his command on a remote machine?

And the SQL injection seems extremely bogus since we're using Entity Framework everywhere which uses properly parameterized queries which are the gold standard against any SQL injection ....

Have other folks had these kinds of "false positives" with OWASP ZAP? Are there any "known issues" documented anywhere that we could use to prove that the tool is wrong - not our code?

marc_s
  • Even with EF you still can run arbitrary queries and just materialize results. Not so long ago I found such issue in one of inspected apps. Make sure zap just hasn't found something you wouldn't believe to have in your own code. – Wiktor Zychla Nov 20 '16 at 13:41
  • @WiktorZychla: you're right - but we don't have any "arbitrary SQL" in your EF code - that's absolutely sure. – marc_s Nov 20 '16 at 13:52
  • I think telling your client that you reviewed the code, and you are using EF without custom SQL code so it is not vulnerable to SQLi, should be enough. You can maybe show them parts of the source code if they insist, but that should not be necessary if you give the above in writing. OS command injection is probably more interesting, there may be subtle ways that's possible, but ZAP does indeed produce lots of false positives sometimes, so that too can very easily be one. – Gabor Lengyel Nov 20 '16 at 14:14
  • But what does that report look like? Is it just reporting vulnerabilities without any arguments/clarification? – Evk Nov 20 '16 at 15:18
  • 1
    @Evk: the report is listing several files and "targets" that are claimed to be vulnerable - things like the ASP.NET hidden fields `__SCROLLPOSITIONY` or `__VIEWSTATEGENERATOR` - but there's not much of an explanation as to **why** those are deemed vulnerable..... none of those serve to execute a remote OS command, for instance ...... – marc_s Nov 20 '16 at 15:30
  • And you did follow their guide (cheat sheet) for .NET framework and asp.net? – Evk Nov 20 '16 at 15:34
  • @Evk: yes, of course – marc_s Nov 20 '16 at 15:42
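The question states that Entity Framework "uses properly parameterized queries", and the first comment points out that EF can still run arbitrary SQL. The following is an added example, not code from the question or from anyone in the thread, showing both sides of that: with EF6, LINQ queries and raw SQL passed with explicit parameters are sent to the database as parameterized commands, while a raw SQL string assembled by concatenation is forwarded verbatim even though it goes through EF. The `Customer` entity, `ShopContext` and table name are placeholders.

```csharp
// Added example (not from the question or its comments). Assumes Entity Framework 6;
// the entity, context and table name below are placeholders.
using System.Data.Entity;
using System.Data.SqlClient;
using System.Linq;

public class Customer
{
    public int Id { get; set; }
    public string Name { get; set; }
}

public class ShopContext : DbContext
{
    public DbSet<Customer> Customers { get; set; }
}

public static class CustomerQueries
{
    // Safe: LINQ-to-Entities compiles 'name' into a SQL parameter.
    public static Customer[] ByNameLinq(ShopContext db, string name)
    {
        return db.Customers.Where(c => c.Name == name).ToArray();
    }

    // Safe: raw SQL, but the user value travels as an explicit SqlParameter.
    public static Customer[] ByNameRawParameterized(ShopContext db, string name)
    {
        return db.Database.SqlQuery<Customer>(
            "SELECT Id, Name FROM Customers WHERE Name = @name",
            new SqlParameter("@name", name)).ToArray();
    }

    // Injectable: EF does not inspect or escape this string, it just executes it.
    // A name of  x' OR 1=1 --  turns the WHERE clause into a tautology and
    // materializes every row; a name containing a quote and a second statement
    // does worse. "Uses EF" says nothing about this call.
    public static Customer[] ByNameRawConcatenated(ShopContext db, string name)
    {
        return db.Database.SqlQuery<Customer>(
            "SELECT Id, Name FROM Customers WHERE Name = '" + name + "'").ToArray();
    }
}
```

Before telling a customer that EF rules out SQL injection, it is worth grepping the code base for `SqlQuery(`, `ExecuteSqlCommand(` and any `SqlCommand` whose command text is built with `+` or string interpolation; if none exist, the claim in the question holds and the finding can be documented as a false positive.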

2 Answers


I'm not aware of any automated scanner that is false-positive free (despite some marketing claims ;) so I'd always recommend manually verifying any findings.

It would help if you could give us some more details - ZAP should give you a lot more information than just the vulnerability name. One possibility is that they are timing attacks and your server is running slowly due to the scan. I've definitely seen that many times. In the weekly versions of ZAP you can actually increase the timing values used (which defaults to 5 seconds) - that can help reduce or eliminate such false positives.

If you do find false positives in ZAP scans then please report them via issues or the Dev Group - if you don't tell us about them then we can't fix them :)

Simon (ZAP Project Lead)

Simon Bennetts
  • 1
    Sounds like Zap is full of false positives. I was just assigned to fixing anti-MIME-sniffing and XSS protection, and know for a fact that both issues have been addressed through introduction of appropriate headers, but Zap is still showing the same vulnerabilities. The response apparently contains `X-Content-Type-Options=nosniff` and `X-XSS-Protection=1; mode=block` but Zap is still looking for something different. Sounds like it needs some improvement before it can be considered reliable. – ajeh Jul 19 '17 at 17:53
  • So let us know what the problems are - we can't improve it without feedback. And it's quite possible that you are missing something, so it's well worth getting in touch with us (via issues or the Dev Group as above) and then we can look at them. – Simon Bennetts Jul 20 '17 at 08:08
  • No, it's not 'all there'. We would need an exact copy of the headers returned for the relevant URLs (with any sensitive info obfuscated) in order to tell what's going on. The info given in the alerts would also help - they typically explain why the vulnerabilities were flagged. – Simon Bennetts Jul 23 '17 at 08:25
  • 6
    So, you just dropped in to crap all over a free project? Way to keep things constructive. Moan about false positives, but refuse to contribute in any way, shape or form to reducing them. – Rogan Dawes Jul 25 '17 at 16:29
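The answer above explains the usual cause of a bogus "Remote OS command execution" alert: the check is time-based, it sends a payload that should make a vulnerable server stall for a few seconds and flags the parameter when the response is slow, so a server that is merely sluggish under scan load can trip it. The following is an added example, not code from the answer or from the ZAP project, of the manual verification the answer recommends. It replays the flagged request with a benign value and with a delay payload, interleaved so that changing server load affects both series equally, and only treats the alert as real if the payload requests are slower than the benign ones by roughly the injected delay. The target URL, parameter name and payload are placeholders; the payload shown is a generic Windows delay (six pings, about five seconds), not ZAP's own.

```csharp
// Added example (not from the answer or from ZAP). Placeholders: target URL,
// parameter name, payload and expected delay. Requires C# 7.1+ for async Main.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Net.Http;
using System.Threading.Tasks;

public static class TimingRecheck
{
    // One request; returns wall-clock seconds including reading the body.
    static async Task<double> TimeRequest(HttpClient client, string url)
    {
        var sw = Stopwatch.StartNew();
        using (var response = await client.GetAsync(url))
        {
            await response.Content.ReadAsByteArrayAsync();
        }
        return sw.Elapsed.TotalSeconds;
    }

    static double Median(IList<double> xs)
    {
        var s = xs.OrderBy(x => x).ToList();
        int n = s.Count;
        return n % 2 == 1 ? s[n / 2] : (s[n / 2 - 1] + s[n / 2]) / 2.0;
    }

    // True only if the payload series is slower than the baseline series by about
    // expectedDelay AND the two series do not overlap. A server that is slow for
    // every request shifts both medians together and fails the first test; a
    // single slow outlier fails the second.
    public static bool LooksInjected(IList<double> baseline, IList<double> payload,
                                     double expectedDelay, double tolerance = 0.5)
    {
        double delta = Median(payload) - Median(baseline);
        return delta >= expectedDelay - tolerance && payload.Min() > baseline.Max();
    }

    public static async Task Main()
    {
        const string target = "https://app.example.test/Page.aspx";      // placeholder
        const string param = "q";                                          // placeholder
        const string benign = "abc";
        const string payload = "abc & ping -n 6 127.0.0.1";                // ~5 s on Windows, placeholder
        const double expectedDelay = 5.0;
        const int samples = 5;

        var baseline = new List<double>();
        var withPayload = new List<double>();
        using (var client = new HttpClient { Timeout = TimeSpan.FromSeconds(60) })
        {
            // Interleave so load changes during the run hit both series alike.
            for (int i = 0; i < samples; i++)
            {
                baseline.Add(await TimeRequest(client,
                    $"{target}?{param}={Uri.EscapeDataString(benign)}"));
                withPayload.Add(await TimeRequest(client,
                    $"{target}?{param}={Uri.EscapeDataString(payload)}"));
            }
        }

        Console.WriteLine($"baseline median {Median(baseline):F2}s, payload median {Median(withPayload):F2}s");
        Console.WriteLine(LooksInjected(baseline, withPayload, expectedDelay)
            ? "Consistent delay: treat the alert as real and investigate the handler."
            : "No consistent delay: likely a timing false positive under scan load.");
    }
}
```

Run it against the exact URL and parameter named in the alert (the alert's "Attack" field shows what ZAP sent), on an otherwise idle server, and keep the output with the report as the evidence the customer asked for. If the server is slow across the board, the answer's suggestion of raising ZAP's timing threshold and re-scanning is the complementary fix.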

Yes, there is a false positive issue that has been reported for ZAP scans. This issue was fixed in version 2.4.0. This covers the Remote OS command execution vulnerability and not the SQL injection one.

CommandInjectionPlugin timing false positives #1592

https://github.com/zaproxy/zaproxy/issues/1592

jade290