False Positive -- SQL Injection

[njmulsqb]

Here's the URL the ZAP is testing for SQLi

https://website.com/Search?serviceInstance=+AND+1%3D1+--+&ID=1&serviceInstanceParameter=&WorklistRequest=true

and the response contains 302 to login page because the session expired.

Tested this URL after authenticating as well, no chance of SQLi.

[thc202]

Please, include the version of the add-ons (at least scan rules), that's important.

[njmulsqb]

Please, include the version of the add-ons (at least scan rules), that's important.

Where can this be found?

[kingthorin]

If you use the issue templates that we setup it gathers the details the team wants and provides info on getting version details, etc

[njmulsqb]

If you use the issue templates that we setup it gathers the details the team wants and provides info on getting version details, etc

I am coming from https://www.zaproxy.org/faq/how-do-i-handle-a-false-positive/ which opens a blank issue, so I guess that needs to be updated.

As for add-on version so following might help:

ZAP
Version: 2.14.0

Installed Add-ons: [[id=accessControl, version=9.0.0],
[id=alertFilters, version=19.0.0], [id=ascanrules,
version=63.0.0], [id=authhelper, version=0.12.0],
[id=automation, version=0.35.0], [id=bruteforce,
version=15.0.0], [id=callhome, version=0.10.0],
[id=commonlib, version=1.22.0], [id=custompayloads,
version=0.13.0], [id=database, version=0.3.0], [id=diff,
version=14.0.0], [id=directorylistv1, version=7.0.0],
[id=domxss, version=18.0.0], [id=encoder, version=1.4.0],
[id=exim, version=0.8.0], [id=formhandler, version=6.5.0],
[id=fuzz, version=13.12.0], [id=gettingStarted,
version=16.0.0], [id=graaljs, version=0.5.0], [id=graphql,
version=0.23.0], [id=help, version=17.0.0], [id=hud,
version=0.18.0], [id=invoke, version=14.0.0], [id=network,
version=0.14.0], [id=oast, version=0.17.0], [id=onlineMenu,
version=12.0.0], [id=openapi, version=39.0.0], [id=postman,
version=0.2.0], [id=pscanrules, version=56.0.0],
[id=quickstart, version=43.0.0], [id=replacer,
version=16.0.0], [id=reports, version=0.29.0],
[id=requester, version=7.4.0], [id=retest, version=0.8.0],
[id=retire, version=0.31.0], [id=reveal, version=7.0.0],
[id=scripts, version=45.0.0], [id=selenium,
version=15.19.0], [id=soap, version=21.0.0], [id=spider,
version=0.10.0], [id=spiderAjax, version=23.18.0], [id=tips,
version=12.0.0], [id=webdrivermacos, version=73.0.0],
[id=websocket, version=30.0.0], [id=zest, version=43.0.0]]

Operating System: Mac OS X
Architecture: aarch64
Java Version: Eclipse Adoptium 11.0.20.1
System's Locale: en_PK
Display Locale: en_GB
Format Locale: en_PK
Default Charset: UTF-8
ZAP Home Directory: /Users/administrator/Library/Application Support/ZAP/
ZAP Installation Directory: /Applications/ZAP.app/Contents/Java/./
Look and Feel: Mac OS X (com.apple.laf.AquaLookAndFeel)

[kingthorin]

I am coming from https://www.zaproxy.org/faq/how-do-i-handle-a-false-positive/ which opens a blank issue, so I guess that needs to be updated.

Thanks! Yup it does. I'll tackle that.