False Positive - Path Traversal #8379
Assignees
Labels
Comments
|
Ow. Yeah, we should try to avoid matching that sort of response... |
|
To be clear the rule actually requires that five different strings (pattens) are matched: Although etc is the only evidence that can be matched due to the way ZAP handles evidence. It seems quite unlikely that responses are going to cover all five checks and not be valid traversals. While obviously not impossible as seen here. We could definitely include further details in the Other Info field and should probably exclude js/css responses. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Reporting the FP as per https://www.zaproxy.org/faq/how-do-i-handle-a-false-positive/
ZAP is triggering the path traversal alert which is a false-positive.
The request is to the login form and the response contains highlighted content from JS script. The JS script is huge and it is completely highlighted. The evidence is
etcand it is in a string like thisI have saved the session file with me, if you need more information to diagnose the problem let me know.
The text was updated successfully, but these errors were encountered: