Alexandru,

On Wed, Oct 10, 2012 at 9:24 AM, Alexandru Dima <[email protected]> wrote:
> Hi all,
>
> I don't have that much experience in using w3af, so I ask you if it's
> possible to get false positives in the results (blind SQL injection, for
> example).

All scanners can get false positives for any vuln, w3af included.

> More precisely, I found a blind SQLi vulnerability (please see the picture
> attached). When running the Exploit feature from w3af, it says
> "vulnerability exploited... Done." But nothing else.
>
> I also tried to test the vulnerability with sqlmap, however the parameter is
> reported not injectable (I've tried different approaches, levels, etc.).
> ..."POST parameter 'ss_username' is not injectable"...
>
> So is it expected to encounter false positives of this type while using w3af,
> or am I missing something?

Totally possible that this is a false positive; you should verify manually, not
with another tool (sqlmap) that can also have a false positive.

Regards,

> Thanks,
> Alex
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_nov
> _______________________________________________
> W3af-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-users
>

-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
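One way to do the manual verification Andrés recommends, as an added example that is not part of the thread and not w3af or sqlmap code. It checks a suspected boolean-based blind SQL injection in a single POST parameter by comparing responses for a benign value, an injected-but-true condition and an injected-but-false condition, repeated a few times so that a one-off difference is not mistaken for evidence. The target application is constructed in-process with SQLite so the script runs offline; `http_post_sender()` shows how the same checker would be pointed at a real form field such as `ss_username` (the URL and any extra form fields are assumptions). A safe, parameterized version of the same application and an application that merely echoes its input are included to show the checker rejecting them:

```python
"""Manual check for a boolean-based blind SQL injection in one POST parameter.

Added example (not w3af or sqlmap code). The target apps are constructed with
in-memory SQLite so the script runs offline; http_post_sender() is how the
checker would be attached to a real form (url and field names are assumptions).
"""
import sqlite3
from typing import Callable, Dict, List, Optional, Tuple

Sender = Callable[[str], str]  # sends one candidate value, returns the response body


def _fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice')")
    conn.commit()
    return conn


def make_vulnerable_app() -> Sender:
    """Constructed target: builds the query by string concatenation (injectable)."""
    conn = _fresh_db()

    def app(ss_username: str) -> str:
        sql = "SELECT username FROM users WHERE username = '" + ss_username + "'"
        try:
            row = conn.execute(sql).fetchone()
        except sqlite3.Error:
            return "Database error"
        return "Welcome back" if row else "Unknown user"

    return app


def make_safe_app() -> Sender:
    """Same behaviour, but the value is bound as a query parameter (not injectable)."""
    conn = _fresh_db()

    def app(ss_username: str) -> str:
        row = conn.execute("SELECT username FROM users WHERE username = ?",
                           (ss_username,)).fetchone()
        return "Welcome back" if row else "Unknown user"

    return app


def verify_boolean_blind(send: Sender, value: str = "alice", rounds: int = 3) -> bool:
    """Return True only when the evidence for injection is consistent.

    For each payload pair the injected-but-true condition must reproduce the
    benign baseline exactly, and the injected-but-false condition must change
    it. Apps that echo the input, reject any modified value, or answer
    nondeterministically fail the first check and are reported as unverified.
    """
    pairs: List[Tuple[str, str]] = [
        (f"{value}' AND '1'='1", f"{value}' AND '1'='2"),
        (f"{value}' AND 2>1 AND 'a'='a", f"{value}' AND 2<1 AND 'a'='a"),
    ]
    for _ in range(rounds):  # repeat so a single odd response cannot decide the verdict
        baseline = send(value)
        for true_payload, false_payload in pairs:
            if send(true_payload) != baseline:
                return False  # the injected text itself changed the page: no SQL evaluation shown
            if send(false_payload) == baseline:
                return False  # the truth value did not matter: no SQL evaluation shown
    return True


def http_post_sender(url: str, param: str = "ss_username",
                     other_fields: Optional[Dict[str, str]] = None) -> Sender:
    """Build a Sender that POSTs the candidate value as a form field to a real target.

    Not executed in this example; url, param and other_fields are assumptions.
    """
    import urllib.parse
    import urllib.request

    def send(value: str) -> str:
        form = dict(other_fields or {})
        form[param] = value
        body = urllib.parse.urlencode(form).encode()
        with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
            return resp.read().decode(errors="replace")

    return send


if __name__ == "__main__":
    print("vulnerable app verified:", verify_boolean_blind(make_vulnerable_app()))
    print("safe app verified:      ", verify_boolean_blind(make_safe_app()))
    print("echoing app verified:   ", verify_boolean_blind(lambda v: "Hello " + v))
```

Against a real target, strip content that changes on every request (timestamps, CSRF tokens, request IDs) from the response before comparing, otherwise the baseline never matches and the checker reports "unverified" for an injectable parameter too. A different true/false encoding (numeric context, comment terminators, a second quoting style) and, where the backend supports it, a time-delay payload give independent signals; a finding that survives none of them manually is the false positive Andrés is describing.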
