The way these scans work is this: You see 3 URLs in their alleged "proof of concept". Two are the same, and the third has a SQL Injection inserted into it. They have their scanner submit the first URL and get a copy of whatever the server responds with. Then they submit the second URL. Then they compare the results. They are looking for at least three cases: a) identical response (pass), b) different responses (fail), c) echoed output of the added injected text (fail)
Since your mod_sec is blocking the injection attempt, a blank page is being rendered, and since the blank page is different from the "okay" page, their unintelligent robot blindly marks it as a fail.
A human needs to get involved and see that the 406 response to the SQL Injection attempt (hack attempt) is an acceptable (safe) response.
If the human is too lazy to do that, or too incompetent to even realize what's going on, then you'll have no success convincing them.
If they are unwilling to investigate the real situation or are scared of the potential liability of believing your assertion of the false-positive, then you I suspect you ought to be able to demand a free release from your contract due to their unwillingness or incompetence to perform the required service at an acceptable level.
.
Zen Cart - putting the dream of business ownership within reach of anyone!
Donate to: DrByte directly or to the Zen Cart team as a whole
Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
In my ongoing battle with Security Metrics I can't get the "possible SQL injection" error to a passing grade.
This is what they are telling me. Yet, I can't figure out how to resolve it.
"The problem is that the true or false statement they add to the end of the home page /index.php gives two different results. The first one (+1=1) gives a 403 forbidden error, and the second one (+1=0) brings you to a search page that says “no results found.” They both have to redirect to the same place, the difference is causing the scan to flag.
He says if you can provide a valid reason why they redirect to different places, they can mark it as a false positive. Otherwise the +1 +0 has to be redirected to the 403 forbidden page."
Tell them that when they're doing SQL injection attempts like that, the "403 Forbidden" comes from Server Security Rules (mod_sec) that are trapping their SQL Injection hack BEFORE the software has any chance to do anything.
And the "no results found" is the natural result of the software properly detecting that invalid data was submitted, and taking corresponding action.
Ask SM whether they are professionally advising you to tell your hosting company to RELAX the security which PROTECTS the server from hacking. If so, then get them to put it in writing, with their president signing it.
.
Zen Cart - putting the dream of business ownership within reach of anyone!
Donate to: DrByte directly or to the Zen Cart team as a whole
Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
I ran in to the same issue with my first couple Security Metrics scans. It took a few phone calls before I got ahold of a tech with a clue, but when I did he entered it as a false positive. All has been well since.