The thing is... Every single one contained a 500 http error code.
I know the 500 error is the "catch all" error... Basically the server doesn't know what to do with these.
I'd like to go ahead and just try exploiting one of these vulnerabilities to see if it is just a false positive but since I've been assigned to just do vulnerability assessments, it would be wrong and illegal.
So are these false positives? Whats a good way to futher test? Does Wapiti generally return any error as a vulnerability? I know sql injection can return 500 errors but I have a hunch many of these aren't actually vuln.