500 HTTP Error... False Positive?




Posts: 5

Joined: Thu Jun 16, 2011 10:21 am

Post Mon Nov 14, 2011 3:48 pm

500 HTTP Error... False Positive?

I'm using Wapiti to audit one of my web applications and I was returned with 3 sql injection, 39 blind sql, 27 file handling vulnerabilities, and 9 command execution vulnerabilities.

The thing is... Every single one contained a 500 http error code.

I know the 500 error is the "catch all" error... Basically the server doesn't know what to do with these.

I'd like to go ahead and just try exploiting one of these vulnerabilities to see if it is just a false positive but since I've been assigned to just do vulnerability assessments, it would be wrong and illegal.

So are these false positives? What's a good way to further test? Does Wapiti generally return any error as a vulnerability? I know sql injection can return 500 errors but I have a hunch many of these aren't actually vuln.




Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Mon Nov 14, 2011 8:32 pm

Re: 500 HTTP Error... False Positive?

Can you try another tool like sqlmap just to see if you get the same results?
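
One way to triage 500-based findings like those described in this thread without exploiting anything, given as an added example that is not part of either post and is not Wapiti's own logic. It compares each flagged response with the response to the parameter's normal value and to a harmless unexpected value; the record layout, field names, verdict labels and sample responses are all constructed assumptions.

```python
import difflib
from collections import Counter

def resp(status, body):
    return {"status": status, "body": body}

GENERIC = "<h1>500 Internal Server Error</h1>"

# Constructed sample records (not real Wapiti output). For each flagged parameter:
#   baseline - response to the parameter's normal value
#   control  - response to a harmless unexpected value (e.g. an overlong random string)
#   payload  - response to the string the scanner sent
FINDINGS = [
    {"category": "Blind SQL Injection", "param": "id",
     "baseline": resp(200, "<p>Item 7</p>"),
     "control": resp(500, GENERIC), "payload": resp(500, GENERIC)},
    {"category": "SQL Injection", "param": "q",
     "baseline": resp(200, "<p>3 results</p>"),
     "control": resp(200, "<p>0 results</p>"),
     "payload": resp(500, "<h1>500</h1><pre>database error near line 1</pre>")},
    {"category": "File Handling", "param": "page",
     "baseline": resp(500, GENERIC),
     "control": resp(500, GENERIC), "payload": resp(500, GENERIC)},
    {"category": "Command Execution", "param": "host",
     "baseline": resp(200, "<p>ok</p>"),
     "control": resp(500, GENERIC), "payload": resp(500, GENERIC)},
]

def similar(a, b, threshold=0.9):
    """True when two response bodies are near-identical."""
    return difflib.SequenceMatcher(None, a, b).ratio() >= threshold

def triage(finding):
    base, ctrl, pay = finding["baseline"], finding["control"], finding["payload"]
    if pay["status"] != 500:
        return "not-500-based"           # evidence is something other than a 500
    if base["status"] == 500:
        return "endpoint-always-errors"  # fails on normal input too
    if ctrl["status"] == 500 and similar(ctrl["body"], pay["body"]):
        return "generic-error"           # any odd input yields the same 500 page
    return "payload-specific"            # only the scanner string errors: review first

def summarize(findings):
    return Counter(triage(f) for f in findings)

if __name__ == "__main__":
    for f in FINDINGS:
        print(f["category"], f["param"], "->", triage(f))
```

A "generic-error" verdict means the 500 by itself is not evidence for that finding, not that the parameter is safe; "payload-specific" findings are the ones to take to code review or a second tool first.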
