lsampaioweb / TCM_Plugin

Early Vulnerability Detection for Supporting Secure Programming.

False negative of Misconfiguration #61

Open lsampaioweb opened 10 years ago

lsampaioweb commented 10 years ago

There is a false negative of Misconfiguration of project 03.

lsampaioweb commented 10 years ago

I also found a false negative on project 16.

When the static method getConnection is invoked by an instance object, the plug-in does not find the vulnerability. However, if the method is invoked using the static class name, then the plug-in finds the vulnerability.

lsampaioweb commented 10 years ago

On project 24.

There is a false negative of Misconfiguration because the object this.username is receiving its content from the constructor and not inside the invoked method. We should look into that.

lsampaioweb commented 10 years ago

On project 31.

The variables were declared inside a static { } block, but the plug-in did not understand it.

lsampaioweb commented 10 years ago

On project 31.

The participant created vulnerable code in the toString method and wrote: print(user); So, the toString method will be invoked, but the plug-in does not understand this.

lsampaioweb commented 10 years ago

On project 31.

On class SignInServlet.java, there is setAttribute(user.login) that should have displayed a warning. The login is coming from getString("login"). The problem is happening because there is a user = null in the path.
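To make the code shapes reported in this thread concrete as regression fixtures, the following Java file is an added example (not TCM_Plugin code and not written by the issue author). It assumes the Misconfiguration check targets a credential reaching getConnection, which the thread names but does not define, and it leaves out the SignInServlet null-path case because that needs the servlet API.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

// Constructed fixtures, not TCM_Plugin code: each method reproduces one code shape from
// the thread. The sink is assumed to be a credential reaching getConnection; every value
// below is a placeholder, not a real secret, and the URL will not actually connect.
public class MisconfigurationFixtures {
    static final String URL = "jdbc:placeholder://localhost/db";

    // Wrapper whose static getConnection stands in for the one named in the thread.
    static class Db {
        static Connection getConnection(String user, String pass) throws SQLException {
            return DriverManager.getConnection(URL, user, pass);
        }
    }

    private final String username;    // project 24: value arrives through the constructor
    private static String staticUser; // project 31: value assigned inside a static block
    static { staticUser = "admin"; }
    MisconfigurationFixtures() { this.username = "admin"; }

    // Baseline the plug-in does report: static call through the class name.
    Connection viaClassName() throws SQLException {
        return Db.getConnection("admin", "placeholder-secret");
    }

    // Project 16: the same static method reached through an instance reference.
    Connection viaInstance() throws SQLException {
        Db db = new Db();
        return db.getConnection("admin", "placeholder-secret");
    }

    // Project 24: no literal in this method; the constructor stored it in the field.
    Connection viaConstructorField() throws SQLException {
        return Db.getConnection(this.username, "placeholder-secret");
    }

    // Project 31: the literal was assigned inside the static { } block.
    Connection viaStaticBlock() throws SQLException {
        return Db.getConnection(staticUser, "placeholder-secret");
    }

    // Project 31: toString holds the sink and runs implicitly when the object is printed.
    @Override public String toString() {
        try { Db.getConnection("admin", "placeholder-secret").close(); } catch (SQLException ignored) { }
        return username;
    }
    void printsUser() { System.out.print(this); } // implicit toString() call, no explicit name
}
```

Only viaClassName is the shape the thread says the plug-in already reports; the other four methods are the false-negative shapes, so a fix is complete when all five produce a warning.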