During a penetration test, a vulnerability scanner reports a critical SQL injection vulnerability in a web application. However, manual testing shows that the parameter is not injectable due to proper parameterized queries. Which of the following is the MOST likely cause of this false positive?
Scanners often use keyword matching and will flag any page that returns a database error string, even if the vulnerability does not exist.
Why this answer
A vulnerability scanner often relies on pattern matching in HTTP responses to flag SQL injection. If the application returns a generic error message (e.g., 'An error occurred') after a malicious payload is sent, the scanner may incorrectly classify that response as evidence of SQL injection. Because the application uses parameterized queries, the payload is handled safely and the error is unrelated to SQL syntax, making this a classic false positive caused by generic error message matching.
Exam trap
The trap here is that candidates assume a scanner's SQL injection flag must be caused by an actual SQL error, when in fact scanners often rely on generic error message patterns that can be triggered by any application exception.
How to eliminate wrong answers
Option A is wrong because a payload causing a different, non-SQL error would still require the scanner to misinterpret that error as SQL injection, which is essentially the same mechanism as matching a generic error message. The core issue is the scanner's inability to distinguish error types, not the error's origin. Option B is wrong because stored XSS would manifest as injected script executing from stored content, not as an SQL injection flag from a vulnerability scanner; the scanner would need to detect script reflection or execution, not an SQL error pattern.