False Positive: SQL Injection (40018) on Kubernetes API namespace path parameters #417

@judyobrienie

Summary

When scanning Kubernetes/OpenShift APIs, ZAP Rule 40018 (SQL Injection) triggers false positives on namespace path parameters. This affects any team scanning Kubernetes-native APIs (Istio, OpenShift, custom CRDs).

Environment

  • RapiDAST version: Latest (config version 6)
  • ZAP version: 2.17.0
  • Scan policy: API-scan-minimal
  • Target: OpenShift Service Mesh 3.2 (Kubernetes APIs)

Affected Endpoint Patterns

/apis/{group}/{version}/namespaces/{namespace}/{resource}

Examples:

  • /apis/networking.istio.io/v1/namespaces/{ns}/serviceentries
  • /apis/security.istio.io/v1/namespaces/{ns}/requestauthentications
  • /api/v1/namespaces/{ns}/pods

Evidence: 3 False Positives from OSSM 3.2 Scan

Finding 1: Kiali API (Dec 18, 2025)

| Field | Value |
|---|---|
| URL | /api/clusters/workloads?namespace=... |
| Parameter | namespace (query param) |
| Attack | namespace' AND '1'='1' -- |

Finding 2: OSSM Networking API (Dec 19, 2025)

| Field | Value |
|---|---|
| URL | /apis/networking.istio.io/v1/namespaces/istio-system+AND+1%3D1+--+/serviceentries |
| Parameter | namespace (path param) |
| Attack | istio-system AND 1=1 -- / istio-system OR 1=1 -- |
| Response | HTTP 200, empty ServiceEntryList |

SARIF snippet:

```json
{
  "level": "error",
  "ruleId": "40018",
  "message": {
    "text": "The page results were successfully manipulated using the boolean conditions [istio-system AND 1=1 -- ] and [istio-system OR 1=1 -- ]. Data was NOT returned for the original parameter. The vulnerability was detected by successfully retrieving more data than originally returned."
  },
  "locations": [{
    "physicalLocation": {
      "artifactLocation": {
        "uri": "https://api.user-rhos-01-04.servicemesh.rhqeaws.com:6443/apis/networking.istio.io/v1/namespaces/istio-system+AND+1%3D1+--+/serviceentries"
      }
    },
    "properties": {
      "attack": "istio-system OR 1=1 -- "
    }
  }]
}
```

Finding 3: OSSM Security API (Dec 19, 2025)

| Field | Value |
|---|---|
| URL | /apis/security.istio.io/v1/namespaces/istio-system+AND+1%3D1+--+/requestauthentications |
| Parameter | namespace (path param) |
| Attack | istio-system AND 1=1 -- / istio-system AND 1=2 -- |
| Response | HTTP 200, empty RequestAuthenticationList |

SARIF snippet:

```json
{
  "level": "error",
  "ruleId": "40018",
  "message": {
    "text": "The page results were successfully manipulated using the boolean conditions [istio-system AND 1=1 -- ] and [istio-system AND 1=2 -- ]. Data was returned for the original parameter. The vulnerability was detected by successfully restricting the data originally returned."
  }
}
```

Root Cause Analysis

Why ZAP flags this as SQL Injection:

  1. Boolean-based detection sends payloads: AND 1=1 vs AND 1=2
  2. Kubernetes API treats istio-system AND 1=1 -- as a literal namespace name
  3. Returns empty list (no namespace with that name exists)
  4. Different resourceVersion values in responses trigger "manipulation detected"
  5. ZAP interprets response variation as successful SQL injection

Why this is a false positive:

  • Kubernetes APIs are not SQL-backed
  • The namespace parameter is a Kubernetes object name lookup
  • Empty list responses are expected behavior for non-existent namespaces
  • No actual data manipulation or injection occurs
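To make the mechanism in the two lists above concrete, here is an added Python example (written for this page, not code from RapiDAST or ZAP). It mocks a namespace-scoped Kubernetes list endpoint whose `resourceVersion` advances between calls, as a real API server's does, and runs a deliberately simplified boolean-condition probe over it using the payload strings quoted in the findings. The probe, the in-memory cluster and the counter-based `resourceVersion` are all constructed assumptions; the point is that a raw response comparison reports a difference that comes only from `resourceVersion`, while a comparison that ignores that field sees two identical empty lists.

```python
import copy
import json
from itertools import count

# Constructed stand-in for a cluster: namespace name -> ServiceEntry names. No SQL anywhere.
CLUSTER = {
    "istio-system": [],           # namespace exists but holds no ServiceEntries, as in Finding 2
    "default": ["external-svc"],
}

# A real API server's resourceVersion advances with every write to the cluster store; a
# counter that ticks on every request is enough to reproduce the effect for this demo.
_resource_version = count(1000)


def list_serviceentries(namespace: str) -> dict:
    """Mimic GET /apis/networking.istio.io/v1/namespaces/{namespace}/serviceentries.

    The namespace segment is an opaque object name, so "istio-system AND 1=1 -- " is
    just a name that no namespace has: HTTP 200 with an empty ServiceEntryList.
    """
    names = CLUSTER.get(namespace, [])
    return {
        "apiVersion": "networking.istio.io/v1",
        "kind": "ServiceEntryList",
        "metadata": {"resourceVersion": str(next(_resource_version))},
        "items": [{"metadata": {"name": n, "namespace": namespace}} for n in names],
    }


def raw_body(resp: dict) -> str:
    """Compare responses byte-for-byte, resourceVersion included."""
    return json.dumps(resp, sort_keys=True)


def normalized_body(resp: dict) -> str:
    """Compare responses after dropping a field that legitimately varies between calls."""
    clean = copy.deepcopy(resp)
    clean.get("metadata", {}).pop("resourceVersion", None)
    return json.dumps(clean, sort_keys=True)


def boolean_condition_check(original: str, fetch, render) -> bool:
    """Simplified boolean-based probe in the spirit of rule 40018 (not ZAP's code): the
    parameter is reported when the TRUE and FALSE conditions yield different pages.
    """
    true_page = render(fetch(f"{original} AND 1=1 -- "))
    false_page = render(fetch(f"{original} AND 1=2 -- "))
    return true_page != false_page


def demo() -> dict:
    """Run the probe against the mock API both ways and report what each would conclude."""
    return {
        "flagged_raw": boolean_condition_check("istio-system", list_serviceentries, raw_body),
        "flagged_normalized": boolean_condition_check("istio-system", list_serviceentries, normalized_body),
        "items_for_injected_name": list_serviceentries("istio-system AND 1=1 -- ")["items"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it prints `flagged_raw: true` and `flagged_normalized: false`, which is the whole false positive in miniature: the two "boolean conditions" return the same empty list, and the only thing that differs is a field the API server changes on every request.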

Suggested Solutions

Option 1: Exclusion Rule Configuration

Add documentation/config option to exclude K8s API patterns:

```yaml
scanners:
  zap:
    activeScan:
      excludeFromScan:
        - urlPattern: ".*/apis/.*/namespaces/.*/.*"
          rules: [40018]
          reason: "Kubernetes API - not SQL injectable"
```

Option 2: Post-Processing Filter

Add a post-scan filter to suppress SQL injection findings on K8s-style responses:

  • Detect response patterns: apiVersion, kind, items[], metadata.resourceVersion
  • Downgrade or suppress 40018 findings for K8s API responses
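As an added sketch of what such a post-scan filter could look like (example code written for this page, not part of RapiDAST), the Python below walks a SARIF 2.1.0 log, and for each rule 40018 result whose URI is a namespace-scoped Kubernetes path and whose captured response body has the shape listed above, downgrades the level to `note` and attaches a standard SARIF `suppressions` entry. The path regex, the `responses` map (URI to body, which the scanner would have to capture since SARIF carries no response bodies) and the sample log are assumptions; the first sample result reuses the URI from Finding 2, the second is a constructed non-Kubernetes finding that must survive untouched.

```python
import json
import re
from copy import deepcopy
from typing import Dict, Optional
from urllib.parse import urlsplit

# Assumed shape of namespace-scoped Kubernetes API paths; the core group lives under /api/v1.
K8S_NAMESPACED_PATH = re.compile(r"^/api(?:s/[^/]+/[^/]+|/v1)/namespaces/[^/]+/[^/]+")

JUSTIFICATION = "Kubernetes API: namespace is an object-name lookup, not a SQL-backed query"


def looks_like_k8s_list(body: str) -> bool:
    """Response-shape test from Option 2: apiVersion, kind, items[] and metadata.resourceVersion."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    return (
        isinstance(doc, dict)
        and {"apiVersion", "kind", "items"}.issubset(doc)
        and isinstance(doc["items"], list)
        and isinstance(doc.get("metadata"), dict)
        and "resourceVersion" in doc["metadata"]
    )


def result_uri(result: dict) -> Optional[str]:
    """URI of the first physical location of a SARIF result, or None if absent."""
    try:
        return result["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]
    except (KeyError, IndexError, TypeError):
        return None


def suppress_k8s_sqli(sarif: dict, responses: Dict[str, str], rule_id: str = "40018") -> dict:
    """Return a copy of the SARIF log with matching findings downgraded and marked suppressed.

    A finding is touched only when its URI matches the Kubernetes path pattern AND a
    captured response body for that URI has the list shape. Path alone is never enough,
    so a real finding on a lookalike path is not hidden by mistake.
    """
    out = deepcopy(sarif)
    for run in out.get("runs", []):
        for result in run.get("results", []):
            if result.get("ruleId") != rule_id:
                continue
            uri = result_uri(result)
            if uri is None or not K8S_NAMESPACED_PATH.match(urlsplit(uri).path):
                continue
            body = responses.get(uri)
            if body is None or not looks_like_k8s_list(body):
                continue
            result["level"] = "note"
            result.setdefault("suppressions", []).append(
                {"kind": "external", "status": "accepted", "justification": JUSTIFICATION}
            )
    return out


# Constructed sample: the Finding 2 URI plus one unrelated finding on a non-Kubernetes path.
K8S_URI = ("https://api.user-rhos-01-04.servicemesh.rhqeaws.com:6443"
           "/apis/networking.istio.io/v1/namespaces/istio-system+AND+1%3D1+--+/serviceentries")
OTHER_URI = "https://shop.example.test/search?q=1"  # constructed, not from the scan

SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{"results": [
        {"level": "error", "ruleId": "40018",
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": K8S_URI}}}]},
        {"level": "error", "ruleId": "40018",
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": OTHER_URI}}}]},
    ]}],
}

# Constructed response bodies as a scanner could have captured them alongside the alerts.
SAMPLE_RESPONSES = {
    K8S_URI: '{"apiVersion":"networking.istio.io/v1","kind":"ServiceEntryList",'
             '"metadata":{"resourceVersion":"123456"},"items":[]}',
    OTHER_URI: "<html><body>1 result</body></html>",
}


if __name__ == "__main__":
    print(json.dumps(suppress_k8s_sqli(SAMPLE_SARIF, SAMPLE_RESPONSES), indent=2))
```

Keeping the original `level` and the `suppressions` object side by side, rather than deleting the result, preserves an audit trail: a reviewer can still see that the scanner raised 40018 on that path and why it was dismissed.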

Option 3: Kubernetes Scanning Profile

Create a dedicated profile for K8s/OpenShift API scanning with appropriate exclusions pre-configured.

Configuration Used

```yaml
application:
  shortName: ossm-networking
  url: https://api.user-rhos-01-04.servicemesh.rhqeaws.com:6443
scanners:
  zap:
    activeScan:
      policy: API-scan-minimal
    apiScan:
      apis:
        apiUrl: https://api.user-rhos-01-04.servicemesh.rhqeaws.com:6443/openapi/v3/apis/networking.istio.io/v1
    miscOptions:
      overrideConfigs:
      - formhandler.fields.field(0).fieldId=namespace
      - formhandler.fields.field(0).value=istio-system
    passiveScan:
      disabledRules: 2,10015,10024,10027,10054,10096,10109,10112,90022
```

Impact

This false positive pattern likely affects any team scanning:

  • OpenShift/Kubernetes APIs
  • Istio Service Mesh APIs
  • Custom CRD APIs
  • Any API with namespace path parameters

Additional Information

  • Full SARIF files available on request
  • Scans performed as part of OSSM 3.2 RH-SDLC DAST requirement
