Testing for false positives is not a trivial task. We decided to run this test by simulating an administrator who is updating the application's HTML. This action exists in any CMS, and it is especially prone to false positives in XSS filters that look for...
So_buy+and%28SELECT+1+from%28SELECT+count(*),concat((select+%28SELECT+concat%280X7E%2C0X27%2CUNHEX%28HEX%28CAST
SQL Injection - full url encoded##123' LIMIT 1,1 UNION ALL SELECT CONCAT(0x3a7372773a,IFNULL(CAST(database() AS CHAR),0x20),0x3a6d79643a)###1. SQL Injection - hash instead of space##123'#DDvIMgC%0ALIMIT%23wyQDiZxbEfWH%0A1%2C1...
union+select+password+from+users+where+1.
This service will currently be available in Ghana, Nigeria and Kenya only but is likely to be launched in other regions later.