What RadTabStrip is posting back is its client-state, which is stored inside a hidden field. I guess that OWASP treats that as an SQL injection; however, of course, it is not, because the client-state is only used by the RadTabStrip internals and there is absolutely no way that it can get to the database or cause any harm at all. The reason is that if the client-state is not in the expected format, RadTabStrip won't use it at all. Unfortunately, there is no way to change the way RadTabStrip works.
As far as I know, in security systems there is usually a way to justify a security error and mark it as a false positive so that it is not taken into consideration. If this is possible using OWASP, you can use the explanation above.
All the best,
the Telerik team