Burp Suite User Forum


Add tests for SQL injection with Tabs rather than Spaces?

Adrian | Last updated: Mar 06, 2015 04:50AM UTC

I was working through the Pentester Lab: Web For Pentester (https://www.vulnhub.com/entry/pentester-lab-web-for-pentester,71/) SQL injections, and the Example 2 injection rejects all inputs with spaces in them. Using TAB characters (%09) instead of spaces works, but running the page through Burp Suite Pro's Active Scanner doesn't pick up on the vulnerability. Are there any plans to implement tests for this type of injection, or is there a way to configure Burp so it will detect it?

PortSwigger Agent | Last updated: Mar 09, 2015 04:15PM UTC

Thanks for this request. We'll look into adding this capability, probably when the Scanner is set to use the "Thorough" scan speed. This would need to augment, not replace, the existing payloads that use spaces, because otherwise we would lose bugs where the application allows spaces but rejects characters < 0x20. Part of designing a Scanner is making a judgement as to which payloads are worth using. It is possible to find many more bugs by using many more payloads, but this means that all scans run much more slowly.
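To make the trade-off in this exchange concrete, here is an added Python example (not code from the thread, the lab, or PortSwigger). It models the two filter styles the reply contrasts as hypothetical functions, since the lab's actual Example 2 code is not shown here: one blacklists the space character, the other blacklists everything below 0x20. An in-memory SQLite table stands in for the lab's endpoint, a parameterized lookup shows the fix that makes the whitespace encoding irrelevant, and a small detection check folds all SQL whitespace before matching so the space and tab (%09) forms of the same payload are flagged by one rule.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed in-memory table standing in for the lab's Example 2 endpoint.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
_conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])


def _run(sql: str) -> list:
    return [row[0] for row in _conn.execute(sql)]


def lookup_space_blacklist(user_id: str) -> list:
    """Hypothetical filter of the kind the question describes: rejects a
    literal space, then concatenates the value into the query."""
    if " " in user_id:
        raise ValueError("space not allowed")
    return _run(f"SELECT name FROM users WHERE id = {user_id}")


def lookup_control_blacklist(user_id: str) -> list:
    """Hypothetical filter of the second kind the reply mentions: allows spaces
    but rejects any character below 0x20, still concatenating the value."""
    if any(ord(c) < 0x20 for c in user_id):
        raise ValueError("control character not allowed")
    return _run(f"SELECT name FROM users WHERE id = {user_id}")


def lookup_parameterized(user_id: str) -> list:
    """The fix: validate the type and bind the value, so how whitespace is
    encoded in the input no longer matters to the query."""
    if not user_id.isdigit():
        raise ValueError("id must be an integer")
    return [row[0] for row in _conn.execute(
        "SELECT name FROM users WHERE id = ?", (int(user_id),))]


# Characters SQL parsers accept as token separators; the detector folds them
# to a single space so the tab and space variants hit the same rule.
_WS = re.compile(r"[\t\n\x0b\x0c\r ]+")
_TAUTOLOGY = re.compile(r"\b(?:OR|AND)\s+\S+\s*=\s*\S+", re.IGNORECASE)


def is_suspicious(raw_param: str) -> bool:
    """Flag a URL-encoded query-string value that, after decoding and
    whitespace folding, contains an OR/AND comparison pattern."""
    folded = _WS.sub(" ", unquote(raw_param))
    return bool(_TAUTOLOGY.search(folded))


def outcome(lookup, user_id: str) -> str:
    """'blocked' if the filter rejected the value, 'injected' if the query
    returned more rows than a single id should, otherwise 'ok'."""
    try:
        rows = lookup(user_id)
    except ValueError:
        return "blocked"
    return "injected" if len(rows) > 1 else "ok"


def demo() -> dict:
    """Run both constructed payload variants through each lookup style."""
    space_payload = "1 OR 1=1"      # constructed sample value
    tab_payload = "1\tOR\t1=1"      # same value with %09 in place of %20
    return {
        "space_blacklist": (outcome(lookup_space_blacklist, space_payload),
                            outcome(lookup_space_blacklist, tab_payload)),
        "control_blacklist": (outcome(lookup_control_blacklist, space_payload),
                              outcome(lookup_control_blacklist, tab_payload)),
        "parameterized": (outcome(lookup_parameterized, space_payload),
                          outcome(lookup_parameterized, tab_payload)),
        "detected": (is_suspicious("1%20OR%201%3D1"),
                     is_suspicious("1%09OR%091%3D1")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} space -> {result[0]!s:9} tab -> {result[1]!s}")
```

Each blacklist stops exactly one of the two variants, which is the reply's point about why a tab-based payload set has to be added alongside the space-based one rather than replace it. The parameterized lookup rejects both forms before any SQL is built, and the detection rule sees the same folded string either way.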
