Burp Suite User Forum


Burp Infiltrator JCR injection

floyd | Last updated: May 18, 2017 09:37AM UTC

Hi Burp team,

I tried Burp Infiltrator for the first time, nice tool! I noticed that it is missing out on Java JCR injections, which often have much lower impact than SQL injection but not always (and probably a lot of pentesters think it is a SQLi). Nevertheless it should be flagged. The APIs of the implementation I looked at:

javax.jcr.query.InvalidQueryException: Query: select * from [test:user] where name() = 'test'test' and isdescendantnode(['/arc(*)'])
    at org.apache.jackrabbit.commons.query.sql2.Parser.getSyntaxError(Parser.java:978)
    at org.apache.jackrabbit.commons.query.sql2.Parser.getSyntaxError(Parser.java:959)
    at org.apache.jackrabbit.commons.query.sql2.Parser.checkRunOver(Parser.java:773)
    at org.apache.jackrabbit.commons.query.sql2.Parser.initialize(Parser.java:735)
    at org.apache.jackrabbit.commons.query.sql2.Parser.createQueryObjectModel(Parser.java:104)
    at org.apache.jackrabbit.commons.query.sql2.SQL2QOMBuilder.createQueryObjectModel(SQL2QOMBuilder.java:55)
    at org.apache.jackrabbit.core.query.QOMQueryFactory.createQuery(QOMQueryFactory.java:69)
    at org.apache.jackrabbit.core.query.CompoundQueryFactory.createQuery(CompoundQueryFactory.java:67)
    at org.apache.jackrabbit.core.query.QueryManagerImpl$2.perform(QueryManagerImpl.java:95)
    at org.apache.jackrabbit.core.query.QueryManagerImpl$2.perform(QueryManagerImpl.java:91)
    at org.apache.jackrabbit.core.session.SessionState.perform(SessionState.java:216)
    at org.apache.jackrabbit.core.query.QueryManagerImpl.perform(QueryManagerImpl.java:197)
    at org.apache.jackrabbit.core.query.QueryManagerImpl.createQuery(QueryManagerImpl.java:91)

As I'm not familiar with the internals of Burp Infiltrator, let me know if you need any more details.

cheers, floyd
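The sink behind the stack trace above is a JCR-SQL2 statement built by string concatenation and handed to javax.jcr.query.QueryManager.createQuery, which is what Jackrabbit's Parser then chokes on when the input contains a quote. The following is an added example, not code from the post, from Burp Infiltrator or from Jackrabbit: it reconstructs that pattern next to the hardened form using JCR 2.0 bind variables. The query text (node type test:user, the name() comparison and the isdescendantnode path) is taken from the query in the post; the javax.jcr Session, the method names and the bypass input in the comments are assumptions made for the example.

```java
import javax.jcr.NodeIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.query.Query;
import javax.jcr.query.QueryManager;

public class JcrQueryExample {

    // Vulnerable: untrusted input is pasted into the JCR-SQL2 statement.
    // The input  test'test  produces the InvalidQueryException seen in the
    // post; a constructed input such as  test' or name() <> '  (hypothetical,
    // for illustration) is syntactically valid and instead widens the match
    // to every test:user node, i.e. the classic injection outcome without
    // any error to alert the developer.
    static NodeIterator findUserVulnerable(Session session, String name)
            throws RepositoryException {
        String stmt = "select * from [test:user] where name() = '" + name
                + "' and isdescendantnode(['/arc(*)'])";
        QueryManager qm = session.getWorkspace().getQueryManager();
        Query q = qm.createQuery(stmt, Query.JCR_SQL2);
        return q.execute().getNodes();
    }

    // Hardened: the statement is a constant and the user value is supplied
    // through a JCR 2.0 bind variable ($name). The value is never parsed as
    // query text, so quotes in it cannot change the statement's structure.
    static NodeIterator findUserSafe(Session session, String name)
            throws RepositoryException {
        String stmt = "select * from [test:user] where name() = $name"
                + " and isdescendantnode(['/arc(*)'])";
        QueryManager qm = session.getWorkspace().getQueryManager();
        Query q = qm.createQuery(stmt, Query.JCR_SQL2);
        q.bindValue("name", session.getValueFactory().createValue(name));
        return q.execute().getNodes();
    }

    // Fallback only for repositories or query languages without bind
    // variables: a JCR-SQL2 string literal escapes an embedded single quote
    // by doubling it. Escaping protects the literal context only; it does
    // nothing for input that lands outside quotes (e.g. in a path or
    // identifier), so prefer bindValue wherever it is available.
    static String escapeSql2StringLiteral(String s) {
        return s.replace("'", "''");
    }
}
```

For detection, the distinguishing signal is an untrusted value flowing into the first argument of QueryManager.createQuery (or the older Query/XPath variants) without passing through bindValue; the exception in the post is simply the error-based symptom of that sink.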

PortSwigger Agent | Last updated: May 18, 2017 02:33PM UTC

Hi Floyd, Thanks for the feedback! The stacktrace and parameter value you sent are enough for us to take it from here. We'll look into this and see if it's viable to add it to the Infiltrator rules. Cheers.
