Burp Suite User Forum


Extend SQL recognition to responses

Veres-Szentkirályi | Last updated: Oct 19, 2018 09:16AM UTC

The Active scanner in Burp already identifies SQL statements within queries as potential SQL injection vulnerabilities. However, some applications log the executed SQL statements in the HTML output as comments or in an HTML element hidden with CSS. So just by enabling the already existing algorithm to detect SQL statements within responses as well (not just requests), Burp could detect such information leaks about the database backend.

PortSwigger Agent | Last updated: Oct 19, 2018 02:53PM UTC

Thanks for the suggestion. We agree this could be useful, although we're quite concerned that checking responses would be prone to false positives. The current logic for detecting SQL statements is quite forgiving, which doesn't cause problems when just checking requests, but could cause many false positives with responses. If we develop stricter logic in future we may look at implementing your suggestion. In the meantime, you can use the Error Message Checks extension to do this. You can define a regular expression that catches SQL statements, and the extension will check HTTP responses for this.
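An added example, not part of the thread and not Burp or extension code: a standalone Python sketch of stricter matching for SQL statements leaked in responses. It only inspects HTML comments and inline-hidden elements and requires a full statement shape rather than a bare keyword. The patterns, function names and sample response are constructed assumptions, and the regex-based HTML handling is an approximation (no nested same-tag elements, no stylesheet-based hiding).

```python
import re

IDENT = r"[\w.*`\[\]]+"  # table/column token (assumed identifier syntax)
# Strict shapes: a keyword counts only with the clause SQL requires after it.
STRICT_SQL = re.compile(
    rf"\b(?:SELECT\s+(?:DISTINCT\s+)?{IDENT}(?:\s*,\s*{IDENT})*\s+FROM\s+{IDENT}"
    rf"|INSERT\s+INTO\s+{IDENT}\s*(?:\([^)]*\)\s*)?VALUES\s*\("
    rf"|UPDATE\s+{IDENT}\s+SET\s+{IDENT}\s*="
    rf"|DELETE\s+FROM\s+{IDENT}(?=\s+WHERE\b|\s*;|\s*$))",
    re.IGNORECASE,
)
# Forgiving keyword match, shown only to contrast false-positive volume.
LOOSE = re.compile(r"\b(?:select|insert|update|delete)\b", re.IGNORECASE)

COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)
HIDDEN = re.compile(  # elements hidden through an inline style attribute
    r"<(\w+)\b[^>]*\bstyle\s*=\s*([\"'])[^\"']*"
    r"(?:display\s*:\s*none|visibility\s*:\s*hidden)[^\"']*\2[^>]*>(.*?)</\1\s*>",
    re.IGNORECASE | re.DOTALL,
)

def find_sql_leaks(body):
    """Return (context, statement) pairs for SQL found in non-rendered parts."""
    fragments = [("comment", m.group(1)) for m in COMMENT.finditer(body)]
    fragments += [("hidden", m.group(3)) for m in HIDDEN.finditer(body)]
    return [(where, m.group(0))
            for where, text in fragments
            for m in STRICT_SQL.finditer(text)]

def loose_hits(body):
    """Count bare SQL keywords anywhere in the response body."""
    return len(LOOSE.findall(body))

# Constructed sample response: two real leaks, three harmless keyword uses.
SAMPLE = """<html><body>
<p>Select a colour from the list, then update your profile.</p>
<!-- query: SELECT id, name FROM users WHERE id = 7 (0.3 ms) -->
<div style="display: none">UPDATE sessions SET last_seen = NOW() WHERE sid = 'x'</div>
<!-- TODO: delete from here once the redesign ships -->
</body></html>"""

if __name__ == "__main__":
    print("loose keyword hits:", loose_hits(SAMPLE))
    for where, stmt in find_sql_leaks(SAMPLE):
        print(f"{where}: {stmt}")
```

On the sample, the forgiving keyword match fires on ordinary page text and a TODO comment, while the strict patterns report only the two logged statements.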
