The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Failed to parse the content of the page for SQL Injection indications in the passive scanner

Claudio | Last updated: Mar 17, 2015 04:17PM UTC

Suppose the following scenario: I access a particular page, and in the body of the page you have a MySQL syntax error with the SQL query. The base request is always the same; it already has the SQL query in the body. Isn't the passive scanner supposed to pick up the info and indicate that a SQL Injection may exist based on this information, or at least that there is sensitive information being disclosed?

PortSwigger Agent | Last updated: Mar 17, 2015 04:55PM UTC

Burp doesn't currently passively report SQL injection issues based on any observed error messages in the base response, as this would lead to many false positives due to the lack of active interaction. In future, we plan to have the passive scanner create informational issues for "interesting" error messages of various kinds, including database error messages.
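A sketch of the kind of passive check the reply above describes, added here as an example; it is not part of the original thread and not Burp's implementation. It matches database error text in a response body and reports it only as an informational finding. The pattern list, function name, URLs and sample responses are constructed for illustration.

```python
import re

# Constructed, non-exhaustive error signatures (assumption: not Burp's own list).
DB_ERROR_PATTERNS = {
    "MySQL": [r"You have an error in your SQL syntax",
              r"corresponds to your (MySQL|MariaDB) server version"],
    "PostgreSQL": [r"ERROR:\s+syntax error at or near"],
    "Microsoft SQL Server": [r"Unclosed quotation mark after the character string"],
    "Oracle": [r"\bORA-\d{5}\b"],
}
COMPILED = [(db, re.compile(p, re.IGNORECASE))
            for db, pats in DB_ERROR_PATTERNS.items() for p in pats]

def passive_check(url, body, context=60):
    """Report database error text seen in an unmodified response.

    Nothing is sent to the server, so each finding is informational: the
    error alone does not show that request input reaches the query.
    """
    findings, seen = [], set()
    for db, rx in COMPILED:
        m = rx.search(body)
        if m is None or db in seen:
            continue
        seen.add(db)  # one finding per database, even if several patterns hit
        lo, hi = max(0, m.start() - context), min(len(body), m.end() + context)
        findings.append({
            "url": url, "issue": "Database error message in response",
            "database": db, "severity": "Information",
            "confidence": "Tentative",
            "evidence": " ".join(body[lo:hi].split()),
        })
    return findings

# Constructed sample responses (hypothetical URLs and bodies).
ERROR_PAGE = ("<html><body><b>Query failed:</b> You have an error in your SQL "
              "syntax; check the manual that corresponds to your MySQL server "
              "version for the right syntax to use near 'ORDER BY' at line 1"
              "</body></html>")
HELP_ARTICLE = ("<p>If you see 'You have an error in your SQL syntax', check "
                "your query for a missing quote.</p>")
CLEAN_PAGE = "<html><body><h1>Products</h1></body></html>"

if __name__ == "__main__":
    for url, body in [("https://app.example/item", ERROR_PAGE),
                      ("https://docs.example/faq", HELP_ARTICLE),
                      ("https://app.example/", CLEAN_PAGE)]:
        print(url, passive_check(url, body))
```

The help article that merely quotes the error text matches as well, which is the false-positive case the reply gives as the reason such a match cannot be reported as SQL injection without active testing.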

Burp User | Last updated: Mar 17, 2015 09:24PM UTC