Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Login to post

Failed to parse the content of the page for SQL Injection indications in the passive scanner

Claudio | Last updated: Mar 17, 2015 04:17PM UTC

Suppose the following scenario: I access a particular page, and in the body of the page you have a MySQL syntax error with the SQL query. The base request is always the same, it already has the SQL query in the body. Isn't the passive scanner supposed to pick up the info and indicate that may exist a SQL Injection based on this information or at least there is sensitive information being disclosed?

PortSwigger Agent | Last updated: Mar 17, 2015 04:55PM UTC

Burp doesn't currently passively report SQL injection issues based on any observed error messages in the base response, as this would lead to many false positives due to the lack of active interaction. In future, we plan to have the passive scanner create informational issues for "interesting" error messages of various kinds, including database error messages.

Burp User | Last updated: Mar 17, 2015 09:24PM UTC

Yeah, I tough that the false positives might be the reason, that would indeed be a good feature. Thanks for the feedback.

You need to Log in to post a reply. Or register here, for free.