Burp Suite User Forum


Missed SQL Injection

Nikolaos | Last updated: Oct 08, 2019 11:12AM UTC

Hi, doing some tests I noticed that Burp (version 2.1.04) is missing the SQL injection at http://zero.webappsecurity.com under the POST data field payeeId. SQLmap identifies it as the following:

sqlmap identified the following injection point(s) with a total of 46 HTTP(s) requests:
---
Parameter: payeeId (POST)
    Type: stacked queries
    Title: HSQLDB >= 1.7.2 stacked queries (heavy query - comment)
    Payload: payeeId=abc';CALL REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR(7251),0),500000000),NULL)--

    Type: time-based blind
    Title: HSQLDB > 2.0 OR time-based blind (heavy query)
    Payload: payeeId=abc' OR CHAR(76)||CHAR(86)||CHAR(107)||CHAR(117)=REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY(CHAR(65)||CHAR(69)||CHAR(83),NULL),0),500000000),NULL)-- GsOo
---
[14:02:48] [INFO] the back-end DBMS is HSQLDB

The POST request where Burp should have found the injection is:

POST /bank/pay-bills-get-payee-details.html HTTP/1.1
Host: zero.webappsecurity.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 13
Connection: close
Referer: http://zero.webappsecurity.com/bank/pay-bills.html
Cookie: JSESSIONID=29DB5859; username=username; password=password

payeeId=abc

The website is created for testing web scanner applications, please feel free to use it for that purpose.
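From a defender's side, the two payload families sqlmap reports above (a stacked query and a heavy-query time-based blind) have recognisable shapes in request logs: a quote followed by a semicolon and a new statement, REPEAT() with an enormous count, a quoted OR tautology, a trailing comment, and a response time far above the endpoint's baseline. The following script is an added example, not code from the thread, from sqlmap or from PortSwigger. It assumes a constructed log format (method, path, URL-encoded body, response time in milliseconds) and a constructed baseline; the sample log lines are built inline from the payloads shown in the post plus one legitimate value containing an apostrophe, so it runs offline.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Constructed log format (an assumption, not the site's real log):
#   METHOD PATH "url-encoded-body" response_time_ms
LOG_RE = re.compile(r'^(\w+) (\S+) "([^"]*)" (\d+)$')

# Time-based blind injection shows up as abnormally slow responses. The
# threshold is an illustrative choice for a page that normally answers in ~40 ms.
SLOW_MS = 5000

# Shapes of the HSQLDB payloads sqlmap reported in the post above.
PATTERNS = [
    ("stacked query: quote, semicolon, then a new statement",
     re.compile(r"'\s*;\s*[A-Za-z]")),
    ("heavy query: REPEAT() with a count of one million or more",
     re.compile(r"\bREPEAT\s*\(.*?,\s*\d{6,}\s*\)", re.I | re.S)),
    ("quoted OR tautology",
     re.compile(r"'\s*OR\s+\S.*?=", re.I)),
    ("trailing SQL comment",
     re.compile(r"--\s*\w*\s*$")),
]

PATH = "/bank/pay-bills-get-payee-details.html"


def _log(path, params, ms):
    """Build one constructed log line with a URL-encoded body."""
    return f'POST {path} "{urlencode(params)}" {ms}'


# Constructed sample traffic: lines 2 and 3 carry the payloads sqlmap reported;
# line 4 is a legitimate value with an apostrophe that must not be flagged.
SAMPLE_LOG = [
    _log(PATH, {"payeeId": "abc"}, 42),
    _log(PATH, {"payeeId": "abc';CALL REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR(7251),0),500000000),NULL)--"}, 8100),
    _log(PATH, {"payeeId": "abc' OR CHAR(76)||CHAR(86)||CHAR(107)||CHAR(117)=REGEXP_SUBSTRING("
                           "REPEAT(LEFT(CRYPT_KEY(CHAR(65)||CHAR(69)||CHAR(83),NULL),0),500000000),NULL)-- GsOo"}, 7950),
    _log(PATH, {"payeeId": "O'Brien"}, 40),
]


def analyze_line(line):
    """Return {'path', 'reasons'} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _method, path, body, ms = m.groups()
    reasons = []
    # parse_qsl undoes the percent/plus encoding, so patterns run on the raw value.
    for name, value in parse_qsl(body, keep_blank_values=True):
        for label, pattern in PATTERNS:
            if pattern.search(value):
                reasons.append(f"{name}: {label}")
    if int(ms) >= SLOW_MS:
        reasons.append(f"response took {ms} ms (threshold {SLOW_MS} ms)")
    return {"path": path, "reasons": reasons}


def scan(lines):
    """Return only the parsed lines that produced at least one reason."""
    results = (analyze_line(line) for line in lines)
    return [r for r in results if r and r["reasons"]]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["path"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

The response-time reason is reported separately from the content reasons on purpose: a heavy-query payload that the database rejects will match on content but not on timing, while a slow response with an innocent-looking body may indicate an encoding the patterns do not cover, and both cases deserve a look.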

Burp User | Last updated: Oct 08, 2019 11:44AM UTC

Same case, forcing an audit on the specific URL /bank/pay-bills-get-payee-details.html brought up the SQL injection as a valid issue.

Liam, PortSwigger Agent | Last updated: Oct 08, 2019 02:16PM UTC

Thanks for this report Nicolas. Burp Crawler doesn't currently handle JavaScript-heavy apps. We have this feature in this year's roadmap. Once we release the updated version of the crawler we should find this issue with a crawl and audit. If I can be of any further assistance, please let me know.

Nikolaos | Last updated: Nov 21, 2021 06:45PM UTC

Hi, the issue with SQL injection seems to still be present after ~3 years. Detection of SQL injection is limited and there are a lot of misses from Burp in this area.

Ben, PortSwigger Agent | Last updated: Nov 23, 2021 08:39AM UTC

Hi Nikolaos, are you able to provide us with any details on the SQL injection vulnerabilities that you believe Burp is not identifying so that we can take a look for you?
