The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Missed SQL Injection

Nikolaos | Last updated: Oct 08, 2019 11:12AM UTC

Hi, doing some tests I noticed that Burp (version 2.1.04) is missing the SQL injection at http://zero.webappsecurity.com under POST data field payeeId. SQLmap will identify it as the following:

    sqlmap identified the following injection point(s) with a total of 46 HTTP(s) requests:
    ---
    Parameter: payeeId (POST)
        Type: stacked queries
        Title: HSQLDB >= 1.7.2 stacked queries (heavy query - comment)
        Payload: payeeId=abc';CALL REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR(7251),0),500000000),NULL)--

        Type: time-based blind
        Title: HSQLDB > 2.0 OR time-based blind (heavy query)
        Payload: payeeId=abc' OR CHAR(76)||CHAR(86)||CHAR(107)||CHAR(117)=REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY(CHAR(65)||CHAR(69)||CHAR(83),NULL),0),500000000),NULL)-- GsOo
    ---
    [14:02:48] [INFO] the back-end DBMS is HSQLDB
    ----

The POST request where Burp should have found the injection is:

    POST /bank/pay-bills-get-payee-details.html HTTP/1.1
    Host: zero.webappsecurity.com
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 13
    Connection: close
    Referer: http://zero.webappsecurity.com/bank/pay-bills.html
    Cookie: JSESSIONID=29DB5859; username=username; password=password

    payeeId=abc

The website is created for testing web scanner applications, please feel free to use it for that purpose.

Burp User | Last updated: Oct 08, 2019 11:44AM UTC

Same case, forcing an audit on the specific URL /bank/pay-bills-get-payee-details.html brought up the SQL injection as a valid issue.

Liam, PortSwigger Agent | Last updated: Oct 08, 2019 02:16PM UTC

Thanks for this report Nicolas. Burp Crawler doesn't currently handle JavaScript-heavy apps. We have this feature in this year's roadmap. Once we release the updated version of the crawler we should find this issue with a crawl and audit. If I can be of any further assistance, please let me know.
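Added example, not part of the thread and not Burp's own code: a coverage check that lists parameterized XHR endpoints seen in manual browsing but absent from a crawl, which are the requests that need a forced audit as described above. The sample data, `PROXY_HISTORY`, `CRAWLED_PATHS` and both function names are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample data: raw requests as a proxy history would hold them.
# The second entry is modelled on the request quoted in the thread.
PROXY_HISTORY = [
    "GET /bank/pay-bills.html HTTP/1.1\r\nHost: zero.webappsecurity.com\r\n\r\n",
    "POST /bank/pay-bills-get-payee-details.html HTTP/1.1\r\n"
    "Host: zero.webappsecurity.com\r\n"
    "Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
    "X-Requested-With: XMLHttpRequest\r\n\r\n"
    "payeeId=abc",
]
# Constructed: paths a link-following crawler reported as discovered.
CRAWLED_PATHS = {"/bank/pay-bills.html"}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, headers and parameter names."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = [k for k, _ in parse_qsl(url.query, keep_blank_values=True)]
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += [k for k, _ in parse_qsl(body, keep_blank_values=True)]
    return {"method": method, "path": url.path, "headers": headers, "params": params}


def coverage_gaps(history, crawled_paths):
    """Return {(method, path): [param, ...]} for XHR requests the crawl never reached."""
    gaps = {}
    for raw in history:
        req = parse_request(raw)
        is_xhr = req["headers"].get("x-requested-with", "").lower() == "xmlhttprequest"
        if is_xhr and req["params"] and req["path"] not in crawled_paths:
            gaps.setdefault((req["method"], req["path"]), set()).update(req["params"])
    return {key: sorted(names) for key, names in gaps.items()}


if __name__ == "__main__":
    for (method, path), params in coverage_gaps(PROXY_HISTORY, CRAWLED_PATHS).items():
        print(f"not crawled: {method} {path} params={params}")
```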

Nikolaos | Last updated: Nov 21, 2021 06:45PM UTC

Hi, the issue with SQL injection seems to be still present after ~ 3 years. Detection of SQL injection is limited and there are a lot of misses from Burp in this area.

Ben, PortSwigger Agent | Last updated: Nov 23, 2021 08:39AM UTC