Burp Suite User Forum

Login to post

Missing PHP Code Injection Detection

Riccardo | Last updated: Jun 23, 2020 04:15PM UTC

Hello, I'm using Burp Pro 2020.5 and I have a PHP Code Injection vulnerability on a parameter name (both on GET and POST). The Code Injection does not work on the parameter value. Even if the "Parameter Name" insertion point is enabled on the Audit configuration during the scan, Burp does not detect the vulnerability. Using the Intruder and specifying the vulnerable parameter names as insertion points, instead, Burp does find the PHP Code Injection vulnerabilities without any other configuration changes. This appears to be a bug on the Burp side. Could you please tell how could it be? We are working with the default Auditing configuration. Best regards.

Riccardo | Last updated: Jun 23, 2020 04:40PM UTC

Referring to the missing PHP Code Injection, I've seen that Burp actually does the correct HTTP request in order to find it, but do not detect it. The HTTP request (taken from the scanner logs) is the following: POST /site/index.php?module=login&method=login HTTP/1.1 Host: xxxxx Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Connection: close Cache-Control: max-age=0 Referer: http://xxxxx/site/index.php?module=login&method=loginForm Content-Type: application/x-www-form-urlencoded Content-Length: 63 Cookie: PHPSESSID=xxxxx username=BVOaNUaA&password%7b$%7bsleep(20)%7d%7d=w5A%21j6i%21V0 As i said before, even if Burp is actually doing that kind of tests, and even if that requests causes about 20s of delay in response, the PHP Code Injection is not detected. Regards

Riccardo | Last updated: Jun 23, 2020 04:40PM UTC

Referring to the missing PHP Code Injection, I've seen that Burp actually does the correct HTTP request in order to find it, but do not detect it. The HTTP request (taken from the scanner logs) is the following: POST /site/index.php?module=login&method=login HTTP/1.1 Host: xxxxx Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Connection: close Cache-Control: max-age=0 Referer: http://xxxxx/site/index.php?module=login&method=loginForm Content-Type: application/x-www-form-urlencoded Content-Length: 63 Cookie: PHPSESSID=xxxxx username=BVOaNUaA&password%7b$%7bsleep(20)%7d%7d=w5A%21j6i%21V0 As i said before, even if Burp is actually doing that kind of tests, and even if that requests causes about 20s of delay in response, the PHP Code Injection is not detected. Regards

Liam, PortSwigger Agent | Last updated: Jun 24, 2020 01:23PM UTC

Thanks for this report. We've flagged this check for review. We'll update this thread following our investigation.

You need to Log in to post a reply. Or register here, for free.