Burp Suite User Forum


Option to turn off 'OR' based SQL injection tests

Sebastien | Last updated: May 03, 2018 06:40AM UTC

Hey, I noticed that the Burp Suite scanner uses 'OR'-based SQL injection tests by default, and that there is no option to disable this either. I was wondering if it would be possible to add an option in detection methods to separate these kinds of tests (at least the OR-based ones).

The reason for this is that for some queries, these OR tests could potentially alter entire tables/databases if the query is modifying fields. For example:

DELETE FROM posts WHERE id=2

If an OR test would succeed on this, it would delete all posts.

Thanks
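To make the concern in the post concrete, here is an added example (not from the original thread and not Burp's own scanner logic) that runs a few Boolean-condition probes against a hypothetical, deliberately vulnerable delete handler backed by an in-memory SQLite database. The table name and the `id=2` query follow the post; the rows, the handler names (`delete_post_vulnerable`, `delete_post_safe`) and the probe strings are constructed for this demonstration. It shows why an `OR`-based probe is destructive on a `DELETE` while the `AND`-based probes only touch the targeted row, and that a parameterised query is unaffected by either.

```python
import sqlite3

# Constructed sample data for the demonstration; the table name and the
# "id" column follow the example in the post, the rows are invented.
SAMPLE_POSTS = [(1, "first"), (2, "second"), (3, "third")]


def fresh_db():
    """Return a new in-memory database seeded with SAMPLE_POSTS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?)", SAMPLE_POSTS)
    conn.commit()
    return conn


def row_count(conn):
    """Number of rows left in posts; used to measure what a probe did."""
    return conn.execute("SELECT COUNT(*) FROM posts").fetchone()[0]


def delete_post_vulnerable(conn, post_id):
    """Hypothetical vulnerable handler: the id is concatenated into the SQL,
    so a scanner payload becomes part of the WHERE clause."""
    sql = f"DELETE FROM posts WHERE id={post_id}"
    conn.execute(sql)
    conn.commit()
    return row_count(conn)


def delete_post_safe(conn, post_id):
    """Hardened handler: a bound parameter is compared as a single value,
    so '2 OR 1=1' never matches an integer id."""
    conn.execute("DELETE FROM posts WHERE id=?", (post_id,))
    conn.commit()
    return row_count(conn)


def run_probe(handler, payload):
    """Run one payload against a fresh database; return rows remaining."""
    return handler(fresh_db(), payload)


def probe_summary(handler):
    """Rows remaining after each of three classic Boolean-condition probes.

    The OR probe is the dangerous one: on a DELETE it matches every row.
    The AND probes only ever narrow the original condition, so at worst they
    delete the single row the request already targeted.
    """
    return {
        "2 OR 1=1": run_probe(handler, "2 OR 1=1"),
        "2 AND 1=1": run_probe(handler, "2 AND 1=1"),
        "2 AND 1=2": run_probe(handler, "2 AND 1=2"),
    }


if __name__ == "__main__":
    print("vulnerable:", probe_summary(delete_post_vulnerable))
    print("parameterised:", probe_summary(delete_post_safe))
```

Against the vulnerable handler the `OR` probe empties the table, `2 AND 1=1` removes only post 2, and `2 AND 1=2` removes nothing; against the parameterised handler all three probes leave the three rows untouched. Note that the `AND` probes are not free of side effects either: the true branch still performs the delete the request was already going to do, which is the usual argument for scanning state-changing requests against a disposable copy of the application.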

PortSwigger Agent | Last updated: May 03, 2018 09:12AM UTC

Hi Sebastien, Thanks for getting in touch. We're going to have a discussion internally and look at implementing this. In the meantime, I suggest that you disable the Boolean conditions detection method. To make up for disabling the AND logic checks, install the Backslash Powered Scanner extension, which does some similar checks. Please let us know if you need any further assistance.
