Burp Suite User Forum

Probable bug: SQL injection avoidable false positive?

Anders | Last updated: Sep 28, 2015 08:54AM UTC

"Issue detail: The [...redacted...] cookie appears to be vulnerable to SQL injection attacks. The payload ' and '6143'='6143 was submitted in the Auth-Portal cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The database appears to be Oracle."

The highlighted text in the response is 'oRA-1'. And the report is classed 'Confidence: Firm'.

False positive: The highlighted text is inside a base64 string in a Set-Cookie header. The HTTP headers appear to be an unlikely place to look for database error messages, so it struck me that this might be an avoidable issue.

PortSwigger Agent | Last updated: Sep 30, 2015 08:17AM UTC

Thanks for this report. This is a difficult issue to judge. On the one hand, there are certainly false positives where a response just happens to contain an error string that Burp is looking for (as in this case). On the other hand, there are plenty of real-world cases where a response contains a snippet of an error message due to a real bug. These can even occasionally occur in weird locations such as a Set-cookie header. We get very few reports of this type of false positive, and on balance we think that it is best to live with those occasional false positives, if the alternative is that Burp fails to report an occasional genuine bug.
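A triage heuristic for the kind of finding discussed in this thread, added here as an example; it is not Burp's detection logic and not code from either poster. It labels each error-signature hit as plain text, as falling inside a base64-looking token, or as found only after decoding a token. The signature regex, the token length threshold and the sample responses are assumptions constructed for illustration, and the labels are prompts for manual review rather than verdicts.

```python
import base64
import re

# Assumed signature (Burp's real pattern is not on the page): case-insensitive "ORA-<digits>".
SIGNATURE = re.compile(r"ora-\d+", re.IGNORECASE)
# Runs of base64/base64url characters long enough to be an encoded value.
TOKEN = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")

def decode_token(token):
    """Decode a base64 or base64url token to text; return "" if it is not valid."""
    body = token.rstrip("=").replace("+", "-").replace("/", "_")
    try:
        raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except ValueError:
        return ""
    return raw.decode("latin-1")

def triage(raw_response):
    """Return (location, matched_text, verdict) for each signature hit."""
    head, _, body = raw_response.partition("\r\n\r\n")
    findings = []
    for location, text in (("headers", head), ("body", body)):
        tokens = list(TOKEN.finditer(text))
        for hit in SIGNATURE.finditer(text):
            opaque = any(t.start() <= hit.start() and hit.end() <= t.end() for t in tokens)
            findings.append((location, hit.group(), "coincidental-in-token" if opaque else "plain-text"))
        # A real error can also sit inside an encoded value, where raw matching misses it.
        for t in tokens:
            for hit in SIGNATURE.finditer(decode_token(t.group())):
                findings.append((location, hit.group(), "inside-decoded-token"))
    return findings

# Constructed sample responses (not taken from the thread).
ERROR = "ORA-00933: SQL command not properly ended"
COINCIDENCE = "HTTP/1.1 200 OK\r\nSet-Cookie: Auth-Portal=dT0xMDQyoRA-1lqcO2V4cD05; Path=/\r\n\r\n<html>ok</html>"
BODY_ERROR = "HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n<pre>" + ERROR + "</pre>"
ENCODED_ERROR = ("HTTP/1.1 200 OK\r\nSet-Cookie: Auth-Portal="
                 + base64.urlsafe_b64encode(ERROR.encode()).decode() + "; Path=/\r\n\r\n<html>ok</html>")

if __name__ == "__main__":
    for name, response in (("coincidence", COINCIDENCE), ("body error", BODY_ERROR), ("encoded error", ENCODED_ERROR)):
        print(name, triage(response))
```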
