The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

Server Side Code Injection not detected without enabling SQL Injection scanning module

Abeer | Last updated: Apr 19, 2017 01:54PM UTC

Hello Team,

While testing for Python code injections, I observed that the Burp Suite Pro 1.7.21 active scanner does not detect server-side code injections without enabling the SQL Injection main module (sub-modules for type of payloads need not be enabled) in the active scanning area. Using the combination mentioned above, the scanner throws the payload 'eval(compile('for%20x%20in%20range(1)%3a%5cn%20import%20time%5cn%20time.sleep(20)'%2c'a'%2c'single'))' at the vulnerable parameter. Looking at this, I assume that the server-side code injection module is probably not picking up the vulnerability due to the absence of the word 'sleep' in its dictionary (a random guess), and maybe it needs the SQL Injection module to fetch that payload from there?

Well, using a standalone, customized, selected active area, I see I might have missed critical vulnerabilities in my pen tests! ...as many times I would not want to bombard the target with multiple requests or payloads and use only modules which I require. Can we have a similar check for all scanning modules?

Thanks

PortSwigger Agent | Last updated: Apr 19, 2017 02:34PM UTC