Extend SQL recognition to responses
The Active scanner in Burp already identifies SQL statements within queries as potential SQL injection vulnerabilities. However, some applications log the executed SQL statements in the HTML output as comments or in an HTML element hidden with CSS. So just by enabling the already existing algorithm to detect SQL statements within responses as well (not just requests), Burp could detect such information leaks about the database backend.
Thanks for the suggestion. We agree this could be useful, although we’re quite concerned that checking responses would be prone to false positives. The current logic for detecting SQL statements is quite forgiving, which doesn’t cause problems when just checking requests, but could cause many false positives with responses. If we develop stricter logic in future we may look at implementing your suggestion.
In the meantime, you can use the Error Message Checks extension to do this. You can define a regular expression that catches SQL statements, and the extension will check HTTP responses for this.
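As an added example (not code from this thread, from Burp, or from the Error Message Checks extension), the Python check below illustrates both sides of the exchange: a loose keyword match of the kind the reply is worried about fires on ordinary page copy, while a stricter structural pattern applied only to HTML comments and CSS-hidden elements picks out the logged statements. The sample response body and the regular expressions are constructed for this example; the strict pattern is the sort of expression one could hand to the extension mentioned above.

```python
import re
from html import unescape

# Loose check, comparable to a forgiving request-side heuristic: any SQL verb
# anywhere in the text. On HTML responses this matches normal English copy.
LOOSE_SQL = re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)

# Stricter check: a verb must be followed by its structural keyword and an
# identifier (SELECT ... FROM t, INSERT INTO t, UPDATE t SET c, DELETE FROM t).
# The remainder of the statement is captured up to ';' or the next tag.
STRICT_SQL = re.compile(
    r"\b(?:"
    r"SELECT\s+(?:\*|[\w.,\s`\"]+?)\s+FROM\s+[`\"]?\w+"
    r"|INSERT\s+INTO\s+[`\"]?\w+"
    r"|UPDATE\s+[`\"]?\w+[`\"]?\s+SET\s+\w+"
    r"|DELETE\s+FROM\s+[`\"]?\w+"
    r")[^;<]*",
    re.IGNORECASE | re.DOTALL,
)

# The two places the original post names: HTML comments and elements hidden
# with CSS (or the HTML5 'hidden' attribute). No nested-element handling.
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)
HIDDEN_ELEMENT = re.compile(
    r"<(\w+)\b[^>]*?(?:\shidden\b|display\s*:\s*none|visibility\s*:\s*hidden)"
    r"[^>]*>(.*?)</\1\s*>",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample response body (not taken from any real application).
SAMPLE_BODY = """<html><body>
<!-- debug: SELECT id, email FROM users WHERE id = 42; -->
<p>Please select an option and update your profile, or delete your account.</p>
<div style="display:none">last query: UPDATE users SET last_login = NOW() WHERE id = 42</div>
<div style="display: none" id="trace">INSERT INTO audit_log VALUES (1, 'login')</div>
<span hidden>DELETE FROM sessions WHERE expires_at IS NULL</span>
<div class="visible">Orders are reviewed by the select committee.</div>
</body></html>"""


def find_sql_leaks(body: str):
    """Return (location, statement) pairs for SQL found in comments or hidden elements."""
    findings = []
    for m in HTML_COMMENT.finditer(body):
        for s in STRICT_SQL.finditer(unescape(m.group(1))):
            findings.append(("html-comment", s.group(0).strip()))
    for m in HIDDEN_ELEMENT.finditer(body):
        for s in STRICT_SQL.finditer(unescape(m.group(2))):
            findings.append(("hidden-element", s.group(0).strip()))
    return findings


def loose_keyword_hits(body: str) -> int:
    """Number of matches the loose keyword check produces over the whole body."""
    return len(LOOSE_SQL.findall(body))


def strict_hits_in_visible_text(body: str) -> int:
    """Number of strict matches in the body once comments and hidden elements are removed."""
    visible = HIDDEN_ELEMENT.sub("", HTML_COMMENT.sub("", body))
    return len(STRICT_SQL.findall(visible))


if __name__ == "__main__":
    print("loose keyword hits:", loose_keyword_hits(SAMPLE_BODY))
    print("strict hits in visible copy:", strict_hits_in_visible_text(SAMPLE_BODY))
    for location, statement in find_sql_leaks(SAMPLE_BODY):
        print(f"{location}: {statement}")
```

On the sample body the loose check reports eight hits, four of them from the visible sentences, whereas the strict pattern finds nothing in the visible copy and reports exactly the four statements leaked in the comment and the hidden elements. A regex of the strict kind still needs tuning per application (table and column naming, quoting style), which is the false-positive trade-off the reply describes.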