Add tests for SQL injection with Tabs rather than Spaces?
I was working through the Pentester Lab: Web For Pentester (https://www.vulnhub.com/entry/pentester-lab-web-for-pentester,71/) SQL injections, and the Example 2 injection rejects all inputs with spaces in them. Using TAB characters (%09) instead of spaces works, but running the page through Burp Suite Pro's Active Scanner doesn't pick up on the vulnerability.
Are there any plans to implement tests for this type of injection, or is there a way to configure Burp so it will detect it?
Thanks for this request. We’ll look into adding this capability, probably when the Scanner is set to use the “Thorough” scan speed. This would need to augment, not replace, the existing payloads that use spaces, because otherwise we would lose bugs where the application allows spaces but rejects characters < 0x20.
Part of designing a Scanner is making a judgement as to which payloads are worth using. It is possible to find many more bugs by using many more payloads, but this means that all scans run much more slowly.
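As an added example (not part of the original thread, and not code from the lab or from Burp): a constructed SQLite lookup showing that the two character filters mentioned above each block only one whitespace variant of the same input, while a parameterized query is unaffected by either. The table, function names and inputs are assumptions made for illustration.

```python
import sqlite3

# Constructed inputs: the same tautology, separated by spaces or by TABs (%09).
SPACE_INPUT = "root' OR '1'='1"
TAB_INPUT = SPACE_INPUT.replace(" ", "\t")

def make_db():
    """In-memory table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT)")
    db.executemany("INSERT INTO users VALUES (?)", [("root",), ("admin",), ("user1",)])
    return db

def rejects_spaces(value):
    """Filter like the one described in the question: no spaces allowed."""
    return " " in value

def rejects_control_chars(value):
    """Filter like the one described in the reply: no characters below 0x20."""
    return any(ord(c) < 0x20 for c in value)

def lookup_filtered(db, name, is_rejected):
    """'Before': blacklist check, then string concatenation into the SQL text."""
    if is_rejected(name):
        return "rejected"
    rows = db.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()
    return [r[0] for r in rows]

def lookup_parameterized(db, name):
    """'After': the value is bound as data and never parsed as SQL."""
    rows = db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]

def run_matrix():
    """Run both inputs through both filters and through the bound query."""
    db = make_db()
    results = {}
    for label, value in (("space", SPACE_INPUT), ("tab", TAB_INPUT)):
        results[label] = {
            "space_filter": lookup_filtered(db, value, rejects_spaces),
            "control_filter": lookup_filtered(db, value, rejects_control_chars),
            "parameterized": lookup_parameterized(db, value),
        }
    return results

if __name__ == "__main__":
    for label, row in run_matrix().items():
        print(label, row)
```

Each blacklist returns every row for the whitespace variant it does not cover, which is why a test suite for such filters needs both variants; the bound query returns no rows for either.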