Name is required.
Email address is required.
Invalid email address
Answer is required.
Exceeding max length of 5KB

Add tests for SQL injection with Tabs rather than Spaces?

Adrian Mar 06, 2015 04:50AM UTC

I was working through the Pentester Lab: Web For Pentester (,71/) SQL injections, and the Example 2 injection rejects all inputs with spaces in them. Using TAB characters (%09) instead of spaces works, but running the page through Burp Suite Pro's Active Scanner doesn't pick up on the vulnerability.

Are there any plans to implement tests for this type of injection, or is there a way to configure Burp so it will detect it?

Dafydd Stuttard Mar 09, 2015 04:19PM UTC Support Center agent

Thanks for this request. We’ll look into adding this capability, probably when the Scanner is set to use the “Thorough” scan speed. This would need to augment, not replace, the existing payloads that use spaces, because otherwise we would lose bugs where the application allows spaces but rejects characters < 0×20.

Part of designing a Scanner is making a judgement as to which payloads are worth using. It is possible to find many more bugs by using many more payloads, but this means that all scans run much more slowly.

Post Your public answer

Your name
Your email address