Burp Suite User Forum

java.sql.SQLException: Invalid column index not detected by active scanner

Chris | Last updated: Mar 16, 2015 03:28PM UTC

Hi, while working on an application with the active scanner of Burp 1.6.12, a lot of possible SQL injections like:

--------------
SERVICE NOT AVAILABLE. Please refer to your system administration<br>FooException: Exception thrower: foo.bar.OJBService<br>Attributes: class foo.bar.Service<br>serialVersionUID = -8879262741052573073<br>broker = interface org.apache.ojb.broker.PersistenceBroker<br>log = interface foo.bar.Service<br>logger = class org.apache.log4j.Logger<br>callStackInfo = foo.bar.Method<br>userId = 1230<br>TimingLogFlag = true<br>TimingStoreLogFlag = false<br>starttime = 1426509330706<br> Reason: org.apache.ojb.broker.PersistenceBrokerSQLException: java.sql.SQLException: ORA-01722: invalid number<br>)</td>
--------------

were popping up in the results of the scanner. However, there were slightly different responses like:

--------------
SERVICE NOT AVAILABLE. Please refer to your system administration<br>FooException: Exception thrower: foo.bar.OJBService<br>Attributes: class foo.bar.Service<br>serialVersionUID = -8879262741052573073<br>broker = interface org.apache.ojb.broker.PersistenceBroker<br>log = interface foo.bar.Service<br>logger = class org.apache.log4j.Logger<br>callStackInfo = foo.bar.Method<br>userId = 1230<br>TimingLogFlag = true<br>TimingStoreLogFlag = false<br>starttime = 1426512473996<br> Reason: org.apache.ojb.broker.PersistenceBrokerSQLException: java.sql.SQLException: Invalid column index)</td>
--------------

when manually modifying an empty "sortColumn=" parameter by adding various special chars. I don't exactly know if this is the expected behavior of Burp. Shouldn't the active scanner also catch the second response?

PortSwigger Agent | Last updated: Mar 17, 2015 02:27PM UTC

Thanks for this report. It looks like Burp is triggering on the Oracle-specific ORA-01722 message, but not the more generic one. We'll get Burp fixed so that it catches the more generic error message.

Burp User | Last updated: Mar 17, 2015 03:59PM UTC

Hi, thanks for the reply. Today I've cross-checked this and it seems that's a behavior generated by the application itself. I have even changed the request back to the original one and the application is still reporting a: Reason: org.apache.ojb.broker.PersistenceBrokerSQLException: java.sql.SQLException: Invalid column index for a (yesterday) valid request. I really don't know if this is something which Burp can handle, as it could just trigger false positives for each request.

PortSwigger Agent | Last updated: Mar 17, 2015 04:11PM UTC

Thanks for the update. Burp doesn't report SQL injection issues just on the basis of seeing an error message, as this would lead to many false positives as you say. Rather, Burp determines whether a SQL-specific error message is suitably conditional on different payloads. For example, if one single quote causes an error but two single quotes do not, then this is good evidence for the vulnerability. If a response always contains a particular error string, then Burp won't report the issue.
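
The conditional check described in the reply above, as an added sketch that is not part of the thread and not Burp's own code. The function names, verdict labels and sample bodies are assumptions made for this example; only the two error strings come from the responses quoted in the thread.

```python
import re

# Error signatures taken from the two responses quoted in this thread.
SQL_ERROR_PATTERNS = [
    re.compile(r"ORA-\d{5}"),
    re.compile(r"java\.sql\.SQLException: Invalid column index"),
]

def sql_errors(body):
    """Return the set of SQL error signatures found in a response body."""
    return {m.group(0) for p in SQL_ERROR_PATTERNS if (m := p.search(body))}

def classify(baseline, one_quote, two_quotes):
    """Classify three responses for one parameter.

    baseline   -- response to the original, unmodified request
    one_quote  -- response with a single quote appended to the value
    two_quotes -- response with two single quotes appended
    Returns (verdict, signatures).
    """
    base, odd, even = (sql_errors(b) for b in (baseline, one_quote, two_quotes))
    # Error appears only when the quotes are unbalanced: good evidence.
    conditional = odd - even - base
    if conditional:
        return "report", conditional
    # Error is present even in the unmodified request: not payload-dependent.
    if odd & base:
        return "ignore-unconditional", odd & base
    # Error follows any modification, balanced or not. Treating this as
    # inconclusive is a choice made for this sketch, not documented Burp behaviour.
    if odd:
        return "inconclusive", odd
    return "clean", set()

# Constructed sample bodies, built from the error text quoted in the thread.
PREFIX = "Reason: org.apache.ojb.broker.PersistenceBrokerSQLException: java.sql.SQLException: "
OK = "<td>42 rows</td>"
ORA = PREFIX + "ORA-01722: invalid number<br>)</td>"
IDX = PREFIX + "Invalid column index)</td>"

def demo():
    return [
        classify(OK, ORA, OK)[0],    # error only with the unbalanced quote
        classify(IDX, IDX, IDX)[0],  # error on every request, as in the follow-up post
        classify(OK, IDX, IDX)[0],   # error on any modified value
        classify(OK, OK, OK)[0],     # no SQL error in any response
    ]

if __name__ == "__main__":
    print(demo())
```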

Burp User | Last updated: Mar 18, 2015 09:52PM UTC

Hi, and thanks again for your reply and the clarification of how Burp is detecting such exceptions. I still think that this case could be closed as invalid, as the original ORA-xxx messages were caught by Burp and the generic ones were just too generic for Burp.