
Server Side Code Injection not detected without enabling SQL Injection scanning module

Abeer Banerjee Apr 19, 2017 01:54PM UTC

Hello Team,

While testing for Python code injections, I observed that the Burp Suite Pro 1.7.21 active scanner does not detect server side code injections without enabling the SQL Injection main module (sub-modules for type of payloads need not be enabled) in the active scanning area.

Using the combination mentioned above, the scanner throws the payload 'eval(compile('for%20x%20in%20range(1)%3a%5cn%20import%20time%5cn%20time.sleep(20)'%2c'a'%2c'single'))' at the vulnerable parameter. Looking at this, I assume that the server side code injection module is probably not picking up the vulnerability due to the absence of the word 'sleep' in its dictionary (a random guess), and maybe it needs the SQL Injection module to fetch that payload from there?

Well, using a standalone, customized, selected active area, I see I might have missed critical vulnerabilities in my pen tests! ...as many times I would not want to bombard the target with multiple requests or payloads and use only the modules which I require.

Can we have a similar check for all scanning modules? Thanks
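The payload quoted in the post is a time-based probe: a Python `eval(compile(...))` wrapper around an `import time` / `time.sleep(20)` body, URL-encoded. As an added example (not from the thread or from Burp), the following log-side check URL-decodes a parameter value and flags that pattern so a defender can spot such probes in request logs; the sample values are constructed.

```python
"""Flag time-based Python code-injection probes in request parameters.

Added example, not code from the Burp support thread. It URL-decodes a
parameter value (handling double encoding) and matches the eval/compile
and time.sleep pattern used by the scanner payload quoted in the post.
"""
import re
from urllib.parse import unquote

# Patterns worth flagging: eval/exec wrapping compile(), and a sleep call,
# which is what makes the probe detectable by response delay.
PATTERNS = [
    ("eval_compile", re.compile(r"\b(eval|exec)\s*\(\s*compile\s*\(", re.I)),
    ("time_sleep", re.compile(r"\btime\.sleep\s*\(\s*\d+", re.I)),
    ("import_time", re.compile(r"\bimport\s+time\b")),
]


def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded payloads are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(param_value):
    """Return the names of all patterns matched by the decoded value."""
    decoded = decode_fully(param_value)
    return [name for name, rx in PATTERNS if rx.search(decoded)]


def is_code_injection_probe(param_value):
    """True only when an eval/exec wrapper AND a sleep call are present,
    so a bare 'time.sleep(20)' in a text field is not flagged on its own."""
    hits = classify(param_value)
    return "eval_compile" in hits and "time_sleep" in hits


# Constructed sample parameter values: the payload quoted in the post,
# a benign search string, and a partial match that should not be flagged.
SAMPLES = {
    "probe": "eval(compile('for%20x%20in%20range(1)%3a%5cn%20import%20time%5cn"
             "%20time.sleep(20)'%2c'a'%2c'single'))",
    "benign": "search%3Dsleep%20apnea",
    "partial": "time.sleep(20)",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, classify(value), is_code_injection_probe(value))
```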


Dafydd Stuttard Apr 19, 2017 03:14PM UTC Support Center agent

Thanks for this report. We’ve confirmed this issue. It does appear that the scan check logic for SQL injection and server-side code injection is erroneously inter-dependent. This is due to the possibility that SQLi sleep payloads can also trigger “unknown code injection”.

We’ll look into properly separating out the scan logic to remove the hidden dependency while also avoiding false positives.

We don’t believe that this is any kind of widespread issue within the scan check configuration.

