Server Side Code Injection not detected without enabling SQL Injection scanning module
While testing for python code injections, i observed that the burp suite pro 1.7.21 active scanner does not detect server side code injections without enabling the SQL Injection main module (sub-modules for type of payloads need not be enabled) active scanning area.
Using the combination mentioned above, the scanner throws the payload 'eval(compile('for%20x%20in%20range(1)%3a%5cn%20import%20time%5cn%20time.sleep(20)'%2c'a'%2c'single'))' at the vulnerable parameter. Looking at this, i assume that the server side code injection module is probably not picking up the vulnerability due to absence of the word 'sleep' in it's dictionary (a random guess) and may be it needs the SQL Injection module to fetch that payload from there?
Well, using a standalone, customized, selected active area, i see i might have missed critical vulnerabilities in my pen tests ! ...as many times i would not want to bombard the target with multiple requests or payloads and use only modules which i require.
Can we have a similar check for all scanning modules? Thanks
Thanks for this report. We’ve confirmed this issue. It does appear that the scan check logic for SQL injection and server-side code injection is erroneously inter-dependent. This is due to the possibility that SQLi sleep payloads can also trigger “unknown code injection”.
We’ll look into properly separating out the scan logic to remove the hidden dependency while also avoiding false positives.
We don’t believe that this is any kind of widespread issue within the scan check configuration.