Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

skip server-side injection not preventing requests

Tiago | Last updated: Mar 22, 2018 02:55PM UTC

Adding an entry to "Skip server-side injection..." in the Scanner Options does not prevent that (for instance) parameter from being actively tested, i.e. making requests with payloads on that parameter. I need to add the exclusion entry to the "Skip all tests for these parameters" option to ensure no payload is injected in that parameter, thus preventing any request with that parameter modified. So my question is: shouldn't "skip server-side injection" prevent any request from being made with a payload on that parameter? I did a test only with SQL injection tests enabled and activated the scanner request log and I saw request being made with payloads like ', %27 or %2527. Don't you consider this server side tests?

Liam, PortSwigger Agent | Last updated: Mar 22, 2018 03:19PM UTC

%27 is a single quote URL encoded. This is used by Burp Suite to test for SQL injection.

Burp User | Last updated: Mar 22, 2018 03:33PM UTC

I know that. The question is: I excluded that parameter with an entry in the "skip server-side injection" setting, why does it keep doing tests to that parameter if I requested to skip server side tests?

Liam, PortSwigger Agent | Last updated: Mar 22, 2018 03:58PM UTC

If SQL injection tests are enabled, Burp Scanner will send payloads to test for SQL injection, which will include %27.

Burp User | Last updated: Mar 22, 2018 06:03PM UTC

I don't think you are reading the whole question. Read it again please. I'm asking why does "skip server-side injection" exclusions are still tested actively, i.e. by sending requests with payloads.

PortSwigger Agent | Last updated: Mar 23, 2018 08:47AM UTC

Hi Tiago, Just to explain a bit more about that option. "Skip server-side injection" disables some of the more time consuming tests, such as blind SQL injection. It still sends some payloads to the server. For example, it still tests for XSS, which is an example of client-side injection, and involves sending a payload to the server to test it. It sounds like you want to avoid sending any payloads in that parameter, so please use the "Skip all tests" option. I guess the wording of the option could be confusing. It's a difficult balance to make these descriptions both accurate and clear, and also concise. The documentation does explain this a bit more: - https://portswigger.net/burp/help/scanner_options#insertionpoints_skipping Please let us know if you need any further assistance.

Burp User | Last updated: Mar 23, 2018 02:12PM UTC

Ok, that makes more sense. I agree with you about how hard is to achieve a good and concise description :)

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.