Name is required.
Email address is required.
Invalid email address
Answer is required.
Exceeding max length of 5KB

Missed SQL Injection

Nicolas Krassas Oct 08, 2019 11:12AM UTC

Hi,

Doing some tests I notice that Burp ( version 2.1.04 ) is missing the SQL injection at http://zero.webappsecurity.com under post data field payeeId.

SQLmap will identify it with as the following:

sqlmap identified the following injection point(s) with a total of 46 HTTP(s) requests:
---
Parameter: payeeId (POST)
Type: stacked queries
Title: HSQLDB >= 1.7.2 stacked queries (heavy query - comment)
Payload: payeeId=abc';CALL REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR(7251),0),500000000),NULL)--

Type: time-based blind
Title: HSQLDB > 2.0 OR time-based blind (heavy query)
Payload: payeeId=abc' OR CHAR(76)||CHAR(86)||CHAR(107)||CHAR(117)=REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY(CHAR(65)||CHAR(69)||CHAR(83),NULL),0),500000000),NULL)-- GsOo
---
[14:02:48] [INFO] the back-end DBMS is HSQLDB

----
The post request where Burl should have found the injection is

POST /bank/pay-bills-get-payee-details.html HTTP/1.1
Host: zero.webappsecurity.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 13
Connection: close
Referer: http://zero.webappsecurity.com/bank/pay-bills.html
Cookie: JSESSIONID=29DB5859; username=username; password=password

payeeId=abc

The website is created for testing web scanner applications, please feel free to use it for that purpose.


Nicolas Krassas Oct 08, 2019 11:44AM UTC
Same case, forcing an audit on the specific URL/bank/pay-bills-get-payee-details.html brought up the SQL injection as valid Issue.

Liam Tai-Hogan Oct 09, 2019 09:07AM UTC Support Center agent

Thanks for this report Nicolas. Burp Crawler doesn’t currently handle JavaScript-heavy apps.

We have this feature in this years roadmap. Once we release the updated version of the crawler we should find this issue with a crawl and audit.

If I can be of any further assistance, please let me know.


Post Your public answer

Your name
Your email address
Answer