You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In the context of web application firewalls it makes a difference whether a string comes within a quoted context or not.
Assuming a Unix shell injection of the form ls "dir/<INJECTION>"
it makes a difference whether the injected string is "; cat secret.txt" (quoted) or ; cat secret.txt(unquoted).
In some testcases (e.g., testcases/owasp/sql-injection.yml) there are teststrings in a quoted context. However, the scanner strips the quotation marks from the teststrings and submits an altered form.
This is because in internal/db/load.go the yaml configuration is unmarshalled (line 56). There, the quotations around teststrings are deleted.
Thanks for looking into this
The text was updated successfully, but these errors were encountered:
In the context of web application firewalls it makes a difference whether a string comes within a quoted context or not.
Assuming a Unix shell injection of the form
ls "dir/<INJECTION>"it makes a difference whether the injected string is
"; cat secret.txt"(quoted) or; cat secret.txt(unquoted).In some testcases (e.g.,
testcases/owasp/sql-injection.yml) there are teststrings in a quoted context. However, the scanner strips the quotation marks from the teststrings and submits an altered form.This is because in
internal/db/load.gothe yaml configuration is unmarshalled (line 56). There, the quotations around teststrings are deleted.Thanks for looking into this
The text was updated successfully, but these errors were encountered: