doc sqli false negative

Nick Galbreath edited this page Nov 29, 2013 · 1 revision

libinjection SQLi False Negatives

Here are some common reasons why a 'false negative' might be occurring:

Input isn't valid SQL

If the input is unlikely to be a valid SQL fragment, then libinjection will not mark it as SQLi. In other words, if it won't successfully execute an attack, it's not marked as SQLi. It will likely cause a syntax error or some other error in the database and those can be detected in a different way.

Many SQLi scanners emit invalid SQL or broken SQL, and it's very easy to make invalid SQL if you are manually hacking.

This may be unlike other WAFs you may have used that work on the principle "if it looks like SQLi, then it is SQLi". libinjection actually checks to make sure the input is SQL.

There are a few invalid SQLi inputs that are detected anyway, mostly as a preventative measure in case of coding mistakes or incomplete SQL parsing.

URL-decoding problems and use of '+'

If modifying the query string directly, please check to make sure that '+' is being correctly decoded into '+' and not into a space character. When this happens, the SQL is frequently modified into something that will cause a syntax error and will not be detected. Try changing the use of '+' to '-' and see if this helps.

Use of fancy unicode quotes

A SQLi example that is cut-n-paste from a WordPress site frequently has fancy Unicode quotes instead of normal single or double quotes. For example, this report has the SQLi 1, 2 that start with:

1′) UNION ALL SELET

Note the Unicode character -- that's not an ASCII " or '. These alternative quotes are not recognized by any SQL engine. Converting the Unicode quotes to ASCII single or double quotes normally allows detection to proceed. For example, the corrected queries 1, 2 are detected correctly.
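The two preceding sections (the '+' decoding issue and the fancy Unicode quotes) are both input-encoding problems rather than detector problems: libinjection is only as good as the string it is handed. The following added example, which is not part of libinjection or this wiki, shows a small canonicalization step a WAF hook or a bug reporter can run on a raw query-string value before calling the detector. It decodes the value the way a form-decoding application parser would (so '+' becomes a space unless it was sent as %2B) and maps copy-pasted Unicode quote look-alikes, including the U+2032 prime in the sample above, to ASCII quotes. The quote table and the sample inputs are constructed for this example.

```python
# Added example (not libinjection's own code): canonicalize a raw
# query-string value before handing it to a SQLi detector.
#
# Two false-negative causes from this page are encoding issues:
#   1. Under form decoding, '+' in a query string means space, so a '+'
#      meant as SQL arithmetic must be sent as %2B. Otherwise the decoded
#      fragment is broken SQL and is (correctly) not flagged.
#   2. "Fancy" Unicode quotes pasted from web pages are not quotes to any
#      SQL engine; mapping them to ASCII lets detection proceed.
from urllib.parse import unquote, unquote_plus

# Constructed mapping of common quote look-alikes to ASCII quotes.
# Extend as needed for your own inputs.
QUOTE_MAP = {
    "\u2018": "'",   # left single quotation mark
    "\u2019": "'",   # right single quotation mark
    "\u201a": "'",   # single low-9 quotation mark
    "\u2032": "'",   # prime, the character in the "1\u2032) UNION ALL" sample above
    "\u00b4": "'",   # acute accent
    "\u201c": '"',   # left double quotation mark
    "\u201d": '"',   # right double quotation mark
    "\u201e": '"',   # double low-9 quotation mark
    "\u2033": '"',   # double prime
}


def normalize_quotes(s):
    """Replace Unicode quote look-alikes with ASCII ' and ".

    Returns (normalized_string, number_of_replacements) so a caller can log
    that the input was altered before detection.
    """
    out = []
    replaced = 0
    for ch in s:
        rep = QUOTE_MAP.get(ch)
        if rep is None:
            out.append(ch)
        else:
            out.append(rep)
            replaced += 1
    return "".join(out), replaced


def decode_as_application_would(raw, form_encoded=True):
    """Percent-decode a query-string value.

    With form_encoded=True (URL query strings and
    application/x-www-form-urlencoded bodies) '+' becomes a space, exactly
    as the application's own parser will treat it. Only %2B survives as a
    literal '+'.
    """
    return unquote_plus(raw) if form_encoded else unquote(raw)


def canonicalize(raw, form_encoded=True):
    """Decode, then normalize quotes. Returns (sql_fragment, quotes_fixed)."""
    decoded = decode_as_application_would(raw, form_encoded)
    return normalize_quotes(decoded)


if __name__ == "__main__":
    # Constructed samples. The tester typed '+' meaning SQL addition in the
    # second one; form decoding turns it into a space and the fragment no
    # longer parses, which is why a detector would not flag it.
    print(decode_as_application_would("1+OR+2%3D1%2B1"))  # -> 1 OR 2=1+1
    print(decode_as_application_would("1+OR+2%3D1+1"))    # -> 1 OR 2=1 1
    # The page's sample with a U+2032 prime, percent-encoded as UTF-8.
    print(canonicalize("1%E2%80%B2)+UNION+ALL+SELECT"))   # -> ("1') UNION ALL SELECT", 1)
```

Run the decoding step with the same `form_encoded` setting your application actually uses; feeding libinjection a string decoded differently from what the database will receive is itself a source of both false negatives and false positives.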

The SQLi is really short

A few very short SQLi might not be detected due to a high incidence of false positives, or inability to tell if the input is malicious or just normal input. Most of these SQLi examples are fairly benign and not interesting.

You found a true bypass!

Congratulations. Please tell us more using the next section.

How do I report a bypass?

The best way is filing a bug report on GitHub, or a new message on Google Groups.

Please include:

  • The database and database version you think you are using.
  • The full SQL query with your injection.
  • Any information on character encoding (is this UTF-8? or something else?).
  • Your Twitter handle or other contact details if you want public credit.

Ideally you can cut-n-paste the output from the database.

Thanks!