OWASP-Benchmark / BenchmarkUtils

OWASP Benchmark Project Utilities - Provides scorecard generation and crawling tools for Benchmark style test suites.
https://owasp.org/www-project-benchmark/
GNU General Public License v3.0

BenchmarkTest00037 missing a parameter in crawler #44

Closed giper45 closed 1 year ago

giper45 commented 1 year ago

I've seen that BenchmarkTest00037 contains the following parameters:

    <benchmarkTest URL="https://localhost:8443/benchmark/sqli-00/BenchmarkTest00037" tcName="BenchmarkTest00037" tcType="SERVLET">
        <formparam name="answer" value="" />
        <formparam name="bar" value="BenchmarkTest00037" />
    </benchmarkTest>

but the form also contains another parameter (where bar is inserted):


HTML code:

    <form action="/benchmark/sqli-00/BenchmarkTest00037" method="POST" id="FormBenchmarkTest00037" autocomplete="off">
      <div>
        <label>Please explain your answer:</label>
      </div>
      <br>
      <div>
        <textarea rows="4" cols="50" id="BenchmarkTest00037Area" name="BenchmarkTest00037Area"></textarea>
      </div>
      <div>
        <label>Any additional note for the reviewer:</label>
      </div>
      <div>
        <input type="text" id="answer" name="answer">
      </div>
      <br>
      <div>
        <label>An AJAX request will be sent with a parameter value 'BenchmarkTest00037' and name:</label> <input type="text" id="BenchmarkTest00037" name="BenchmarkTest00037" value="bar" class="safe">
      </div>
      <div>
        <input type="button" id="login-btn" value="Login" method="submitParameterNamesForm" testcase="BenchmarkTest00037">
      </div>
    </form>


Was this intended? The change should be applied to the data/benchmark-crawler-http.xml file.
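A quick way to spot this kind of mismatch is to diff the named fields of a test-case form against the `<formparam>` entries in the crawler config. The script below is an added example, not BenchmarkUtils code; the XML and HTML inputs are constructed from the snippets quoted in this issue, and the check also recognises the case where the page submits a field with its name and value exchanged (the `name: bar` input), so that only genuinely uncrawled fields are reported.

```python
"""Diff a Benchmark test-case form against the crawler's <formparam> list."""
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed crawler entry, mirroring the benchmark-crawler-http.xml lines quoted in the issue.
CRAWLER_XML = """<benchmarkSuite>
  <benchmarkTest URL="https://localhost:8443/benchmark/sqli-00/BenchmarkTest00037" tcName="BenchmarkTest00037" tcType="SERVLET">
    <formparam name="answer" value="" />
    <formparam name="bar" value="BenchmarkTest00037" />
  </benchmarkTest>
</benchmarkSuite>"""

# Constructed page, a trimmed copy of the form quoted in the issue (the button has no name).
PAGE_HTML = """<form action="/benchmark/sqli-00/BenchmarkTest00037" method="POST">
  <textarea name="BenchmarkTest00037Area"></textarea>
  <input type="text" id="answer" name="answer">
  <input type="text" name="BenchmarkTest00037" value="bar" class="safe">
  <input type="button" id="login-btn" value="Login">
</form>"""

class FormFieldParser(HTMLParser):
    """Collect name -> value for every named input, textarea or select."""
    def __init__(self):
        super().__init__()
        self.fields = {}
    def handle_starttag(self, tag, attrs):
        if tag in ("input", "textarea", "select"):
            a = dict(attrs)
            if a.get("name"):
                self.fields[a["name"]] = a.get("value") or ""

def form_fields(html):
    parser = FormFieldParser()
    parser.feed(html)
    return parser.fields

def crawler_params(xml, tc_name):
    for tc in ET.fromstring(xml).iter("benchmarkTest"):
        if tc.get("tcName") == tc_name:
            return {fp.get("name"): fp.get("value") or "" for fp in tc.iter("formparam")}
    return {}

def compare(html, xml, tc_name):
    """Return (ui_only, crawler_only, swapped); swapped = page fields the JS sends as value=name."""
    ui, crawled = form_fields(html), crawler_params(xml, tc_name)
    swapped = sorted((n, v) for n, v in ui.items() if v in crawled and crawled[v] == n)
    explained = {n for n, _ in swapped} | {v for _, v in swapped}
    ui_only = sorted(set(ui) - set(crawled) - explained)
    crawler_only = sorted(set(crawled) - set(ui) - explained)
    return ui_only, crawler_only, swapped
```

For this test case the result is `(['BenchmarkTest00037Area'], [], [('BenchmarkTest00037', 'bar')])`: the textarea is the only field the crawler does not send, and the `bar` parameter is accounted for by the swapped input.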

giper45 commented 1 year ago

By looking at the vulnerability better, it seems that, even if all the parameters are not present, the vulnerable one is present (it is triggered when you change the parameter name instead of the value!). Thank you anyway.

davewichers commented 1 year ago

@giper45 - yes, that's correct. The crawler crawls all the relevant parameters, but not necessarily all the parameters supported by the UI.