Closed DelvinBa closed 5 months ago
@DelvinBa I see that I've added endpoint /bWAPP/sqli_1.php
to the scan list so it means I managed to inject the URL with jSQL.
And it should work until at least bWAPP challenge 17 according to my tests.
You should check the URL parameters consistency and the preferences options. So retry the test with:
title
after param action
)Follow HTTP redirection
enabled

Thanks for the quick answer. My scans still detect nothing. Do your scans detect SQL injections in bWAPP? In the screenshots below you can also see that I get redirected to the login. Checking the network requests, the tabs "source" and "preview" reveal that I got redirected, right? I think that is a problem... There should be no redirect at all. I also get this exception "unable to create native thread: possibly out of memory or process/resource limits reached" sometimes.

You're right, the cookie is not properly processed. Also, it's working fine on jSQL v0.90 without any option required (see screenshot).
So I suppose that since v0.91 jSQL is aligned with the latest cookie RFC, and I guess bWAPP is maybe not compatible with the latest cookie pattern (bWAPP source code is 10 years old).
Or I introduced a bug... Sad that no regression was detected by the Spring integration tests when it passed from v0.90 to v0.91. Also, the jSQL CI/CD pipeline definitely requires adding Apache/PHP integration tests to cover similar regressions (and it needs Python, .NET and Node server integration tests as well).
Until I or anyone else checks in more detail, you may download and use v0.90. Thanks for the report.

Hi there,
I have a similar issue. I noticed that the sent cookie value is surrounded by quotation marks. I wonder if that's the reason why it doesn't work.
@racocvr Yes, you may retry with v0.90 until I get it fixed.
Fixed in v0.96. I've added you @DelvinBa as bug reporter into v0.96 release description and added both of you to rolling startup message in jSQL.
Reminding everyone who subscribed to the repo notifications and who is reading this note that you are welcome to contribute; a free mention of contributors is usually displayed when the tool starts :)
Thanks again for the report.

So the problem is that I am testing a test case where I know there is an SQL injection, but the tool detects nothing. It is working in test cases where I have to set no cookies. But when there is a session cookie involved, it does not work. First the output says: "cookies set by host..." => here it changes the session cookie to another value somehow. Then: Found status HTTP 302 Redirection => I think it redirects to the login page, because the tool now uses another session cookie(?). After that it goes on with testing, but it detects nothing. So maybe I am setting the cookie wrong. The same setup works well with sqlmap, so I guess I am using the tool wrong. Above is a picture of my request and the error. Also another question: How can I specify that, for example, only the parameter "title" gets tested?

Thank you! I am comparing sqli tools in my bachelor thesis, and yours is one of them :) I also wrote you a message on X, it would be nice if we can stay in touch, so that I can get the most out of your tool.
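
One way to check a captured request/response pair for the three symptoms reported in this thread (a cookie value sent in quotation marks, a session cookie replaced by the host, and a 302 to the login page). This is an added example, not jSQL code or part of the original discussion; the cookie name `PHPSESSID`, the `login` path hint and the sample headers are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

LOGIN_HINT = "login"  # assumption: the login page path contains "login"

def parse_cookie_header(value):
    """Split a Cookie request header into name -> raw value, keeping any quotes."""
    pairs = {}
    for part in value.split(";"):
        if "=" in part:
            name, raw = part.strip().split("=", 1)
            pairs[name] = raw
    return pairs

def diagnose(request_headers, status, response_headers):
    """Return a list of findings for one request/response pair.

    response_headers is a list of (name, value) tuples because Set-Cookie may repeat.
    """
    findings = []
    sent = parse_cookie_header(request_headers.get("Cookie", ""))
    # Symptom 1: the client wrapped a cookie value in double quotes.
    for name, raw in sent.items():
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            findings.append(f"quoted-cookie:{name}")
    for hname, hval in response_headers:
        key = hname.lower()
        # Symptom 2: the host issues a new value for a cookie we already sent,
        # which means it did not accept the session we presented.
        if key == "set-cookie":
            name, _, rest = hval.partition("=")
            name, new_value = name.strip(), rest.split(";", 1)[0]
            if name in sent and new_value != sent[name].strip('"'):
                findings.append(f"session-replaced:{name}")
        # Symptom 3: a redirect whose target looks like the login page.
        if key == "location" and 300 <= status < 400:
            if LOGIN_HINT in urlsplit(hval).path.lower():
                findings.append("redirect-to-login")
    return findings

# Constructed sample traffic (not captured from jSQL or bWAPP).
BROKEN = diagnose(
    {"Cookie": 'PHPSESSID="abc123"; theme=dark'}, 302,
    [("Set-Cookie", "PHPSESSID=zzz999; path=/"), ("Location", "login.php")])
HEALTHY = diagnose(
    {"Cookie": "PHPSESSID=abc123; theme=dark"}, 200,
    [("Content-Type", "text/html")])

if __name__ == "__main__":
    print("broken :", BROKEN)
    print("healthy:", HEALTHY)
```

If all three findings appear together on the first authenticated request, later "nothing detected" results come from scanning the login page rather than the target endpoint.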