sqlmap will sometimes trigger a login event when pointed at a login page by bypassing the actual login during its testing process. If this happens, it would be awesome to get the actual string (to then use with curl, burp, or other tools) to be displayed, or otherwise to give the user a notification saying "oops, it looks like we logged in, here's the resulting session cookie".
Do you have an idea for a solution?
Yes - just display the data that is already collected for debug purposes to the user. This could be appended to the 302 redirect handler so that if "suddenly when testing a page it gets redirected to another page", it's highly likely that one of the tests has bypassed the login.
Well, you have multiple mechanisms to do that. You have -t traffic.txt to collect all the requests and responses to the textual file, you have -v (e.g. -v 6) to display all the traffic live in console, etc.
One important thing. Redirects (of any kind) are something that occurs quite often. sqlmap does not have a mechanism to distinguish whether some request was a result of successful login, or maybe some protection mechanism got introduced in the middle of test, or ....
I could do some generic stuff, but I am really scared that users won't know what to do with that info. Also, in lots of cases, claiming that something was resulting with "successful" login will introduce lots and lots of new issues where people will nag how they are getting some new "false positives".
Ah. You make good points.
I used -v 4 to find the input which resulted in the redirect the first time. Perhaps in addition to asking "would you like to follow the redirect", sqlmap could also ask "would you like to see the input that caused the redirect" - hopefully phrasing it that way doesn't presume "successful login", and people who don't care about it can just say no.
@stamparm I have a better idea:
Once sqlmap sees the request for a redirect, in the background go to the page and look for a response using regular expressions:
(log[_\-\s]?out|sign[_\-\s]?out|log[_\-\s]?off|sign[_\-\s]?off|exit|quit|bye-bye|clearuser|invalidate|выход|выйти|закрыть сеанс|завершить сеанс|закончить сеанс|завершить работу|закончить работу|выйти из системы|выход из системы)
As soon as it finds a coincidence about the exit from the site, we can offer the user cookies.
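The marker check proposed in the comment above, as an added example that is not part of the thread or of sqlmap's code: it contrasts searching the whole response body with searching only link, button and form targets, which illustrates the false-positive concern raised earlier in the thread. The function names and sample pages are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Regular expression quoted from the comment above, split across lines.
LOGOUT_RE = re.compile(
    r"(log[_\-\s]?out|sign[_\-\s]?out|log[_\-\s]?off|sign[_\-\s]?off|exit|quit"
    r"|bye-bye|clearuser|invalidate|выход|выйти|закрыть сеанс|завершить сеанс"
    r"|закончить сеанс|завершить работу|закончить работу|выйти из системы"
    r"|выход из системы)", re.I)

# Constructed sample bodies (not captured traffic).
LOGIN_PAGE = ('<html><body><p>Invalid password. Quit trying after 3 attempts.</p>'
              '<form action="/login" method="post"><input name="user"></form>'
              '</body></html>')
ACCOUNT_PAGE = ('<html><body><h1>Welcome</h1>'
                '<a href="/account/logout">Sign out</a></body></html>')

class ControlCollector(HTMLParser):
    """Collects targets and visible text of <a>, <button> and <form> elements."""
    def __init__(self):
        super().__init__()
        self.candidates = []
        self._depth = 0  # > 0 while inside <a> or <button>

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "button", "form"):
            self.candidates += [v for k, v in attrs
                                if k in ("href", "action", "formaction") and v]
        if tag in ("a", "button"):
            self._depth += 1

    def handle_endtag(self, tag):
        if tag in ("a", "button") and self._depth:
            self._depth -= 1

    def handle_data(self, data):
        if self._depth and data.strip():
            self.candidates.append(data.strip())

def naive_match(body):
    """Search the raw body; any prose containing 'quit' or 'exit' matches."""
    m = LOGOUT_RE.search(body)
    return m.group(0) if m else None

def control_match(body):
    """Search only link/button/form targets and their visible text."""
    parser = ControlCollector()
    parser.feed(body)
    parser.close()
    hits = (LOGOUT_RE.search(c) for c in parser.candidates)
    return next((m.group(0) for m in hits if m), None)
```

A hit from `control_match` is still only a hint that the page offers a logout control, not proof that a session was established.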