# SQL Injection in String Fields Fuzzer
| Item | Description |
|---|---|
| Full Fuzzer Name | SqlInjectionInStringFieldsFuzzer |
| Log Key | SIISF |
| Description | This fuzzer sends SQL injection payloads into string fields to detect SQL injection vulnerabilities. It uses common SQLi patterns (boolean bypass, comment truncation, UNION-based extraction, and time-based payloads) and analyzes the response for evidence such as SQL error messages, schema leakage, or query result artifacts indicative of injection success. |
| Enabled by default? | Yes |
| Target field types | OpenAPI type string |
| Expected result when fuzzed field is required | 4XX |
| Expected result when fuzzed field is optional | 4XX |
| Expected result when fuzzed value is not matching field pattern | 4XX |
| Fuzzing logic | Iteratively replaces each string field with SQL injection payloads and sends the request to the API: 1. By default, a curated top list of SQLi payloads is used to reduce execution time. 2. If the --includeAllInjectionPayloads flag is enabled, a comprehensive payload set is used (boolean-based, comment-based, UNION SELECT, ORDER BY probing, and time-delay variants). 3. Each payload is injected into one field at a time while keeping the rest of the request unchanged. 4. Each request is expected to be rejected with 4XX. |
| Conditions when this fuzzer will be skipped | When the request payload is empty OR no string fields are present in the request payload (base behavior inherited from BaseSecurityInjectionFuzzer). |
| HTTP methods that will be skipped | HEAD, TRACE (inherited from BaseSecurityInjectionFuzzer) |
| Injection evidence detection | Analyzes the response body for multiple independent SQL indicators, including: • UNION SELECT output artifacts (e.g., presence of union + select plus query-like structures such as from, schema keywords, or table-like output formatting). • Database schema leakage (keywords like information_schema, pg_catalog, sqlite_master, sys.tables, mysql.user, etc.). • SQL error messages (keywords like sql syntax, syntax error, sqlstate, warning: mysql, database error, unterminated string, etc.), especially when combined with other indicators. The fuzzer flags a likely vulnerability when two or more indicators appear in the same response. |
| Reporting | Reports error if: 1. The response contains multiple SQL indicators suggesting injection success or information disclosure. 2. Server responds with 5XX while processing injection payloads. 3. An unexpected response code is returned. Reports info if: 1. Injection payload is properly rejected with 4XX. 2. Injection payload is accepted with 2XX but no strong evidence is detected (validation gap; verify parameterization and input handling). |
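The "Injection evidence detection" and "Reporting" rows above describe a response classifier: count independent SQL indicator categories in the body, flag a likely vulnerability at two or more, and otherwise judge by status code. The following Python is an added example written for this page, not CATS's own implementation; the keyword lists and regular expression are constructed from the categories named in the table, the sample responses are constructed, and it assumes (as the table's ordering suggests) that the multiple-indicator check takes precedence over the status-code checks.

```python
from __future__ import annotations

import re

# Indicator categories from the "Injection evidence detection" row.
# These keyword lists are constructed for this example, not CATS's own.
SCHEMA_KEYWORDS = [
    "information_schema", "pg_catalog", "sqlite_master", "sys.tables", "mysql.user",
]
ERROR_KEYWORDS = [
    "sql syntax", "syntax error", "sqlstate", "warning: mysql",
    "database error", "unterminated string",
]
# UNION SELECT output artifact: union + select followed by a query-like
# structure (FROM, a schema keyword, or table-like "|" column formatting).
UNION_STRUCTURE = re.compile(
    r"\bunion\b.*\bselect\b.*(\bfrom\b|\bschema\b|\|)", re.IGNORECASE | re.DOTALL
)


def detect_indicators(body: str) -> set[str]:
    """Return the set of independent SQL indicator categories found in a response body."""
    lower = body.lower()
    found: set[str] = set()
    if UNION_STRUCTURE.search(body):
        found.add("union_select_artifact")
    if any(keyword in lower for keyword in SCHEMA_KEYWORDS):
        found.add("schema_leakage")
    if any(keyword in lower for keyword in ERROR_KEYWORDS):
        found.add("sql_error_message")
    return found


def classify_response(status: int, body: str) -> tuple[str, str]:
    """Map a (status, body) pair to the error/info verdicts listed in the Reporting row.

    Assumption: evidence in the body outranks the status code, so a leaked
    error plus schema names is reported even on a 4XX.
    """
    indicators = detect_indicators(body)
    if len(indicators) >= 2:
        return "error", f"multiple SQL indicators: {sorted(indicators)}"
    if 500 <= status <= 599:
        return "error", "server responded with 5XX while processing injection payload"
    if 400 <= status <= 499:
        return "info", "injection payload rejected with 4XX"
    if 200 <= status <= 299:
        return "info", "payload accepted with 2XX but no strong evidence; verify parameterization"
    return "error", f"unexpected response code {status}"


# Constructed sample responses (status, body) covering each reporting branch.
SAMPLES: list[tuple[int, str]] = [
    (400, '{"error": "invalid value for field name"}'),
    (200, '{"results": [{"id": 1, "name": "alice"}]}'),
    # A single leaked error message: one indicator only, but the 5XX is reported.
    (500, "You have an error in your SQL syntax; check the manual that "
          "corresponds to your MySQL server version"),
    # Two independent indicators: UNION SELECT artifact plus schema leakage.
    (200, "id | name\n1 | alice\nUNION SELECT table_name FROM information_schema.tables"),
]


def run_samples() -> list[tuple[str, str]]:
    """Classify every constructed sample; verdicts are returned, not just printed."""
    return [classify_response(status, body) for status, body in SAMPLES]


if __name__ == "__main__":
    for (status, _), (level, reason) in zip(SAMPLES, run_samples()):
        print(f"{status} -> {level}: {reason}")
```

Note that a lone SQL error message (the third sample) counts as one indicator and is not reported as injection evidence on its own; it surfaces through the 5XX rule instead, which matches the table's "especially when combined with other indicators" wording.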