Skip to content

ascanrules: Oracle SQLi use DBMS_SESSION.SLEEP #6630

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 16, 2025
Merged

ascanrules: Oracle SQLi use DBMS_SESSION.SLEEP #6630

merged 1 commit into from
Sep 16, 2025

Conversation

@kingthorin
Copy link
Member

@kingthorin kingthorin commented Jul 28, 2025
edited
Loading

Overview

The SQL Injection - Oracle (Time Based) rule now uses DBMS_SESSION.SLEEP instead of an "expensive" query.

Related Issues

@thc202
Copy link
Member

thc202 commented Jul 28, 2025

Why use it at all in insane?

@psiinon
Copy link
Member

psiinon commented Jul 28, 2025
edited
Loading

Logo
Checkmarx One – Scan Summary & Detailsac397a53-1dbc-45e8-b875-abe4dbe1dbdc

Great job! No new security vulnerabilities introduced in this pull request

Use @Checkmarx to reach out to us for assistance.

Just send a PR comment with @Checkmarx followed by a natural language request.

Examples: @Checkmarx how are you able to help me? @Checkmarx rescan this PR

@kingthorin
Copy link
Member Author

kingthorin commented Jul 28, 2025
edited
Loading

Why use it at all in insane?

You mean use only the expensive one at insane? I hadn't put any thought into it. However, now that you've brought it up: Simply because of the length (character count) of the "expensive" version and shouldn't we be increasing the coverage/payloads not trying something totally different? (I think most other places we do more and more, not switch completely)

Or have I totally missed your question?

@thc202
Copy link
Member

thc202 commented Jul 28, 2025

I mean remove the pseudo expensive.

@kingthorin kingthorin force-pushed the oracle-sleep branch 3 times, most recently from 5bf50cb to 10cc765 Compare July 29, 2025 11:42
@kingthorin kingthorin force-pushed the oracle-sleep branch 2 times, most recently from a0acbe4 to 6a2092b Compare August 27, 2025 10:57
thc202
thc202 reviewed Sep 15, 2025
View reviewed changes
@kingthorin
Copy link
Member Author

kingthorin commented Sep 15, 2025

Done & done

thc202
thc202 reviewed Sep 15, 2025
View reviewed changes
@thc202
Copy link
Member

thc202 commented Sep 15, 2025

#6630 (comment)

There's still #6630 (comment)

@kingthorin
Copy link
Member Author

kingthorin commented Sep 15, 2025

Got all those I think.

@kingthorin kingthorin force-pushed the oracle-sleep branch 3 times, most recently from 7cff8f3 to 9fadf75 Compare September 15, 2025 21:43
@thc202
Copy link
Member

thc202 commented Sep 16, 2025

Thank you!

@psiinon psiinon merged commit fbd5d5b into zaproxy:main Sep 16, 2025
9 checks passed
@github-actions github-actions bot locked and limited conversation to collaborators Sep 16, 2025
@kingthorin kingthorin deleted the oracle-sleep branch September 16, 2025 09:08
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@psiinon psiinon psiinon approved these changes

@thc202 thc202 thc202 approved these changes

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kingthorin @thc202 @psiinon