Expand file tree Collapse file tree 3 files changed +9
-3
lines changed Original file line number Diff line number Diff line change 5454from lib .core .settings import EMPTY_FORM_FIELDS_REGEX
5555from lib .core .settings import IGNORE_PARAMETERS
5656from lib .core .settings import LOW_TEXT_PERCENT
57+ from lib .core .settings import GOOGLE_ANALYTICS_COOKIE_PREFIX
5758from lib .core .settings import HOST_ALIASES
5859from lib .core .settings import REFERER_ALIASES
5960from lib .core .settings import USER_AGENT_ALIASES
@@ -452,7 +453,7 @@ def start():
452453 logger .info (infoMsg )
453454
454455 # Ignore session-like parameters for --level < 4
455- elif conf .level < 4 and parameter .upper () in IGNORE_PARAMETERS :
456+ elif conf .level < 4 and ( parameter .upper () in IGNORE_PARAMETERS or parameter . upper (). startswith ( GOOGLE_ANALYTICS_COOKIE_PREFIX )) :
456457 testSqlInj = False
457458
458459 infoMsg = "ignoring %s parameter '%s'" % (place , parameter )
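Review bot: The comment two lines above the changed `elif` still reads `# Ignore session-like parameters for --level < 4`, but the branch now also skips any parameter whose upper-cased name starts with GOOGLE_ANALYTICS_COOKIE_PREFIX, so the comment undersells what is being excluded; I would update it to `# Ignore session-like parameters and Google Analytics cookies for --level < 4`. The new condition also evaluates `parameter.upper()` twice on one long line; since the `if`/`elif` chain begins outside the hunk a local cannot simply be inserted before this branch, but a small predicate such as `def _isAnalyticsCookie(name): return name.upper().startswith(GOOGLE_ANALYTICS_COOKIE_PREFIX)` would keep the `elif` readable and give the common.py call site the same check. As with IGNORE_PARAMETERS, the skip only applies below level 4, so the "ignoring %s parameter" message on the following lines correctly covers the new case as well. The enclosing `start()` continues on both sides of the hunk.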
Original file line number Diff line number Diff line change 9797from lib .core .settings import FORCE_COOKIE_EXPIRATION_TIME
9898from lib .core .settings import FORM_SEARCH_REGEX
9999from lib .core .settings import GENERIC_DOC_ROOT_DIRECTORY_NAMES
100+ from lib .core .settings import GOOGLE_ANALYTICS_COOKIE_PREFIX
100101from lib .core .settings import HASHDB_MILESTONE_VALUE
101102from lib .core .settings import HOST_ALIASES
102103from lib .core .settings import INFERENCE_UNKNOWN_CHAR
@@ -556,8 +557,9 @@ def paramToDict(place, parameters=None):
556557 testableParameters [parameter ] = "=" .join (parts [1 :])
557558 if not conf .multipleTargets :
558559 _ = urldecode (testableParameters [parameter ], convall = True )
559- if _ .strip (DUMMY_SQL_INJECTION_CHARS ) != _ \
560- or re .search (r'\A9{3,}' , _ ) or re .search (DUMMY_USER_INJECTION , _ ):
560+ if (_ .strip (DUMMY_SQL_INJECTION_CHARS ) != _ \
561+ or re .search (r'\A9{3,}' , _ ) or re .search (DUMMY_USER_INJECTION , _ ))\
562+ and not parameter .upper ().startswith (GOOGLE_ANALYTICS_COOKIE_PREFIX ):
561563 warnMsg = "it appears that you have provided tainted parameter values "
562564 warnMsg += "('%s') with most probably leftover " % element
563565 warnMsg += "chars/statements from manual SQL injection test(s). "
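Review bot: The two trailing backslashes in the rewritten condition are redundant now that the disjunction is wrapped in parentheses, and the mixed `(... \` / `...)\` continuation makes the precedence hard to read at a glance; dropping the backslashes and breaking after `or` inside the parentheses, or computing `isAnalyticsCookie = parameter.upper().startswith(GOOGLE_ANALYTICS_COOKIE_PREFIX)` on the line before the `if` and writing `if (...) and not isAnalyticsCookie:`, would say the same thing more plainly. The intent appears to be that Google Analytics cookie values legitimately contain characters that trip the tainted-value heuristic, so a one-line comment above the `if` stating that (e.g. `# Google Analytics cookies carry delimiter characters that look like leftover injection payload`) would spare the next reader from re-deriving why the exemption is safe; I am inferring the motivation from the surrounding warnMsg text, so please confirm before committing the wording. The enclosing `paramToDict` starts before the hunk and continues after it.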
Original file line number Diff line number Diff line change 340340# Regular expression used for recognition of ASP.NET control parameters
341341ASP_NET_CONTROL_REGEX = r"(?i)\Actl\d+\$"
342342
343+ # Prefix for Google analytics cookie names
344+ GOOGLE_ANALYTICS_COOKIE_PREFIX = "__UTM"
345+
343346# Turn off resume console info to avoid potential slowdowns
344347TURN_OFF_RESUME_INFO_LIMIT = 20
345348
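Review bot: The comment on the new constant should state that the value is stored upper-cased and is only meaningful when compared against an upper-cased parameter name, because both call sites in this commit rely on `parameter.upper().startswith(GOOGLE_ANALYTICS_COOKIE_PREFIX)` and a future caller doing a plain `startswith` would silently never match the lower-case cookie names actually sent by browsers; `# Prefix for Google Analytics cookie names (upper-cased; compare against parameter.upper())` makes that contract explicit. Otherwise the constant fits the style of the neighbouring settings.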