added IGNORE_PARAMETERS to skip testing of state/session web server parameters

stamparm · stamparm · commit 21114d17486b · 2011-04-13T19:01:02.000Z
diff --git a/lib/controller/controller.py b/lib/controller/controller.py
@@ -44,6 +44,7 @@
 from lib.core.exception import sqlmapUserQuitException
 from lib.core.session import setInjection
 from lib.core.settings import EMPTY_FORM_FIELDS_REGEX
+from lib.core.settings import IGNORE_PARAMETERS
 from lib.core.settings import REFERER_ALIASES
 from lib.core.settings import USER_AGENT_ALIASES
 from lib.core.target import initTargetEnv
@@ -369,6 +370,12 @@ def start():
                             infoMsg = "skipping previously processed %s parameter '%s'" % (place, parameter)
                             logger.info(infoMsg)
 
+                        elif parameter.upper() in IGNORE_PARAMETERS:
+                            testSqlInj = False
+
+                            infoMsg = "ignoring %s parameter '%s'" % (place, parameter)
+                            logger.info(infoMsg)
+
                         # Avoid dinamicity test if the user provided the
                         # parameter manually
                         elif parameter in conf.testParameter or conf.realTest:
diff --git a/lib/core/settings.py b/lib/core/settings.py
@@ -301,3 +301,6 @@
 
 # Maximum integer value
 MAX_INT = sys.maxint
+
+# Parameters to be ignored in detection phase
+IGNORE_PARAMETERS = ("__VIEWSTATE", "__EVENTARGUMENT", "__EVENTTARGET", "__EVENTVALIDATION")
