diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index b83f37e77..b30948050 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -452,7 +452,7 @@ def heuristicCheckSqlInjection(place, parameter, value):
 logger.info(infoMsg)
 else:
 infoMsg += "not be injectable"
- logger.warning(infoMsg)
+ logger.warn(infoMsg)
 
 def checkDynParam(place, parameter, value):
 """
diff --git a/lib/core/common.py b/lib/core/common.py
index a1903e9a8..ee3811687 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -67,6 +67,7 @@ from lib.core.settings import DUMP_DEL_MARKER
 from lib.core.settings import DUMP_TAB_MARKER
 from lib.core.settings import DUMP_START_MARKER
 from lib.core.settings import DUMP_STOP_MARKER
+from lib.core.settings import MIN_TIME_RESPONSES
 
 class UnicodeRawConfigParser(RawConfigParser):
 """
@@ -1542,7 +1543,15 @@ def wasLastRequestDelayed():
 # 99.9999999997440% of all non time-based sql injection
 # affected response times should be inside +-7*stdev([normal response times])
 # (Math reference: http://www.answers.com/topic/standard-deviation)
- return (kb.lastQueryDuration >= average(kb.responseTimes) + 7 * stdev(kb.responseTimes))
+ deviation = stdev(kb.responseTimes)
+ if deviation:
+ if len(kb.responseTimes) < MIN_TIME_RESPONSES:
+ warnMsg = "time based standard deviation method used "
+ warnMsg += "on a model with less than %d response times" % MIN_TIME_RESPONSES
+ logger.warn(warnMsg)
+ return (kb.lastQueryDuration >= average(kb.responseTimes) + 7 * deviation)
+ else:
+ return kb.lastQueryDuration - conf.timeSec
 
 def extractErrorMessage(page):
 """
diff --git a/plugins/dbms/sqlite/connector.py b/plugins/dbms/sqlite/connector.py
index 0414a9626..7780a2b03 100644
--- a/plugins/dbms/sqlite/connector.py
+++ b/plugins/dbms/sqlite/connector.py
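Review bot: `logger.warn(infoMsg)` replaces the canonical `logger.warning(infoMsg)`; if `logger` is (or wraps) a standard `logging.Logger`, `warn` is the deprecated alias of `warning` (it emits a `DeprecationWarning` on Python 3.3+ and was removed in 3.13), so this substitution is a step backwards rather than a fix. The same `warning` → `warn` change appears in the `wasLastRequestDelayed` hunk of `lib/core/common.py` and in `plugins/dbms/sqlite/connector.py`. Suggest keeping `logger.warning(...)` at all three sites. `heuristicCheckSqlInjection` begins outside the hunk.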
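Review bot: The new `else` branch of `wasLastRequestDelayed` returns `kb.lastQueryDuration - conf.timeSec`, a numeric difference, while the `if deviation:` branch returns a bool from the `>=` comparison. A caller that tests the result as a boolean (the function's name suggests it is used that way) treats any non-zero difference as "delayed", including a negative one where the response came back faster than `conf.timeSec`, so a non-delayed response can be misclassified as delayed. The intended check is presumably `return kb.lastQueryDuration >= conf.timeSec`. Separately, the under-sampled warning is only reached when `deviation` is non-zero, so a model with fewer than `MIN_TIME_RESPONSES` samples that happens to have zero spread falls through silently; placing the `len(kb.responseTimes) < MIN_TIME_RESPONSES` check before `if deviation:` would make the message independent of the spread.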
@@ -49,7 +49,7 @@ class Connector(GenericConnector):
 except (self.__sqlite.DatabaseError, self.__sqlite.OperationalError), msg:
 warnMsg = "unable to connect using SQLite 3 library, trying with SQLite 2"
- logger.warning(warnMsg)
+ logger.warn(warnMsg)
 
 try:
 try: