@@ -394,7 +394,6 @@ private void searchForMathsExecution(
394394 HttpMessage newMsg = getNewMsg ();
395395 setParameter (newMsg , paramName , renderTest );
396396 sendAndReceive (newMsg , false );
397- sendAndReceive (newMsg , true );
398397
399398 for (SinkPoint sink : sinksToTest ) {
400399
@@ -432,6 +431,44 @@ private void searchForMathsExecution(
432431 }
433432 }
434433 }
434+ sendAndReceive (newMsg , true );
435+ for (SinkPoint sink : sinksToTest ) {
436+
437+ String output = sink .getCurrentStateInString (newMsg , paramName , renderTest );
438+
439+ for (String renderResult : renderExpectedResults ) {
440+ // Some rendering tests add html tags so we can not only search for
441+ // the delimiters with the arithmetic result inside. Regex searches
442+ // may be expensive, so first we check if the result exist in the
443+ // response and only then we check if it inside the delimiters and
444+ // was originated by our payload.
445+ String regex =
446+ "[\\ w\\ W]*"
447+ + DELIMITER
448+ + ".*"
449+ + renderResult
450+ + ".*"
451+ + DELIMITER
452+ + "[\\ w\\ W]*" ;
453+
454+ if (output .contains (renderResult )
455+ && output .matches (regex )
456+ && sstiPayload .engineSpecificCheck (regex , output , renderTest )) {
457+
458+ String attack = getOtherInfo (sink .getLocation (), output );
459+
460+ createAlert (
461+ newMsg .getRequestHeader ().getURI ().toString (),
462+ paramName ,
463+ renderTest ,
464+ attack )
465+ .setMessage (newMsg )
466+ .raise ();
467+ found = true ;
468+ }
469+ }
470+ }
471+
435472 } catch (SocketException ex ) {
436473 LOGGER .debug ("Caught {} {}" , ex .getClass ().getName (), ex .getMessage ());
437474 } catch (IOException ex ) {
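Review bot: The added loop over sinksToTest (new lines 435-470) is a near-verbatim copy of the loop that already follows the first sendAndReceive(newMsg, false) in the earlier hunk, so the rendering-result check now lives in two places that must be kept in sync; extract it into a private helper such as `private boolean checkSinksForRenderedResult(HttpMessage newMsg, String paramName, String renderTest)` that returns whether an alert was raised, and call it once after each sendAndReceive, e.g. `found |= checkSinksForRenderedResult(newMsg, paramName, renderTest);`. While moving it, note that renderResult (and DELIMITER) are concatenated into the pattern unescaped; if either can ever contain a regex metacharacter the `output.matches(regex)` check changes meaning, so `Pattern.quote(renderResult)` would be the safer building block — this looks benign if the expected results are plain arithmetic strings, which I cannot confirm from the hunk. The helper would also let the pattern be compiled once per renderResult instead of on every `String.matches` call, which the comment in the hunk itself flags as potentially expensive. The enclosing try block and the body of searchForMathsExecution start before this hunk and continue past the catch clauses shown.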