What is meaning of Draw=3

What is meaning of Draw=3

sarooptrivedisarooptrivedi Posts: 59Questions: 18Answers: 2

https://datatables.net/forums/discussion/32573/usage-of-draw-in-datatables
I seen your above link but in my cyber scan Datatables.net return the draw=3.
what is meaning of it?

This question has an accepted answers - jump to answer

Answers

  • allanallan Posts: 63,205Questions: 1Answers: 10,415 Site admin

    The draw parameter (used for server-side processing) is described here:

    Sent to the server:

    Draw counter. This is used by DataTables to ensure that the Ajax returns from server-side processing requests are drawn in sequence by DataTables (Ajax requests are asynchronous and thus can return out of sequence). This is used as part of the draw return parameter (see below).

    Return:

    The draw counter that this object is a response to - from the draw parameter sent as part of the data request. Note that it is strongly recommended for security reasons that you cast this parameter to an integer, rather than simply echoing back to the client what it sent in the draw parameter, in order to prevent Cross Site Scripting (XSS) attacks.

    Allan

  • sarooptrivedisarooptrivedi Posts: 59Questions: 18Answers: 2

    Hey Allan,
    My cyber scan returns this value
    {"draw":3,"recordsFiltered":0,"recordsTotal":764,"data":[]}

    I am still confused, draw is already casted with int. and it is part of sql injection erro through burpsuit

    This is the error by burpsuit.
    The columns%5B3%5D%5Bsearch%5D%5Bregex%5D parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the columns%5B3%5D%5Bsearch%5D%5Bregex%5D parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

  • allanallan Posts: 63,205Questions: 1Answers: 10,415 Site admin
    Answer ✓

    You'll need to tell me what your "cyber scan" is. A security scanner of some kind I guess - it sounds like it might be returning a false positive? You might need to get in touch with the provider to find out what is going on. If your draw parameter is an int, then there can be no injection attack against that parameter.

    Allan

Sign In or Register to comment.