What is meaning of Draw=3

sarooptrivedi

https://datatables.net/forums/discussion/32573/usage-of-draw-in-datatables
I seen your above link but in my cyber scan Datatables.net return the draw=3.
what is meaning of it?

allan

The draw parameter (used for server-side processing) is described here:

Sent to the server:

Draw counter. This is used by DataTables to ensure that the Ajax returns from server-side processing requests are drawn in sequence by DataTables (Ajax requests are asynchronous and thus can return out of sequence). This is used as part of the draw return parameter (see below).

Return:

The draw counter that this object is a response to - from the draw parameter sent as part of the data request. Note that it is strongly recommended for security reasons that you cast this parameter to an integer, rather than simply echoing back to the client what it sent in the draw parameter, in order to prevent Cross Site Scripting (XSS) attacks.

Allan

sarooptrivedi

Hey Allan,
My cyber scan returns this value
{"draw":3,"recordsFiltered":0,"recordsTotal":764,"data":[]}

I am still confused, draw is already casted with int. and it is part of sql injection erro through burpsuit

This is the error by burpsuit.
The columns%5B3%5D%5Bsearch%5D%5Bregex%5D parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the columns%5B3%5D%5Bsearch%5D%5Bregex%5D parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

allan

You'll need to tell me what your "cyber scan" is. A security scanner of some kind I guess - it sounds like it might be returning a false positive? You might need to get in touch with the provider to find out what is going on. If your draw parameter is an int, then there can be no injection attack against that parameter.

Allan