Logsensor: Scanning Thousands of Subdomains for Login Panels and POST-Based SQL Injection

Hook

Most SQL injection scanners miss POST-based vulnerabilities in login forms—the exact attack surface where credentials and sensitive data flow through applications every second.

Context

Bug bounty reconnaissance typically involves two separate workflows: discovering login panels across dozens or hundreds of subdomains, then testing those endpoints for vulnerabilities. Tools like dirsearch or ffuf excel at finding paths, while sqlmap dominates injection testing, but bridging these workflows means managing output files, parsing results, and manually feeding targets from one tool into another.

Logsensor emerged from this friction point in the bug bounty ecosystem. When you're triaging a scope with 500 subdomains, you need to quickly identify which applications expose authentication surfaces and whether those forms have obvious SQLi vulnerabilities before investing time in deeper testing. The tool addresses a specific gap: automated POST-based SQL injection testing on discovered login panels, something that requires either manual work or complex tool chaining with traditional scanners.

Technical Insight

At its core, Logsensor implements two scanning modes that share a common multiprocessing architecture. The login panel discovery mode performs concurrent HTTP requests across target URLs, using BeautifulSoup to parse HTML responses and identify form elements based on configurable patterns.

The multiprocessing implementation is straightforward but effective. Here's how the tool structures concurrent scanning:

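from multiprocessing.dummy import Pool as ThreadPool
import requests
from bs4 import BeautifulSoup

def scan_login_panel(url):
    """Fetch one URL and report whether it serves a form with a password field."""
    try:
        # verify=False skips TLS certificate validation for this request
        response = requests.get(url, timeout=10, verify=False)
    except requests.RequestException:
        # Timeout, connection or TLS failure: no result for this URL
        return None
    soup = BeautifulSoup(response.content, 'html.parser')

    # Look for common login form indicators
    for form in soup.find_all('form'):
        inputs = form.find_all('input')
        # The type attribute may be absent or mixed-case, so normalise it
        input_types = [(inp.get('type') or '').lower() for inp in inputs]

        if 'password' in input_types:
            return {'url': url, 'status': 'LOGIN_FOUND', 'form': form}
    return None

# Target list passed with -t; one URL per line is assumed here
with open('targets.txt') as fh:
    target_urls = [line.strip() for line in fh if line.strip()]

# Process multiple targets concurrently
pool = ThreadPool(30)  # Default thread count
results = pool.map(scan_login_panel, target_urls)
pool.close()
pool.join()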

The login detection logic relies on password input field identification—a simple heuristic that catches most authentication forms while generating minimal false positives. The tool also searches for common login-related keywords in form actions and input names (like "login", "signin", "auth"), which you can customize through command-line parameters to match specific application patterns.

Where Logsensor differentiates itself is the POST-based SQLi module. Rather than just discovering forms, it actively tests them by injecting payloads into POST parameters and analyzing responses for database error signatures. The tool maintains a payload list with common error-based injection strings:

sqli_payloads = [
    "'",
    "')",
    "' OR '1'='1",
    "' OR '1'='1'--",
    "admin' --",
    "' UNION SELECT NULL--",
    "1' ORDER BY 1--+",
    "1' ORDER BY 2--+",
    "1' ORDER BY 3--+"
]

error_signatures = [
    "SQL syntax",
    "mysql_fetch",
    "Warning: mysql",
    "PostgreSQL.*ERROR",
    "ORA-[0-9][0-9][0-9][0-9]",
    "Microsoft SQL Native Client error",
    "SQLite/JDBCDriver",
    "SQLite.Exception"
]

For each discovered form, the scanner extracts input field names, constructs POST requests with injected payloads, and performs regex matching against response bodies for database-specific error messages. When an error signature matches, Logsensor flags the form as potentially vulnerable and logs the specific payload and database type detected.
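The matching step described above can also be turned on your own application's responses to check whether its error pages leak database errors. This is an added example, not Logsensor's code: the patterns are the ones listed above, while the database labels, the function names and the sample response bodies are assumptions constructed for illustration.

```python
import re

# Signature patterns copied from the list above. The database label attached
# to each one is an assumption of this example, not taken from the tool.
SIGNATURES = [
    (r"SQL syntax", "MySQL"),
    (r"mysql_fetch", "MySQL"),
    (r"Warning: mysql", "MySQL"),
    (r"PostgreSQL.*ERROR", "PostgreSQL"),
    (r"ORA-[0-9][0-9][0-9][0-9]", "Oracle"),
    (r"Microsoft SQL Native Client error", "Microsoft SQL Server"),
    (r"SQLite/JDBCDriver", "SQLite"),
    (r"SQLite.Exception", "SQLite"),
]
COMPILED = [(re.compile(pattern), db) for pattern, db in SIGNATURES]

def leaked_db_errors(body):
    """Return (database, matched_text) for every signature found in a body."""
    hits = []
    for pattern, db in COMPILED:
        match = pattern.search(body)
        if match:
            hits.append((db, match.group(0)))
    return hits

def audit(responses):
    """Map each path to its hits, keeping only paths whose body leaks an error."""
    report = {}
    for path, body in responses.items():
        hits = leaked_db_errors(body)
        if hits:
            report[path] = hits
    return report

# Constructed response bodies from a hypothetical application under review.
SAMPLE_RESPONSES = {
    "/login": "<b>Warning</b>: You have an error in your SQL syntax near ''''",
    "/admin/login": "java.sql.SQLException: ORA-00933: SQL command not properly ended",
    "/portal/signin": "<h1>Something went wrong</h1><p>Reference 7f3a</p>",
}

if __name__ == "__main__":
    for path, hits in audit(SAMPLE_RESPONSES).items():
        print(path, hits)
```

The generic error page on `/portal/signin` produces no hit, which is exactly the case in which signature matching says nothing about whether the query behind the form is safe.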

The proxy support is particularly useful for bug bounty workflows. By routing requests through Burp Suite or similar tools, you can inspect the exact payloads being sent, modify them on the fly, or save interesting requests for manual exploitation:

python logsensor.py -t targets.txt --sqli --proxy http://127.0.0.1:8080

This integration point transforms Logsensor from a standalone scanner into a payload generator that feeds your interception proxy, letting you leverage both automation and manual testing techniques. The tool handles the tedious work of form discovery and parameter extraction while you focus on analyzing responses and crafting advanced exploitation techniques.

One architectural choice worth noting: Logsensor uses multiprocessing.dummy.Pool (thread-based) rather than true multiprocessing with separate Python processes. For I/O-bound HTTP requests, threading provides better performance than process-based parallelism while avoiding the overhead of inter-process communication. The default 30-thread configuration balances scan speed against the risk of overwhelming target servers or triggering rate limiting.

Gotcha

The tool's SQLi detection is limited to error-based injection, meaning it completely misses blind and time-based vulnerabilities—techniques that constitute the majority of SQLi findings in modern applications with proper error handling. The GitHub roadmap lists time-based blind SQLi as "TODO", but this remains unimplemented. If an application returns generic error pages or swallows database errors (which is increasingly common), Logsensor will report no vulnerabilities even when severe SQLi exists.

There are also no WAF evasion or obfuscation capabilities. The payloads are sent exactly as written in the payload list, making them trivial for any modern web application firewall to detect and block. During testing against applications with Cloudflare or AWS WAF, you'll likely see your IP banned before completing a scan. The tool lacks randomized delays, user-agent rotation, or header manipulation—basic features needed for stealthy reconnaissance. Additionally, the error signatures are relatively limited and may miss database-specific error patterns from less common systems like MariaDB, CockroachDB, or proprietary databases. You're essentially trading comprehensive coverage for speed and simplicity.
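Because the payloads arrive unmodified, a defender can match them exactly in logged form submissions once the body is URL-decoded. The following is an added example, not part of Logsensor: it flags source addresses that submit several distinct payloads from the list above. The record layout, the threshold, the function names and the log entries are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlencode

# Payload strings copied from the list above.
KNOWN_PAYLOADS = {
    "'", "')", "' OR '1'='1", "' OR '1'='1'--", "admin' --",
    "' UNION SELECT NULL--", "1' ORDER BY 1--+", "1' ORDER BY 2--+",
    "1' ORDER BY 3--+",
}

def flag_sources(records, min_distinct=3):
    """Map client IP -> sorted distinct known payloads seen in its POST bodies.

    Only sources with at least min_distinct different payloads are returned,
    so one stray apostrophe typed by a user does not raise an alert.
    """
    seen = defaultdict(set)
    for rec in records:
        if rec["method"] != "POST":
            continue
        # parse_qsl URL-decodes each form field value before comparison
        for _field, value in parse_qsl(rec["body"], keep_blank_values=True):
            if value in KNOWN_PAYLOADS:
                seen[rec["ip"]].add(value)
    return {ip: sorted(p) for ip, p in seen.items() if len(p) >= min_distinct}

def _post(ip, username, password):
    """Build one constructed log record with a form-encoded body."""
    body = urlencode({"username": username, "password": password})
    return {"ip": ip, "method": "POST", "path": "/login", "body": body}

# Constructed log entries; addresses come from documentation ranges.
SAMPLE_LOG = [
    _post("198.51.100.7", "'", "x"),
    _post("198.51.100.7", "' OR '1'='1", "x"),
    _post("198.51.100.7", "admin' --", "x"),
    _post("203.0.113.20", "o'brien", "correct horse"),
    _post("203.0.113.20", "'", "typo"),
    {"ip": "203.0.113.21", "method": "GET", "path": "/login", "body": ""},
]

if __name__ == "__main__":
    for ip, payloads in flag_sources(SAMPLE_LOG).items():
        print(ip, payloads)
```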

Verdict

Use if you're conducting bug bounty reconnaissance on large scope lists (100+ subdomains) and need rapid triage to identify authentication surfaces worth manual investigation, or if you're specifically hunting low-hanging fruit in older applications that leak verbose database errors. This is a first-pass filtering tool that excels at quickly narrowing down targets from hundreds to dozens.

Skip if you need comprehensive SQLi testing beyond error-based detection, require stealth and WAF evasion for professional engagements, want authenticated scanning capabilities, or need structured output for integration with reporting platforms. For those scenarios, invest time in sqlmap for thorough injection testing or nuclei for template-based scanning with better extensibility. Logsensor occupies a narrow but useful niche—it won't replace your primary testing tools, but it might save you several hours of manual form hunting during initial reconnaissance.