augustd/burp-suite-software-version-checks

Consolidate

Closed this issue · 4 comments

Could we consolidate versions if it is the same version on the same host?

For example, if example.org has "nginx/1.10.1" several times in the HTTP server response header, I get 158 issues reported in Burp, although one is enough if the host is the same and the version string is the same but on different URLs.

I've experienced this as well. I think Burp doesn't automatically consolidate duplicates across multiple URLs for the same domain. That is, it only attempts to consolidate issues for the same domain and URL path. This is a good question for the PortSwigger support forums.

Actually, the question has been asked already: https://support.portswigger.net/customer/portal/questions/14330400-iscannercheck-consolidate-duplicate-issues-method

The consolidateDuplicateIssues method does not even get called unless there are already existing issues from the same domain and path. Some custom code will be required to:

  1. Run each time a new version is found
  2. Get the list of issues for this domain
  3. Compare existing issues with the new finding
  4. Only create new scanner issues when there is no duplicate on the same domain

Is there ever a case where you would want to have multiple findings? For example in retesting, to make sure that all locations were fixed?

I think not. In retesting cases you want to find any response that has the version in it, therefore one is again enough.

I think the easiest way to memorize what issues were generated is by simply storing a dictionary (that's Python, in Java that would be a hashmap I guess) which maps hostnames to a list of found version strings. That way you can simply check if it was already reported or not. Your suggestion is maybe better when you restart Burp as the hashmap I suggest is probably not persisted, but then that's a minor issue because that would simply mean you get a maximum of N restart duplicate issues.

Added PR #33 to address this. I'm still not 100% satisfied with it but it is a start. Would appreciate if you could try out the consolidate-duplicates branch and give feedback.

One edge case: Deleting scanner issues from the target tab does not reset the cache of previously discovered versions. Subsequent finds of the same version string will no longer result in a new issue being added.
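
The host-to-versions cache discussed in this thread, together with a way to handle the deleted-issue edge case, as an added example; it is not the code from PR #33 or from the extension. The class and method names are hypothetical, the findings are constructed, and the caller is assumed to supply the version strings of the issues that still exist for a host.

```java
import java.util.Collections;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
// Hypothetical helper (not from PR #33): remembers which version strings
// have already been reported for each host.
public class ReportedVersionCache {
    // lower-cased host -> version strings already reported for that host
    private final Map<String, Set<String>> seen = new ConcurrentHashMap<>();

    private static String key(String host) {
        return host.toLowerCase(Locale.ROOT); // host names are case-insensitive
    }

    // True only the first time a (host, version) pair is offered. Set.add is
    // atomic here, so two scanner threads cannot both get true for one pair.
    public boolean firstSighting(String host, String version) {
        return seen.computeIfAbsent(key(host), h -> ConcurrentHashMap.newKeySet())
                   .add(version);
    }

    // Forget cached versions that no longer have an issue behind them, e.g.
    // after issues were deleted by hand. stillListed holds the version strings
    // taken from the issues that currently exist for the host.
    public void retainOnly(String host, Set<String> stillListed) {
        Set<String> versions = seen.get(key(host));
        if (versions != null) versions.retainAll(stillListed);
    }

    public static void main(String[] args) {
        ReportedVersionCache cache = new ReportedVersionCache();
        // Constructed findings: {host, version string} as seen on different URLs.
        String[][] findings = {
            {"example.org", "nginx/1.10.1"},
            {"example.org", "nginx/1.10.1"},
            {"EXAMPLE.org", "nginx/1.10.1"},
            {"example.org", "PHP/5.6.30"},
            {"test.example.org", "nginx/1.10.1"},
        };
        for (String[] f : findings) {
            String action = cache.firstSighting(f[0], f[1]) ? "report" : "skip";
            System.out.println(f[0] + " " + f[1] + " -> " + action);
        }
        // All issues for example.org were deleted: the next sighting reports again.
        cache.retainOnly("example.org", Collections.emptySet());
        System.out.println("after delete -> " + cache.firstSighting("example.org", "nginx/1.10.1"));
    }
}
```

Calling `retainOnly` before each lookup keeps the cache in step with the issue list, at the cost of reading that list on every finding.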