File write failure on scan (Burp on Windows 10)
Closed this issue · 3 comments
Version 1.15
Burp version 2022.3.8
Burp Build Number 13217
Burp Update Channel Stable
Windows 10
java.runtime.version 17.0.2+8-86
Errors produced on running a scan (repeated many times):
[-] Unexpected OS file write was prevented.
[-] Error saving the file - saveFile IOException.
[-] Unexpected OS file write was prevented.
[-] Error saving the file - saveFile IOException.
[-] Unexpected OS file write was prevented.
[-] Error saving the file - saveFile IOException.
Hello,
This behavior is intended. Just to clarify, these errors can occur during the JS Source Mapper scans (active or passive).
It seems the target website you were scanning had path traversal characters in the sources field(s) of the JS map files or base64 inline ones, which could lead to writing data outside of the intended directory.
Since this is extremely undesirable due to obvious security concerns, the scanner stops and throws these errors.
A better failover mechanism would be to store the files in the "tmp" directory for example. I can improve that in a future release.
Sanitize to remove ../ and save to root?
In general, block-listing is not a good approach from a security point of view.
Nevertheless, I double-checked the code and did some testing, and it seems that my earlier suggestion was already implemented; bad memory here, sorry.
So even though these errors were triggered, the files should still be stored on your system in the "tmp" folder, can you please double check and confirm that?
The folder location should be in Burp's JS source mapper issue, which follows this pattern:
<your-home-directory>/.BurpSuite/JS-Miner/<your-target-website.com>-<timeStamp>/tmp
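The containment check and the "tmp" fallback discussed in the two maintainer replies above, as an added example that is not JS Miner's own code (the extension is written in Java; this Python sketch, its constructed sample source map, and the function names `load_source_map`, `contained_path` and `save_sources` are mine). It decodes a map given either as raw JSON or as a base64 `data:` URI, checks each `sources` entry against the resolved output directory rather than stripping `../` (the deny-listing approach the second reply advises against), and diverts escaping entries to `<out_dir>/tmp` under a sanitized basename instead of writing to the traversal target:

```python
import base64
import json
import re
from pathlib import Path, PurePosixPath

# Constructed sample map (not taken from any real site or from JS Miner): one
# normal entry, one "../" traversal, one absolute path. "sourcesContent" is the
# text a scanner would write to disk for each entry.
SAMPLE_MAP = {
    "version": 3,
    "file": "app.min.js",
    "sources": ["src/app.js", "../../../../etc/cron.d/evil", "/abs/elsewhere.js"],
    "sourcesContent": ["console.log('hi');\n", "* * * * * root id\n", "x=1\n"],
}
# The same map in the inline (base64 data: URI) form mentioned in the thread.
SAMPLE_INLINE = "data:application/json;base64," + base64.b64encode(
    json.dumps(SAMPLE_MAP).encode("utf-8")).decode("ascii")


def load_source_map(text: str) -> dict:
    """Accept a raw JSON source map or the base64 data: URI used for inline maps."""
    prefix = "data:application/json;base64,"
    if text.startswith(prefix):
        text = base64.b64decode(text[len(prefix):]).decode("utf-8")
    return json.loads(text)


def contained_path(out_dir: str, source: str):
    """Return out_dir/<source> if it resolves strictly inside out_dir, else None.

    Checking the *resolved* path (instead of deleting "../" substrings) also
    catches absolute paths, "..\\" on Windows, and symlinked components.
    """
    root = Path(out_dir).resolve()
    candidate = (root / source).resolve()  # an absolute `source` replaces root here
    if candidate == root:
        return None  # empty or "." entry: nothing sensible to write
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate


def save_sources(source_map: dict, out_dir: str):
    """Write each source's content under out_dir.

    Entries that would escape out_dir are diverted to out_dir/tmp under an
    index-prefixed, sanitized basename rather than dropped or written to the
    attacker-chosen location. Returns (written, diverted) lists of source names.
    """
    root = Path(out_dir).resolve()
    contents = source_map.get("sourcesContent") or []
    written, diverted = [], []
    for i, source in enumerate(source_map.get("sources", [])):
        if i >= len(contents) or contents[i] is None:
            continue  # no inline content for this entry, nothing to save
        target = contained_path(out_dir, source)
        if target is None:
            # Keep only the last path component; the index prefix means the
            # name can never be "." or ".." and diverted entries cannot collide.
            base = re.sub(r"[^A-Za-z0-9._-]", "_", PurePosixPath(source).name) or "unnamed"
            target = root / "tmp" / f"{i}_{base}"
            diverted.append(source)
        else:
            written.append(source)
        # Defense in depth: whichever branch chose `target`, it must still lie
        # under root; relative_to raises ValueError if it does not.
        target.resolve().relative_to(root)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(contents[i], encoding="utf-8")
    return written, diverted


if __name__ == "__main__":
    import tempfile
    out = tempfile.mkdtemp(prefix="js-map-demo-")
    ok, moved = save_sources(load_source_map(SAMPLE_INLINE), out)
    print("written under", out, ":", ok)
    print("diverted to tmp:", moved)
```

Run stand-alone it writes `src/app.js` into a fresh temporary directory and puts the two escaping entries into that directory's `tmp` subfolder as `1_evil` and `2_elsewhere.js`; the `../../../../etc/cron.d/evil` and `/abs/elsewhere.js` targets themselves are never touched.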