wagiro/BurpBounty

InsertionPoints conflicts with thorough burp scan mode and breaks the scanning process

phonexicum opened this issue · 1 comment

Conditions

  1. I have used BurpSuite v2020.8.1

  2. BurpBounty (installed from portswigger's store, v3.4)

  3. Using standard scanner. Profile configuration:

    • Audit speed: thorough
    • Audit accuracy: minimize false positives.
    • Enable only 4 scanner checks: SMTP header injection, OS command injection - string echo, OS command injection - time delays, Server-side template injection.
    • Disable ALL "insertion point types" for the scan

Description

BurpBounty creates additional insertion points. These insertion points will be scanned by the 4 built-in scanner checks we have enabled in the profile. Here are the issued requests (captured from Logger++):

[image]

As you may see, the request is broken because it is not properly encoded and \n breaks everything.
Other checks (if they are enabled) are also useless because they may contain special symbols which should have been URL-encoded.

As an example, on my project the web server didn't respond to such broken requests. This resulted in a broken scanner:

[image]

Consequences

  1. A lot of useless requests are being sent, which will not discover any vulnerabilities.

  2. Depending on web server, the situation may result in constantly broken scanner (unless you troubleshoot the problem and disable those 4 built-in checks I have mentioned previously). (To trigger this bug the "Thorough" audit speed is required)

  3. My personal view is: additional insertion points are very unexpected behavior. And I really want the ability to disable them + the BurpSuite API design assumes it is the business of every insertion point how to encode the payload. And personally I found such a concept very useful. Therefore, if I wish to enable the insertion points, I will do it only if they encode the payloads correctly. Or, to be more flexible: if I can configure how the payloads will be encoded for a particular insertion point.
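The point made above, that an insertion point is responsible for encoding the payload it places into a request, can be illustrated with a small model. The following is an added example, not code from BurpBounty or from Burp Suite's extender API: it contrasts an insertion point that pastes a payload into a query parameter raw with one that percent-encodes it, and includes a check that flags a request line broken by a bare newline. The base request, the placeholder name and the sample payload are all constructed for the example.

```python
"""
Added example (not from the BurpBounty project): a minimal model of a
scanner insertion point that must encode the payload it places into a
request, contrasted with one that pastes it in unencoded.
"""
from urllib.parse import quote

# Constructed sample base request (not a capture from the issue). The
# PLACEHOLDER token marks where the insertion point writes the payload.
BASE_REQUEST = (
    "GET /search?q=PLACEHOLDER HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "\r\n"
)

# Constructed sample payload containing a newline, the character the issue
# reports as breaking the request when it is left unencoded.
SAMPLE_PAYLOAD = "abc\ndef"


def insert_unencoded(base: str, payload: str) -> str:
    """Insertion point that pastes the payload in raw (the faulty behaviour)."""
    return base.replace("PLACEHOLDER", payload)


def insert_url_encoded(base: str, payload: str) -> str:
    """Insertion point that percent-encodes the payload for a query parameter,
    so control characters become %0A / %0D and the request line stays intact."""
    return base.replace("PLACEHOLDER", quote(payload, safe=""))


def request_line_is_well_formed(request: str) -> bool:
    """Return True when the first line is a single 'METHOD target HTTP/x.y'
    line terminated by CRLF, with no bare CR or LF inside it."""
    line, sep, _rest = request.partition("\r\n")
    if not sep:
        return False
    if "\n" in line or "\r" in line:
        return False
    parts = line.split(" ")
    return len(parts) == 3 and parts[2].startswith("HTTP/")


if __name__ == "__main__":
    for name, build in (("raw", insert_unencoded), ("encoded", insert_url_encoded)):
        req = build(BASE_REQUEST, SAMPLE_PAYLOAD)
        print(f"{name}: well-formed={request_line_is_well_formed(req)}")
```

Running the block shows the raw insertion yields a malformed request line while the encoded one does not; the same check could be applied to requests captured in a logging extension to count how many of a scan's requests were broken this way.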

Hi @phonexicum !

Thanks for the issue. When you scan with Burp Bounty, in Logger++ it does not appear as Scanner, it appears as Extender, like this:

[image]

Anyway, you can disable and enable the new insertion points created by the extension in Active profile->Request->Payload Options->Insertion point type.

If you disable the insertion point type "Path Discovery" the new insertion points will not be sent to the scanner:

[image]

If I can help you with something else, don't hesitate to tell me.

Best regards.