PortSwigger / BChecks

BChecks collection for Burp Suite Professional and Burp Suite Enterprise Edition
https://portswigger.net/burp/documentation/scanner/bchecks
GNU Lesser General Public License v3.0

Error when regex_replace "\\" to "\" #150

Closed nbxiglk0 closed 7 months ago

nbxiglk0 commented 7 months ago

Hi, I want to replace the "\\" characters with "\" (two backslashes to one backslash) in the response and then do the next check, but I get an error when I use the regex_replace function. The example code looks like this: if "[core]" in {regex_replace({check.response.body},"\\\\","\\")} then.
I got the Unexpected token \ error message, and I don't know what's wrong there.

Michelle-PortSwigger commented 7 months ago

Hi

I've been taking a look into this and have been able to replicate the validation error. To help me look into what other options might be available, can you tell me more about what you are trying to achieve with your BCheck? It would be good to get a better understanding of why the backslashes need to be replaced for the check on the response and the issue to be generated.

nbxiglk0 commented 7 months ago

For example, the program will add a backslash in front of the quotation marks to escape the quotation marks entered by the user, to prevent the input content from escaping from the quotation marks, but the program forgets to escape the backslash itself.

Suppose there is such a response, <xx name='user input'>abcd</xx>, so this protection can be bypassed by injecting the form aaa\' onclick=alert(1) \', which will return <xx name='aaa\\' onclick=alert(1) \\''>abcd</xx> in the response, and if you want to verify whether the backslash is not escaped, you need to verify whether the response contains \' onclick=alert(1) \', and you can see that there will be two backslashes at the second quotation mark. This requires replacing the two backslashes before they can be matched correctly. If the program escapes the backslashes, it will be \\\' onclick=alert(1) \\\''.
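The escaping bug and the matching logic described in this comment, as an added Python example that is not part of the BCheck or of this thread: the two escaper functions and the <xx> template are constructed stand-ins for the program being described, and the parity check at the end goes beyond the comment by deciding escapedness from the number of preceding backslashes instead of matching one fixed marker.

```python
import re

# Constructed sample input: the injected value quoted in the report.
PAYLOAD = "aaa\\' onclick=alert(1) \\'"
TEMPLATE = "<xx name='{value}'>abcd</xx>"
# The marker the BCheck looks for after collapsing backslash pairs.
MARKER = "\\' onclick=alert(1) \\'"


def escape_quotes_only(value: str) -> str:
    """Vulnerable escaper from the report: quotes are escaped, backslashes are not."""
    return value.replace("'", "\\'")


def escape_backslashes_then_quotes(value: str) -> str:
    """Hardened escaper: backslashes first, so a user-supplied backslash
    cannot neutralise the backslash added in front of the quote."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def render(escaper) -> str:
    """Embed the escaped payload in the attribute, like the server response."""
    return TEMPLATE.format(value=escaper(PAYLOAD))


def normalise_double_backslashes(body: str) -> str:
    """Python equivalent of regex_replace(body, "\\\\", "\\"):
    every pair of backslashes becomes a single backslash."""
    return re.sub(r"\\\\", r"\\", body)


def marker_present_after_normalising(body: str) -> bool:
    """The check the reporter wants: does the normalised body contain the marker?"""
    return MARKER in normalise_double_backslashes(body)


def has_unescaped_quote(attr_value: str) -> bool:
    """General check: a quote is escaped only when an odd number of
    backslashes directly precedes it; an even count means the quote
    terminates the attribute and the escaping was defeated."""
    for match in re.finditer(r"(\\*)'", attr_value):
        if len(match.group(1)) % 2 == 0:
            return True
    return False
```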

Michelle-PortSwigger commented 7 months ago

We've been running a couple of tests here and investigating the behavior. If you create some variables to define the match and replace values being used in the regex_replace, you should be able to achieve what you're describing. For example, if you defined the following variable:

define:
    myvar=`\\\\\\\\`

and then used it in a regex_replace: regex_replace({base.response.body},"stuff",{myvar})

The string stuff would be replaced by \\

We are currently doing some further digging into a few inconsistencies we think may exist around the use of backslashes, but the above should give you a starting point.

nbxiglk0 commented 7 months ago

That's helpful, Thanks.