PortSwigger / BChecks

BChecks collection for Burp Suite Professional and Burp Suite Enterprise Edition
https://portswigger.net/burp/documentation/scanner/bchecks
GNU Lesser General Public License v3.0

CVE-2017-9248 #151

Closed 2009panda closed 7 months ago

2009panda commented 7 months ago

Add a bcheck for CVE-2017-9248. It looks for Telerik version code numbers, e.g. 2015.2.623, in responses, and if it finds one, creates an issue.

PortSwiggerWiener commented 7 months ago

Thanks for your submission. Looks like an interesting idea.

Is there something unique to Telerik UI that we can also look for within the response in order to minimize the chance of this raising false positives?

2009panda commented 7 months ago

Hi, the two ways I've found to enumerate the Telerik UI version are to look for HTML comments containing the version number, such as the following [screenshot]

and script tags in responses where Telerik UI JavaScript is loaded. [screenshot]

The problem is that both are not always present, so checking only for the version number (as is done in the bcheck) instead of Version%3d{version_number} should cover both scenarios.

PortSwiggerWiener commented 7 months ago

Excellent. So one option would be to generalize your checking to include either of these, but as you said, you may miss some scenarios. Perhaps a better option would be to look for something unrelated to the version that is specific to Telerik. So the logic would be something like:

if ((<some test to fingerprint Telerik UI>) and ("2007.1423" in {latest.response.body} or "2007.1521" in {latest.response.body} ... or "2017.1.118" in {latest.response.body})) then

2009panda commented 7 months ago

Thanks for the input. I added a check for the presence of "Telerik.Web.UI.WebResource.axd", which should eliminate the risk of raising false positives. It now looks like this:

if (("Telerik.Web.UI.WebResource.axd" in {latest.response.body}) and ("2007.1423" in {latest.response.body} or "2007.1521" in {latest.response.body} ... or "2017.1.118" in {latest.response.body})) then
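The gating logic discussed in this thread, as an added example that is not the submitted BCheck nor any PortSwigger or Telerik code: a Python reimplementation of the passive check, run over constructed sample responses. It shows why the fingerprint matters (a date such as 2016.10.15 on a non-Telerik page looks like a version string to the original submission's version-only check), and it handles both version shapes the thread mentions, the old year.build form (2007.1423) and the year.release.build form (2015.2.623), including a version glued to `Version%3d` inside a script URL. The vulnerable range bounds (2007.1423 through 2017.1.118) are taken from the version list quoted in the thread; treating that list as complete is an assumption.

```python
"""Passive detection logic for CVE-2017-9248 mirroring the BCheck discussed in
the thread: fingerprint Telerik UI first, then look for a vulnerable version
string. Sample responses below are constructed for this example."""
import re

# Telerik-specific marker used as the fingerprint in the revised BCheck.
FINGERPRINT = "Telerik.Web.UI.WebResource.axd"

# Two version shapes occur: year.build (2007.1423) and year.release.build
# (2015.2.623). Lookbehind/lookahead are used instead of \b so a version
# glued to "Version%3d" in a script URL still matches.
VERSION_RE = re.compile(r"(?<![\d.])(20\d{2})\.(\d{1,4})(?:\.(\d{1,4}))?(?!\d)")

# Bounds taken from the version list quoted in the thread (assumption: the
# list is complete). Two-part versions are normalised with release = 0.
OLDEST_VULN = (2007, 0, 1423)
NEWEST_VULN = (2017, 1, 118)


def normalise(year, a, b):
    """Map both version shapes onto a comparable (year, release, build) tuple."""
    if b is None:                       # year.build form
        return (int(year), 0, int(a))
    return (int(year), int(a), int(b))  # year.release.build form


def extract_versions(body):
    """All Telerik-style version strings in a body, as (raw, parsed) pairs."""
    return [(m.group(0), normalise(*m.groups())) for m in VERSION_RE.finditer(body)]


def is_vulnerable_version(parsed):
    """True when the parsed version falls inside the thread's vulnerable range."""
    return OLDEST_VULN <= parsed <= NEWEST_VULN


def check_response(body, require_fingerprint=True):
    """Return the first vulnerable version string found, or None.

    require_fingerprint=True is the revised BCheck (fingerprint AND version);
    require_fingerprint=False is the original version-only submission.
    """
    if require_fingerprint and FINGERPRINT not in body:
        return None
    for raw, parsed in extract_versions(body):
        if is_vulnerable_version(parsed):
            return raw
    return None


# Constructed sample responses (not captured from any real host).
SAMPLES = {
    # Version disclosed in an HTML comment, Telerik handler referenced elsewhere.
    "comment": (
        "<html><!-- Telerik.Web.UI 2015.2.623 --><head>"
        '<script src="/Telerik.Web.UI.WebResource.axd?_TSM_HiddenField_=x"></script>'
    ),
    # Version inside the script URL, URL-encoded "Version=" -> "Version%3d".
    "script_patched": (
        '<script src="/Telerik.Web.UI.WebResource.axd?compress=1&_TSM_CombinedScripts_='
        '%3b%3bTelerik.Web.UI%2c+Version%3d2017.2.503%2c+Culture%3dneutral"></script>'
    ),
    # Old two-part version shape.
    "legacy": (
        '<script src="/Telerik.Web.UI.WebResource.axd?_TSM_CombinedScripts_='
        '%3b%3bTelerik.Web.UI%2c+Version%3d2007.1423%2c+Culture%3dneutral"></script>'
    ),
    # No Telerik at all; a date that looks like a version string.
    "not_telerik": "<p>Minutes of the meeting held 2016.10.15</p>",
}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:15} fingerprinted={check_response(body)!s:12} "
              f"version-only={check_response(body, require_fingerprint=False)!s}")
```

With the fingerprint required, only the `comment` and `legacy` samples are reported; the patched `2017.2.503` script is above the range and the meeting-minutes page is ignored. Without the fingerprint, `2016.10.15` on the non-Telerik page is reported as well, which is exactly the false positive the reviewer asked to avoid.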

michael-eaton-portswigger commented 4 months ago

@2009panda As a contributor to our GitHub repository, we would like to invite you to our closed Discord community.

It is a place where passionate Burp users, including people who directly work on building and developing Burp here at PortSwigger, can talk about the tooling and web security in general.

If you would like to join, please email us at support@portswigger.net and we will send over an invite link.

Thank you!