Open JaveleyQAQ opened 9 months ago
Hi
This is a BCheck that was originally written by one of the community members rather than one of us here at PortSwigger.
Have you also had genuine issues reported by this BCheck or have you only ever had false positives reported?
Some improvements have been made to this BCheck - please let us know if you're still experiencing this issue.
Just looking at this fix. While addressing the false positives of static files, this fix does not detect the flaw in a large number of cases now. It makes the assumption that base responses are not 200s. When initially finding this flaw, a majority of cases started with base 200 responses. I will see if I can make some adjustments to account for static flaws besides just a 200 gate.
Static detection of defects is not your fault; it is a legacy scanner problem. If you just rely on resp 200 to judge, the false positive rate is too high. Some dynamic pages are only used to record information: no matter what parameters the user submits, they only record and return 200. This can lead to false positives. In short, I encountered a lot of different situations, so I chose not to enable this plug-in, so I have never tested it successfully.
@p80n-sec Thanks for the feedback :)
BChecks are very much a community effort. We'd love to see what improvements you can make to this one. Once you've made your adjustments, please feel free to send a PR with them!
Reopening until the false negatives issue is addressed.
For the CVE-2023-25690 vulnerability script, the false positive rate is too high. In default scanning mode, Burp Suite cannot distinguish static files, leading to a higher false positive rate. For example, when accessing
http://example.com/test.js?v=1
if the script's payload is added on this basis, false positive results will be generated. I have not conducted in-depth research on this vulnerability, so I cannot provide detailed recommendations. However, relying solely on the "split" request response code as the basis for the vulnerability is clearly not rigorous enough.
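An added illustration, written here in plain Python rather than BCheck syntax and not part of the BCheck under discussion, of the three gating rules this thread raises: skip static resources, do not assume a non-200 baseline, and treat a probe response that mirrors the baseline body as a likely record-and-return-200 endpoint. `Response`, `verdict`, the extension list and the threshold are constructed for the example.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# File types served verbatim; a 200 for these says nothing about the check (constructed list).
STATIC_EXT = (".js", ".css", ".map", ".png", ".jpg", ".jpeg", ".gif",
              ".svg", ".ico", ".woff", ".woff2", ".pdf")

# At or above this body similarity the probe is treated as the same page the
# baseline returned, i.e. an endpoint that just records input and answers 200.
MIRROR_THRESHOLD = 0.9


@dataclass
class Response:
    status: int
    body: str


def is_static_path(url: str) -> bool:
    """True when the request path targets a static file type."""
    path = urlsplit(url).path.lower()
    return path.endswith(STATIC_EXT)


def verdict(url: str, base: Response, probe: Response) -> tuple[bool, str]:
    """Decide whether a (base, probe) pair should be reported.

    base  -- response to the unmodified request
    probe -- response to the request carrying the check's payload
    Returns (report?, reason).
    """
    if is_static_path(url):
        return False, "static resource: a 200 here is not evidence"
    if probe.status != 200:
        return False, f"probe answered {probe.status}, not served"
    # A 200 baseline is normal for dynamic pages, so it is not a reason to
    # skip; what matters is whether the probe produced something different.
    similarity = SequenceMatcher(None, base.body, probe.body).ratio()
    if similarity >= MIRROR_THRESHOLD:
        return False, f"probe mirrors baseline ({similarity:.2f}); likely a record-and-200 endpoint"
    return True, f"probe served 200 with a distinct body ({similarity:.2f})"
```

A pair that passes all three gates is still only a candidate for manual review; the point of the thread is that the status code alone, in either direction, is not a reliable discriminator.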