PortSwigger / backslash-powered-scanner

Finds unknown classes of injection vulnerabilities

False positive when check URL section? #5

Closed tghosth closed 8 years ago

tghosth commented 8 years ago

Hi James,

On a couple of scans now, I have seen it return:

Interesting input handling: File Path Manipulation Successful probes:

It has been run on GET /api/v1/valid_API, and it has sent GET /api/v1/./../valid_API, which returns a 404 because that API does not exist there, and then it sends GET /api/v1/./z/../valid_API, which has responded with a 200, presumably because the server is cancelling out the z and the .., which seems sensible.

Is this a false positive or am I targeting the scan incorrectly?

Cheers :)

albinowax commented 8 years ago

This isn't exactly a false positive, but it's not really something worth reporting as a scanner issue either - it's expected behaviour for webservers. I'll see if I can make the scanner skip doing file path manipulation checks when it's injecting into the path.

albinowax commented 8 years ago

This should be fixed now: https://github.com/PortSwigger/backslash-powered-scanner/commit/4c2f93f0b5592816830eeae680bdb4d95185da3d
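The probe pair discussed in this thread can be checked offline by resolving the dot segments the way a web server does. The following is an added example, not code from backslash-powered-scanner or from either commenter; the function names, the labels, and the 200 status for the base request are assumptions made for illustration.

```python
# Added example: triage helper, not code from backslash-powered-scanner.
# Assumes absolute paths and a server that resolves dot segments per RFC 3986.

def remove_dot_segments(path: str) -> str:
    """Resolve '.' and '..' segments of an absolute URL path (RFC 3986, 5.2.4)."""
    out = []
    for seg in path.split("/"):
        if seg == ".":
            continue
        if seg == "..":
            if len(out) > 1:      # keep the leading "" so we never climb above "/"
                out.pop()
            continue
        out.append(seg)
    if path.endswith(("/.", "/..")):
        out.append("")            # a trailing dot segment leaves a trailing slash
    return "/".join(out) or "/"


def triage(base_path: str, base_status: int, probes):
    """Label each (probe_path, status) pair relative to the base request."""
    results = []
    for probe_path, status in probes:
        resolved = remove_dot_segments(probe_path)
        if resolved != base_path:
            label = "different-resource"   # any status is unremarkable
        elif status == base_status:
            label = "same-resource"        # normalization alone explains it
        else:
            label = "unexplained"          # same resource, different answer: review
        results.append((probe_path, resolved, label))
    return results


# Constructed from the requests in the issue; the 200 for the base request is assumed.
BASE = "/api/v1/valid_API"
PROBES = [
    ("/api/v1/./../valid_API", 404),
    ("/api/v1/./z/../valid_API", 200),
]

if __name__ == "__main__":
    for row in triage(BASE, 200, PROBES):
        print(row)
```

Only a probe labelled "unexplained" (it resolves to the base path yet the response differs) suggests the application is handling the path itself rather than the server normalizing it.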