Closed floyd-fuh closed 7 years ago
Are you running the version from the BApp store, or the latest version from here? This looks like this issue: https://github.com/PortSwigger/backslash-powered-scanner/issues/5
Right, sorry for not checking the closed bugs. Can you please update the version in the BApp store?
Yep, working on it...
Servers usually do URL path normalization, which means a URI in HTTP such as http://example.com/test/../index.php is equivalent to http://example.com/index.php as specified in https://tools.ietf.org/html/rfc3986#section-5.2.4
You usually don't see this in browsers as they will normalize before sending the URL to the server. However, in Burp you obviously can.
Let's say the plugin sees the following URL: http://example.com/a/index.php
This plugin does the following tests:
- http://example.com/a/./../index.php (not equivalent after server-side normalization: searching in web root)
- http://example.com/a/./z/../index.php (equivalent to the original URL after server-side normalization)
There is little benefit in doing this, as this will simply test if there is an index.php in the web root directory and compare it to the original response for the URL. This produces a lot of false positives.
Even worse, when the original URL is http://example.com/index.php, http://example.com/./../index.php results in a 400 Bad Request in Apache (can you confirm?).
I suggest you either don't do the file manipulation tests in the URL path (however, this would require more testing, as normalization should take place on the server side) or change the Confidence of the finding to Tentative and Severity to Low when doing File Path Manipulation in URL paths.
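To make the normalization argument in the report above concrete, here is an added example (not part of the issue thread or of the scanner's own code) that implements the remove_dot_segments algorithm from RFC 3986 section 5.2.4 and uses it to classify each probe URL against the original: "equivalent" (the server will serve the same resource), "different" (the probe points somewhere else, here the web root), or "above-root" (a ".." tries to climb past the first segment, the case the report says Apache answers with 400; the RFC itself just discards the extra ".."). The function names and the three-way classification are assumptions made for this illustration; the URLs are the ones from the report.

```python
from urllib.parse import urlsplit, urlunsplit


def remove_dot_segments(path: str) -> tuple[str, bool]:
    """remove_dot_segments as specified in RFC 3986, section 5.2.4.

    Returns (normalized_path, escaped_root).  escaped_root is True when a ".."
    segment tried to pop an empty output buffer, i.e. the path would climb
    above the root; the RFC silently drops it, servers may reject it instead.
    """
    inp = path
    out: list[str] = []
    escaped = False
    while inp:
        if inp.startswith("../"):          # A: leading "../"
            inp = inp[3:]
        elif inp.startswith("./"):         # A: leading "./"
            inp = inp[2:]
        elif inp.startswith("/./"):        # B: "/./" -> "/"
            inp = inp[2:]
        elif inp == "/.":                  # B: trailing "/."
            inp = "/"
        elif inp.startswith("/../"):       # C: "/../" -> "/", pop last segment
            inp = inp[3:]
            if out:
                out.pop()
            else:
                escaped = True
        elif inp == "/..":                 # C: trailing "/.."
            inp = "/"
            if out:
                out.pop()
            else:
                escaped = True
        elif inp in (".", ".."):           # D: bare dot segments
            inp = ""
        else:                              # E: move first segment to output
            start = 1 if inp.startswith("/") else 0
            cut = inp.find("/", start)
            if cut == -1:
                out.append(inp)
                inp = ""
            else:
                out.append(inp[:cut])
                inp = inp[cut:]
    return "".join(out), escaped


def normalize_url(url: str) -> tuple[str, bool]:
    """Apply remove_dot_segments to the path component of an absolute URL."""
    parts = urlsplit(url)
    path, escaped = remove_dot_segments(parts.path)
    return urlunsplit(parts._replace(path=path)), escaped


def classify_probe(original: str, probe: str) -> str:
    """Say what a server doing RFC 3986 normalization would make of a probe.

    'equivalent'  -> same resource as the original request (no new coverage)
    'different'   -> a different path, e.g. the same file name in the web root
    'above-root'  -> the probe tries to traverse above the root
    """
    norm_original, _ = normalize_url(original)
    norm_probe, escaped = normalize_url(probe)
    if escaped:
        return "above-root"
    if norm_probe == norm_original:
        return "equivalent"
    return "different"


if __name__ == "__main__":
    # Constructed from the probe URLs quoted in the report above.
    cases = [
        ("http://example.com/a/index.php", "http://example.com/a/./../index.php"),
        ("http://example.com/a/index.php", "http://example.com/a/./z/../index.php"),
        ("http://example.com/index.php", "http://example.com/./../index.php"),
    ]
    for original, probe in cases:
        normalized, _ = normalize_url(probe)
        print(f"{probe} -> {normalized}: {classify_probe(original, probe)}")
```

Only the "equivalent" case tells you the server normalized the probe back onto the original resource; a "different" probe compares the response for a sibling path against the original, which is where the false positives the report describes come from.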