PortSwigger / param-miner

https://portswigger.net/blog/practical-web-cache-poisoning

duplicate cachebuster functionality #15

Closed mcgyver5 closed 4 years ago

mcgyver5 commented 5 years ago

My experience is that when I don't select any cachebuster option, I get a default dynamic one in my application's access logs: "GET /threadfix/about?h07f4k0=1 HTTP/1.1" 200 22684

If I select "fcbz", I get the default one in addition to two fcbz parameters.
"GET /threadfix/login.jsp?fcbz=1&illliqv90=1&fcbz=1 HTTP/1.1" 200 6501

If I select "dynamic", then I get three dynamic cachebusting parameters (the default one plus two others):

"GET /threadfix/login.jsp?itkebapv41=1&xg94h4uct2=1&hhwrc5=1 HTTP/1.1" 200 6501
"GET /threadfix/login.jsp?itkebapv41=1&g1gpeaa6=1&s0v5v60g2=1 HTTP/1.1" 200 6501
"GET /threadfix/login.jsp?itkebapv41=1&vxju2=1&lt4anqlb1=1 HTTP/1.1" 200 6501

Is the dynamic option necessary, then?

albinowax commented 4 years ago

That's definitely not how it's meant to work. By default, there should be no cachebuster. Maybe threadfix itself is adding a cachebuster?

mcgyver5 commented 4 years ago

Hi, and thank you for responding. I pointed it at a simple PHP application that is definitely not adding its own cachebuster. The results are that it is adding a default dynamic one if I do not request any cachebuster:

GET|1579231723|/var/www/html/cspot.php|cbutt_hbutt=9009&zg791=1

If I check "dynamic cachebuster" in the options prior to the scan, I get two dynamic values (not 3):

GET|1579232037|/var/www/html/cspot.php|cbutt_hbutt=jello&k=39&pmagk5=1&mbx71=1

If I check "fcbz", I get one fcbz parameter and the default dynamic one:

GET|1579232758|/var/www/html/cspot.php|cbutt_hbutt=jello&k=77&o0j3nr6=1&fcbz=1

So it would seem that Threadfix is adding something but also the extension is adding a default dynamic cachebuster of its own.

albinowax commented 4 years ago

OK, can you

mcgyver5 commented 4 years ago

Here is the response as output in the browser:

GET / HTTP/1.1
Host: waf.party:8080
Connection: Keep-Alive
Accept-Encoding: gzip
CF-IPCountry: US
X-Forwarded-For: 136.234.105.218
CF-RAY: 55691c928819c62f-MSP
X-Forwarded-Proto: http
CF-Visitor: {"scheme":"http"}
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: __cfduid=d7d914e7303e27f90545c4c99bb4dc6211579271900
Upgrade-Insecure-Requests: 1
CF-Connecting-IP: 136.234.105.218
CDN-Loop: cloudflare

albinowax commented 4 years ago

Great, thanks. So this shows that you aren't getting a cachebuster here. If you re-enable your other extensions, do you find a cachebuster appears?

mcgyver5 commented 4 years ago

I did not have any other extensions enabled before, so nothing to re-enable. I am confused now about the difference between visiting the site while proxying through Burp and clicking "Guess Headers" when right-clicking. The behavior I am seeing is from the "Guess headers!" command in Burp. I don't see the same default cachebuster in my logs when I only visit my site while proxying through Burp (I do have auto-mine selected in the param-miner configuration).

albinowax commented 4 years ago

Ahh I see, I thought you were talking about using the proxy. When using 'Guess headers', Param Miner always adds a dynamic cachebuster since it simply wouldn't work on sites that use caching otherwise. It's correct that this could lead to multiple cache-busters in some cases, but that's expected and generally harmless.
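The comment above explains why "Guess headers" always appends a dynamic cachebuster: a cache that keys only on path and query serves the same stored body regardless of request headers, so header-based probes would never reach the origin. The following is an added illustration for this thread, not Param Miner's own code: a toy origin that reflects one header, a toy cache keyed on (path, query), and a probe run with and without a cachebuster. The `example.test` URL, the `Origin`/`Cache` classes and the header names are constructed for the example; `count_params` just counts the query parameters in access-log request lines like the ones quoted earlier in the issue.

```python
"""Why a header-guessing probe needs a cachebuster (added example, not Param Miner code)."""
import secrets
import string
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

ALNUM = string.ascii_lowercase + string.digits


def dynamic_cachebuster():
    """Random alphanumeric parameter name with value '1', in the style of the
    'xg94h4uct2=1' parameters seen in the access logs above (constructed here)."""
    name = "".join(secrets.choice(ALNUM) for _ in range(8))
    return name, "1"


def add_cachebuster(url, name=None, value="1"):
    """Append a cachebuster to the query string; a fresh dynamic one if no name is given."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    if name is None:
        name, value = dynamic_cachebuster()
    query.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(query)))


class Origin:
    """Constructed origin that reflects an unkeyed header into the body and
    counts how often it is actually reached."""

    def __init__(self):
        self.hits = 0

    def respond(self, url, headers):
        self.hits += 1
        return f"<p>host={headers.get('X-Forwarded-Host', 'none')}</p>"


class Cache:
    """Constructed cache keyed only on (path, query): header differences are invisible,
    so a stored body is served for every request with the same request line."""

    def __init__(self, origin):
        self.origin = origin
        self.store = {}

    def get(self, url, headers):
        p = urlsplit(url)
        key = (p.path, p.query)
        if key not in self.store:
            self.store[key] = self.origin.respond(url, headers)
        return self.store[key]


def probe(cache, url, candidate_headers, use_cachebuster):
    """Send one request per candidate header and return the names whose value
    came back reflected, i.e. the ones a prober could actually observe."""
    detected = []
    for name, value in candidate_headers:
        target = add_cachebuster(url) if use_cachebuster else url
        body = cache.get(target, {name: value})
        if value in body:
            detected.append(name)
    return detected


def count_params(request_line):
    """Number of query parameters in an access-log request line such as
    'GET /threadfix/login.jsp?fcbz=1&illliqv90=1&fcbz=1 HTTP/1.1'."""
    path = request_line.split()[1]
    return len(parse_qsl(urlsplit(path).query, keep_blank_values=True))


if __name__ == "__main__":
    origin = Origin()
    cache = Cache(origin)
    url = "http://example.test/login.jsp"          # constructed target
    cache.get(url, {})                              # a normal visit warms the cache
    candidates = [("X-Forwarded-Host", "probe1"), ("X-Dummy", "probe2")]
    print("without cachebuster:", probe(cache, url, candidates, False), "origin hits:", origin.hits)
    print("with cachebuster:   ", probe(cache, url, candidates, True), "origin hits:", origin.hits)
```

Run as a script, the first probe reports nothing and the origin is reached only by the warm-up request; the second probe reaches the origin once per candidate header and observes the reflected one. A second cachebuster on the same request line (the "fcbz=1&illliqv90=1&fcbz=1" case) still yields a unique key, which is why the duplication is harmless for the probe itself.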

mcgyver5 commented 4 years ago

OK! Thank you for clearing that up for me.

adon90 commented 4 years ago

Could you share how you usually run "Guess Headers!"?

I use this normally:

(screenshot: paraminer1)

But I think it is more effective, generally speaking, to run it like this:

(screenshot: paraminer2)

I mean, with "dynamic cache" and without "learn observed words" (maybe this is better for guessing parameters).

GZ for this epic Burp plugin. Regards

mcgyver5 commented 4 years ago

I run "guess headers" by right-clicking an item in the target tab.

(screenshot)