Open dnet opened 6 years ago
It is a tough call. The regex is already pretty specific, so making changes could create a false negative situation.
It seems like the issues you have reported so far (this and #45) have come on .js files. Maybe we should really be looking at a way to specify the types of files (either MIME type or extension) that should be scanned, or lowering the confidence of results when they appear on what should be a static file.
That's a great idea, methods [getInferredMimeType()](https://portswigger.net/burp/extender/api/burp/IResponseInfo.html#getInferredMimeType()) and [getStatedMimeType()](https://portswigger.net/burp/extender/api/burp/IResponseInfo.html#getStatedMimeType()) of the class IResponseInfo could be used for getting the MIME type of the response. Sometimes these JS monsters are generated dynamically, so the file extension is non-existent in the request; however, it could still be useful, and the method [getURL](https://portswigger.net/burp/extender/api/burp/IRequestInfo.html#getUrl()) of the class IRequestInfo is a good way to get that. Maybe with a blacklist approach (like ignore this rule if MIME type or extension suggests JS) we could minimize false negatives.
What do you think? Should I implement this and submit a pull request, or do you prefer to tackle it?
I'd prefer to see the confidence rating bumped down by one (e.g. Firm -> Tentative) rather than having the rule be completely skipped. As you say, sometimes these files are generated dynamically, and that could throw errors.
It will be a while before I have time to do this so by all means send a pull request!
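The two ideas from the thread (detecting a JavaScript response via the Burp Extender API, then lowering the confidence one step instead of skipping the rule) can be combined in a small helper. This is an added example, not code from the issue or from the project; it assumes Burp's legacy `burp.*` Extender interfaces, that Burp reports JavaScript responses from `getInferredMimeType()`/`getStatedMimeType()` as `"script"`, and that the scanner's confidence values are the strings `"Certain"`, `"Firm"` and `"Tentative"`. The class and method names are hypothetical.

```java
import burp.IExtensionHelpers;
import burp.IHttpRequestResponse;
import burp.IRequestInfo;
import burp.IResponseInfo;
import java.net.URL;
import java.util.Locale;

// Added example (not the project's own code). Assumes the legacy Burp Extender
// API and that Burp's MIME-type strings use "script" for JavaScript (assumption).
public final class StaticFileConfidence {

    private StaticFileConfidence() {}

    /**
     * Returns true when the response looks like a JavaScript file, judged first by the
     * stated/inferred MIME type and, as a fallback, by the request URL's extension.
     * Dynamically generated scripts often have no extension, so the MIME checks come first.
     */
    static boolean looksLikeJavaScript(IExtensionHelpers helpers, IHttpRequestResponse message) {
        byte[] response = message.getResponse();
        if (response == null) {
            return false;
        }
        IResponseInfo resp = helpers.analyzeResponse(response);
        String stated = nullToEmpty(resp.getStatedMimeType()).toLowerCase(Locale.ROOT);
        String inferred = nullToEmpty(resp.getInferredMimeType()).toLowerCase(Locale.ROOT);
        if (stated.equals("script") || inferred.equals("script")) {
            return true;
        }
        // Fallback: extension in the request path (only the path, never the query string).
        IRequestInfo req = helpers.analyzeRequest(message);
        URL url = req.getUrl();
        String path = url.getPath() == null ? "" : url.getPath().toLowerCase(Locale.ROOT);
        return path.endsWith(".js");
    }

    /** Bumps the confidence down exactly one notch: Certain -> Firm -> Tentative. */
    static String downgradeConfidence(String confidence) {
        if ("Certain".equals(confidence)) {
            return "Firm";
        }
        // Firm, Tentative and anything unexpected all end up at the lowest level.
        return "Tentative";
    }

    /**
     * Confidence to report for a finding: the rule still fires on JS responses,
     * but with one level less confidence, as suggested in the thread.
     */
    static String adjustedConfidence(IExtensionHelpers helpers, IHttpRequestResponse message,
                                     String confidence) {
        return looksLikeJavaScript(helpers, message) ? downgradeConfidence(confidence) : confidence;
    }

    private static String nullToEmpty(String s) {
        return s == null ? "" : s;
    }
}
```

The MIME check is deliberately done before the extension check so that a script served from an extensionless endpoint is still recognised; if Burp's actual MIME-type label for JavaScript differs from `"script"`, only the string comparison needs changing.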
> I'd prefer to see the confidence rating bumped down by one (e.g. Firm -> Tentative) rather than having the rule be completely skipped.
I just had the same thought ~15 minutes after posting my reply. :)
The LDAP regex looks like this
However, we've found minified JS code that happened to use `o` and `c` right next to each other in a variable declaration, thus they were delimited by commas. What would be a good fix? Would removing `o` and `c` (but leaving the five others) really harm LDAP exception detection that much?