augustd / burp-suite-error-message-checks

Burp Suite extension to passively scan for applications revealing server error messages

False positive caused by one character matches in LDAP regex #47

Open dnet opened 6 years ago

dnet commented 6 years ago

The LDAP regex looks like this

```
((dn|dc|cn|ou|uid|o|c)=[\w\d]*,\s?){2,}
```

However, we've found minified JS code that happened to use `o` and `c` right next to each other in a variable declaration, so they were delimited by commas.

```js
var r=this.doFooBar(n,i[t]),o=r,c=null,l=[],a=i[t];
//                          ^^^^^^^^^^^---------------- this matched
```

What would be a good fix? Would removing `o` and `c` (but leaving the five others) really harm LDAP exception detection that much?

augustd commented 6 years ago

It is a tough call. The regex is already pretty specific, so making changes could create a false negative situation.

It seems like the issues you have reported so far (this and #45) have come on .js files. Maybe we should really be looking at a way to specify the types of files (either MIME type or extension) that should be scanned, or lowering the confidence of results when they appear on what should be a static file.

dnet commented 6 years ago

That's a great idea: the methods [getInferredMimeType()](https://portswigger.net/burp/extender/api/burp/IResponseInfo.html#getInferredMimeType()) and [getStatedMimeType()](https://portswigger.net/burp/extender/api/burp/IResponseInfo.html#getStatedMimeType()) of the `IResponseInfo` class could be used to get the MIME type of the response. Sometimes these JS monsters are generated dynamically, so the file extension is non-existent in the request; however, it could still be useful, and the [getUrl()](https://portswigger.net/burp/extender/api/burp/IRequestInfo.html#getUrl()) method of the `IRequestInfo` class is a good way to get it. Maybe with a blacklist approach (like ignoring this rule if the MIME type or extension suggests JS) we could minimize false negatives.

What do you think? Should I implement this and submit a pull request, or do you prefer to tackle it?

augustd commented 6 years ago

I'd prefer to see the confidence rating bumped down by one (e.g. Firm -> Tentative) rather than having the rule be completely skipped. As you say, sometimes these files are generated dynamically, and that could throw errors.

It will be a while before I have time to do this so by all means send a pull request!
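To make the discussion concrete, here is an added example (not code from the extension or from either commenter) that reproduces the false positive from the first comment and implements the confidence downgrade agreed on above: the LDAP regex is run over the minified JS line quoted in the issue and over a constructed LDAP exception message, and a hit is lowered one step (Certain -> Firm -> Tentative) when the response's stated or inferred MIME type, or the URL's extension, suggests JavaScript. The Burp API calls are simulated by passing the MIME strings and URL in as parameters; the values Burp reports for JavaScript (the check below looks for "script" in the MIME string) and the three-level confidence scale are assumptions taken from the issue, not verified against the extension.

```python
import re
from urllib.parse import urlparse

# The LDAP error check regex exactly as quoted in the issue.
LDAP_RE = re.compile(r"((dn|dc|cn|ou|uid|o|c)=[\w\d]*,\s?){2,}")

# Burp's confidence scale, ordered from strongest to weakest (assumed here).
CONFIDENCE_ORDER = ["Certain", "Firm", "Tentative"]

# Constructed sample responses: the minified JS line from the issue and a
# made-up LDAP exception message of the kind the check is meant to catch.
MINIFIED_JS = "var r=this.doFooBar(n,i[t]),o=r,c=null,l=[],a=i[t];"
LDAP_ERROR = (
    "javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; "
    "remaining name 'cn=admin,ou=people,dc=example,dc=com'"
)


def looks_like_javascript(stated_mime, inferred_mime, url):
    """Blacklist heuristic from the issue: MIME type or URL extension suggests JS.

    stated_mime/inferred_mime stand in for IResponseInfo.getStatedMimeType() and
    getInferredMimeType(); url stands in for IRequestInfo.getUrl(). Treating any
    MIME string containing "script" as JavaScript is an assumption.
    """
    for mime in (stated_mime, inferred_mime):
        if mime and "script" in mime.lower():
            return True
    path = urlparse(url).path.lower()
    return path.endswith(".js") or path.endswith(".mjs")


def downgrade(confidence):
    """Lower a confidence rating by one step; Tentative stays Tentative."""
    idx = CONFIDENCE_ORDER.index(confidence)
    return CONFIDENCE_ORDER[min(idx + 1, len(CONFIDENCE_ORDER) - 1)]


def scan_ldap(body, stated_mime, inferred_mime, url, base_confidence="Firm"):
    """Run the LDAP check over a response body and rate the finding.

    Returns None when the regex does not match; otherwise a dict with the
    matched text and the confidence after the JavaScript downgrade rule.
    """
    match = LDAP_RE.search(body)
    if match is None:
        return None
    confidence = base_confidence
    if looks_like_javascript(stated_mime, inferred_mime, url):
        confidence = downgrade(confidence)
    return {"match": match.group(0), "confidence": confidence}


if __name__ == "__main__":
    # The issue's false positive: regex still fires, but the JS hint lowers it.
    print(scan_ldap(MINIFIED_JS, "application/javascript", "script",
                    "https://app.example.test/static/bundle.js"))
    # A real-looking LDAP error on an HTML page keeps the default rating.
    print(scan_ldap(LDAP_ERROR, "text/html", "HTML",
                    "https://app.example.test/login"))
```

Note the limit augustd points out: a dynamically generated script with no `.js` extension and no script MIME hint is still reported at the default confidence, so the rule is only as good as the hints Burp can see.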

dnet commented 6 years ago

> I'd prefer to see the confidence rating bumped down by one (e.g. Firm -> Tentative) rather than having the rule be completely skipped.

I just had the same thought ~15 minutes after posting my reply. :)