augustd / burp-suite-software-version-checks

Burp extension to passively scan for applications revealing software version numbers

False positives for short matches on random data #64

Closed Sjord closed 6 years ago

Sjord commented 6 years ago

The application I am testing exports base-64 encoded data, like this:

0t8UGYfJSF/5q6IFb3KImLoQBoA1+3vqfvp61zMUuj3zDV...

The plugin incorrectly reports the server uses Java Server Faces 5 because JSF/5 exists in this data.

Somewhere else, I get a session cookie with a value like this:

85athjhd7yxaclvj3ajdk8l

The version plugin reports this as JDK 8, because it contains jdk8.

Do you have any ideas to reduce the number of false positives? Should the short regexes be modified to match word boundaries?

augustd commented 6 years ago

Wow, those are good ones. I've updated the unit tests to include checks for false positives, and changed the JDK and JSF patterns to require a word boundary at start.

augustd commented 6 years ago

If you find other false positives, feel free to add them to /src/test/resources/burp/falsePositives.txt
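To illustrate the fix discussed in this thread (a leading word boundary on the JDK and JSF patterns) and the falsePositives.txt regression check, here is an added Python example; it is not code from the extension. The regexes, the sample headers and the two helper functions are assumptions, and only the two false-positive strings come from the issue above.

```python
import re

# Hypothetical version-detection patterns modelled on the issue (assumed; not the
# extension's own regex list). The "fix" variant prefixes each pattern with \b,
# as the maintainer describes for the JDK and JSF checks.
NAIVE_PATTERNS = {
    "Java Server Faces": r"JSF/(\d+(?:\.\d+)*)",
    "JDK": r"jdk(\d+(?:\.\d+)*)",
}
BOUNDED_PATTERNS = {name: r"\b" + p for name, p in NAIVE_PATTERNS.items()}

# Constructed corpus in the spirit of falsePositives.txt: the base64 export and
# the session cookie quoted in the issue, neither of which discloses a version.
FALSE_POSITIVES = [
    "0t8UGYfJSF/5q6IFb3KImLoQBoA1+3vqfvp61zMUuj3zDV",  # base64 blob
    "85athjhd7yxaclvj3ajdk8l",                          # session cookie
]

# Constructed headers that genuinely leak a version and must still be flagged.
TRUE_POSITIVES = {
    "X-Powered-By: JSF/2.3": ("Java Server Faces", "2.3"),
    "Server: Apache-Coyote/1.1 (jdk1.8)": ("JDK", "1.8"),
}

# Constructed string showing the limit of a leading boundary only: '+' is a
# non-word character, so \bJSF still matches inside base64-looking data.
STILL_TRIGGERS = "9f+JSF/5aq"


def scan(text, patterns):
    """Return [(product, version), ...] for every pattern that fires on text."""
    hits = []
    for product, pattern in patterns.items():
        for m in re.finditer(pattern, text, re.IGNORECASE):
            hits.append((product, m.group(1)))
    return hits


def check_false_positive_corpus(corpus, patterns):
    """Regression check in the style of falsePositives.txt: return every corpus
    line that still produces a finding, so the test suite can fail on any."""
    return [line for line in corpus if scan(line, patterns)]


if __name__ == "__main__":
    print("naive:  ", check_false_positive_corpus(FALSE_POSITIVES, NAIVE_PATTERNS))
    print("bounded:", check_false_positive_corpus(FALSE_POSITIVES, BOUNDED_PATTERNS))
    print("limit:  ", scan(STILL_TRIGGERS, BOUNDED_PATTERNS))
```

A leading boundary removes both reports from the issue but not a token preceded by `+` or `/`, which base64 data produces freely; that is why a growing false-positive corpus run in the unit tests is the more durable check.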