Open AkikoOrenji opened 2 years ago
Thank you for your ticket. I ask you:
Thanks for looking into this. With "show all" set as the filter it's the same behaviour.
Burp is v2021.12.1
Errors attached (anywhere you see 'redacted' the values were exactly the same as the other findings): j2ee-err.txt j2ee-output.txt
I noticed a few findings on my assessment were 'missing' and working with portswigger we narrowed it down to J2EEScan finding similar issues in different injection points in the same application. It was confirmed with Logger++ that J2EEScan doesn't roll up the finding in a similar manner to other extensions.
In the attached screenshot you can see that NoSQL Injection Detected (from a different extension) rolls up multiple findings in different requests and injection points.
Even though this project has multiple findings for the same XXE in different locations, I only see one finding. This makes it hard to validate the other findings (apart from the first) as the Request and Response aren't logged anywhere (unless you are using additional logging, which you then need to search through to find the other affected injection points). This issue also presents itself as an inconsistency throughout the UI (especially when using multiple Audit tasks) as additional findings are shown in some areas but not others,
e.g. Details page of audit screen shows 0 high severity issues:
Audit Items page shows 3 high severity issues (I confirmed these were J2EEScan issues):
Issue activity page shows no issue:
Issue activity summary page shows only one High severity issue for a different task.
Is this just me, or is this a possible improvement that could be made to how multiple issues are combined in J2EEScan?
Let me know if you need any other info.