The DetectDynamicJS Burp Extension provides an additional passive scanner that tries to find differing content in JavaScript files and aid in finding user/session data.
"A picture is worth a thousand words", please take a look.
Issues addressed in screenshots:
Duplicate reports
Second request also being sent as POST
Content-Length ignored
Status Code ignored
Content-Type ignored
I'm also working on it. If you had used 'inferredMimeType', I don't think it would have processed xml or html contents. Also, ignoring the '<' char if appeared first (as I had done previously), would reduce these false positives to some extent. The second request needs to be GET, ignoring the base request method. Content-length being ignored might be due to improper checking, and duplicate reports may be due to difference in parameters.
I'm also working on it, let me know if you have anything.
Well aware of all of them. Just didn't bother me too much yet. About
1: That one was on my list as next thing to implement. Patch coming soon (meaning about 2-3 weeks).
2: Is second on my list as things to implement. I'm not just going to drop POST, but see the other thread about this. If this can be done efficiently with Burp's API, I'm happy :) If the change from POST to GET (shifting the parameters to URL) returns a different answer, this should be a finding. But not a Detected Dynamic JS, but exactly that behavior and criticality low.
4: There is a Content-Length check somewhere, will have to see why that one it.
5: Status code is addressed in the other comment on the first pull request.
6: Content-Type is totally unreliable. It almost has to be ignored. As example: Yahoo sometimes sends script files as application/json.
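The filtering ideas raised in this thread (skip bodies whose first character is '<', do not compare error or redirect responses, decide on the body rather than Content-Type, report a script once regardless of query parameters), as an added example that is not part of the thread or the extension's code. The `Response` tuple, the function and class names, the 2xx rule and the sample data are assumptions made for illustration; the Burp API is not used.

```python
from collections import namedtuple
from urllib.parse import urlsplit

# Hypothetical stand-in for a Burp response; not the extension's types.
Response = namedtuple("Response", "status body")


def looks_like_markup(body):
    """True when the first non-blank character is '<' (HTML/XML, not script)."""
    return body.lstrip("\ufeff \t\r\n").startswith("<")


def dedupe_key(url):
    """Identify a script by scheme, host and path, ignoring query parameters."""
    parts = urlsplit(url)
    return (parts.scheme, parts.netloc.lower(), parts.path)


class DynamicJSFilter:
    def __init__(self):
        self._reported = set()

    def check(self, url, with_session, without_session):
        """Return a finding string, or None when the pair should be skipped."""
        # Assumed rule: both responses must be 2xx, otherwise an error
        # page or redirect would be compared against a script.
        for resp in (with_session, without_session):
            if not 200 <= resp.status < 300:
                return None
            # Content-Type is not consulted; the body itself decides.
            if looks_like_markup(resp.body):
                return None
        if with_session.body == without_session.body:
            return None  # identical content, nothing session-dependent
        key = dedupe_key(url)
        if key in self._reported:
            return None  # same script already reported with other parameters
        self._reported.add(key)
        return "dynamic script candidate: %s://%s%s" % key


# Constructed sample responses for illustration.
SCRIPT_A = Response(200, "var user = {name: 'alice'};")
SCRIPT_B = Response(200, "var user = null;")
LOGIN_PAGE = Response(200, "\n<!DOCTYPE html><html>login</html>")
```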