
Erroneous identification of Cleartext submission CWE-319?

Dave Varon Dec 06, 2019 05:05PM UTC

In a recent execution of a scan, Burp reported cleartext submission of a password, but the evidence in the report is merely the preceding GET request of the form which contains a password-type field. The form itself has no "action" attribute, and its submission is handled by JavaScript which submits the form via HTTPS. Burp is erroneously assigning the URL of the page containing the form to the form action. I have no record of form submission in my logs. Is this a bug, in that it is a false positive, or am I misinformed?


Mike Eaton Dec 09, 2019 03:09PM UTC Support Center agent

Hi Dave, unfortunately we cannot make a decision for you on whether or not this is a false positive, as that is based on your application implementation.

However, looking at the Burp source code, it appears that we look at the form action URL, and if it is not HTTPS and the form contains password fields, then we will report this issue. Therefore, if you are happy that the implementation of your application mitigates this issue, then it shouldn't be something to worry about.
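The following is an added illustration (not Burp's own code, and not the original poster's application) of the kind of static check the answer describes: each form is inspected for a password-type input, its action attribute is resolved against the URL of the page that served it (per the HTML specification, a missing or empty action submits to the document's own URL), and the form is flagged when the resolved scheme is not HTTPS. The page URLs, the sample HTML and the JavaScript submit handler in it are constructed for this example. It shows why a form with no action on an http:// page is reported even though a script later posts the credentials over HTTPS: a static check only sees the action, not the script's behaviour.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects every <form> with its action attribute and whether it holds a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; self-closing tags also arrive here.
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action"), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def resolve_action(page_url, action):
    """Resolve a form's submission URL: a missing or empty action means the page's own URL."""
    if action is None or action.strip() == "":
        return page_url
    return urljoin(page_url, action)


def find_cleartext_password_forms(page_url, html):
    """Return the resolved submission URLs of forms that contain a password field and
    whose action would submit over a scheme other than HTTPS.

    This mirrors the static check described in the answer: only the action attribute is
    examined, so a JavaScript handler that posts the data over HTTPS is invisible to it.
    """
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        target = resolve_action(page_url, form["action"])
        if urlsplit(target).scheme.lower() != "https":
            findings.append(target)
    return findings


# Constructed sample: a login form with no action attribute, submitted by a script over HTTPS.
SAMPLE_HTML = """<html><body>
<form id="login">
  <input type="text" name="user">
  <input type="password" name="pass">
  <button type="button" onclick="submitLogin()">Sign in</button>
</form>
<script>
function submitLogin() {
  fetch('https://example.test/api/login', {method: 'POST',
        body: new FormData(document.getElementById('login'))});
}
</script>
</body></html>"""

# Constructed sample: same page, but the form declares an explicit HTTPS action.
EXPLICIT_HTTPS_ACTION_HTML = """<html><body>
<form action="https://example.test/api/login" method="post">
  <input type="password" name="pass">
</form>
</body></html>"""


if __name__ == "__main__":
    # Served over HTTP with no action: the resolved action is the HTTP page itself, so it is flagged.
    print(find_cleartext_password_forms("http://example.test/login", SAMPLE_HTML))
    # Served over HTTPS: the resolved action is HTTPS, so nothing is reported.
    print(find_cleartext_password_forms("https://example.test/login", SAMPLE_HTML))
    # Explicit HTTPS action on an HTTP page: the action wins, so nothing is reported.
    print(find_cleartext_password_forms("http://example.test/login", EXPLICIT_HTTPS_ACTION_HTML))
```

The practical check, then, is the one the reply points at: capture the actual submission in the proxy history and confirm the request that carries the credential goes over HTTPS. If it does, giving the form an explicit HTTPS action (or serving the page itself over HTTPS) also stops a static check of this kind from reporting it.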

