Burp Suite User Forum

Query Parameter in SSL Request, where is this?

Albert | Last updated: Jul 06, 2015 05:29PM UTC

I am validating issues which were previously found. In the URL, the following information is available:

GET /cleaned/servlet/ControllerServlet?commandLink=AppPriceReportList.jsp HTTP/1.1

Since the connection is via SSL, I would have expected that Burp would have flagged this as an issue. What happened?

PortSwigger Agent | Last updated: Jul 07, 2015 08:14AM UTC

Please can you describe exactly what the security vulnerability is that you believe is present in the application's behavior, and we'll be able to determine whether Burp should have reported it?

Burp User | Last updated: Jul 07, 2015 01:55PM UTC

The real issue at hand here is twofold. Here is the original request:

GET /cleaned/servlet/ControllerServlet?commandLink=AppBillingHistory.jsp HTTP/1.1

Given that the commandLink parameter is exposed, and is also a controlling factor in the application, it identifies different functions within the application, which may or may not be available to the authenticated user. The title of this question is actually the vulnerability which was uncovered via AppScan. Thank you.

PortSwigger Agent | Last updated: Jul 07, 2015 02:50PM UTC

Thanks for the follow-up. It's certainly true that there is a parameter in the request that controls server-side behavior, but this is common. In fact, it is how the majority of application functions are implemented, so on its own it does not constitute a vulnerability. The use of SSL or otherwise is not relevant to that question. It is possible that the application contains access control vulnerabilities, and that users can gain access to unauthorized functions or data by modifying parts of requests. Burp Scanner doesn't automatically test for access control issues, and finding these bugs generally requires human input, to understand the purpose of each function and whether it ought to be access controlled. It's not clear what issue your other scanner was reporting. It's possible it was trying to find access control issues, but the description suggests otherwise. We would not regard the appearance of request parameters as being a reportable issue.
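
The access control review described in the reply above, as an added example that is not part of the original thread or any PortSwigger code: a human-written matrix of which roles should reach each commandLink value is compared against responses recorded under each role's session. The role names, the AppExportData.jsp value, the recorded responses and the "Access denied" marker are constructed assumptions.

```python
"""Access-control matrix check for a commandLink-style dispatcher (added example)."""

# Human-written expectation: which roles SHOULD reach each commandLink value.
# The two JSP names come from the thread; roles and assignments are constructed.
EXPECTED = {
    "AppPriceReportList.jsp": {"user", "billing"},
    "AppBillingHistory.jsp": {"billing"},
}

# Constructed observations: (role, commandLink, HTTP status, response body),
# as recorded when the same request is replayed under each role's session.
OBSERVED = [
    ("user", "AppPriceReportList.jsp", 200, "<h1>Price report</h1>"),
    ("billing", "AppPriceReportList.jsp", 200, "<h1>Price report</h1>"),
    ("user", "AppBillingHistory.jsp", 200, "<h1>Billing history</h1>"),
    ("billing", "AppBillingHistory.jsp", 200, "<h1>Billing history</h1>"),
    ("anonymous", "AppBillingHistory.jsp", 302, ""),
    # Hypothetical value that nobody has classified yet.
    ("billing", "AppExportData.jsp", 200, "<h1>Export</h1>"),
    ("user", "AppExportData.jsp", 200, "<p>Access denied</p>"),
]

DENIED_MARKER = "Access denied"  # assumption: text of the app's refusal page


def is_granted(status, body):
    """A 200 that only renders the refusal page still counts as a denial."""
    return status == 200 and DENIED_MARKER not in body


def audit(expected, observed):
    """Return sorted (kind, role, commandLink) findings for a reviewer."""
    findings = []
    for role, link, status, body in observed:
        allowed = expected.get(link)
        got = is_granted(status, body)
        if allowed is None:
            if got:  # reachable function with no documented policy
                findings.append(("unreviewed", role, link))
        elif got and role not in allowed:  # more access than intended
            findings.append(("excess", role, link))
        elif not got and role in allowed:  # intended access is broken
            findings.append(("missing", role, link))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(EXPECTED, OBSERVED):
        print(*finding)
```

An "excess" row is a candidate access control defect, while an "unreviewed" row is a function that still needs someone to decide who should reach it.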
