Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All
Documentation

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite
Extensibility

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility
Name is required.
Email address is required.
Invalid email address
Answer is required.
Exceeding max length of 5KB

Query Parameter in SSL Request, where is this?

Albert Whale Jul 06, 2015 05:29PM UTC

I am validating issues which were previously found. In the URL, the following information is available:

GET /cleaned/servlet/ControllerServlet?commandLink=AppPriceReportList.jsp HTTP/1.1

Since the connection is via SSL, I would have expected that Burp would have flagged this as an issue.

What happened?


Dafydd Stuttard Jul 07, 2015 08:15AM UTC Support Center agent

Please can you describe exactly what the security vulnerability is that you believe is present in the application’s behavior, and we’ll be able to determine whether Burp should have reported it?


Albert WHale Jul 07, 2015 01:55PM UTC
The real issue at hand here is two fold. Here is the original Request:

GET /cleaned/servlet/ControllerServlet?commandLink=AppBillingHistory.jsp HTTP/1.1

Given that the commandLink parameter is exposed, and is also a controlling factor in the application, it identifies different functions within the application, which may or may not be available to the authenticated user.

The Title of this question is actually the vulnerability which was uncovered via AppScan.

Thank you.

Dafydd Stuttard Jul 07, 2015 02:59PM UTC Support Center agent

Thanks for the follow-up.

It’s certainly true that there is a parameter in the request that controls server-side behavior, but this is common. In fact, it is how the majority of application functions are implemented, so on its own it does not constitute a vulnerability. The use of SSL or otherwise is not relevant to that question.

It is possible that the application contains access control vulnerabilities, and that users can gain access to unauthorized functions or data by modifying parts of requests. Burp Scanner doesn’t automatically test for access control issues, and finding these bugs generally requires human input, to understand the purpose of each function and whether it ought to be access controlled.

It’s not clear what issue your other scanner was reporting. It’s possible it was trying to find access control issues, but the description suggests otherwise. We would not regard the appearance of request parameters as being a reportable issue.


Post Your public answer

Your name
Your email address
Answer