
collaborator issues

Vytautas Feb 15, 2016 11:25AM UTC

Hi,

I have observed a glitch in collaborator's functionality.

While (selectively) testing the persistent-xss module I have noticed the following payload being used:

'"><svg%2fonload%3d(new(Image)).src%3d'%2f%2f8aj0dogjoqjmx9n62xhgpsgs4jafy7ovfl2bq0\56b.example.com'>


Here the \56 part is odd. It should be a dot. However, it's this weird expression. It seems that the dot symbol (56 in decimal from the ASCII table) is not properly encoded/decoded.

I did not investigate other modules but I guess it's likely that other modules are affected.

The bug was verified in v1.6.36.

Please let me know (via email) once you have acknowledged/verified the issue.


Dafydd Stuttard Feb 15, 2016 02:08PM UTC Support Center agent

Burp is working as intended.

The \56 is JavaScript encoding for a dot, using Octal notation (not decimal). If the payload is embedded into an HTML document, and the value of the onload attribute is processed as JavaScript, the JS interpreter will treat the \56 as a dot, and so the embedded URL will get processed as we require.

The reason Burp deliberately obfuscates the URL in this way is to reduce the likelihood that other components that process the payload data will see the domain name and perform a DNS lookup of it. Some WAF-like products do this when they see a domain name embedded in a parameter value. Using context-specific obfuscation in this way helps to reduce false positives.
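
The following is an added example, not code from the thread or from Burp Suite, showing the decoding step that the reply describes and why a naive scanner misses the hostname. It resolves the JavaScript string-literal escapes a JS engine would resolve (the octal \56 from the thread, and, going beyond the thread, the \xHH, \uHHHH and \u{H...} forms as well) and then extracts hostnames before and after that normalisation. The sample payload, the hostname abc123.example.com and all function names are constructed for this illustration.

```javascript
// Added example (not from the original thread or from Burp): normalise a
// parameter value the way a JS engine would read it, so a log-review script
// or WAF rule sees the real hostname rather than the escaped form.

// Resolve JS string-literal escapes:
//   octal  \N, \NN, \NNN   (legacy, max \377)  e.g. \56  -> "."
//   hex    \xHH                                e.g. \x2e -> "."
//   unicode \uHHHH and \u{H..H}                e.g. \u002e -> "."
function decodeJsEscapes(s) {
  return s.replace(
    /\\(?:([0-3][0-7]{0,2}|[4-7][0-7]?)|x([0-9a-fA-F]{2})|u\{([0-9a-fA-F]{1,6})\}|u([0-9a-fA-F]{4}))/g,
    (match, oct, hex, uBrace, u4) => {
      if (oct !== undefined) return String.fromCharCode(parseInt(oct, 8));   // octal digits
      if (hex !== undefined) return String.fromCharCode(parseInt(hex, 16));
      if (uBrace !== undefined) return String.fromCodePoint(parseInt(uBrace, 16));
      return String.fromCharCode(parseInt(u4, 16));
    }
  );
}

// URL-decode (the payload arrives percent-encoded) and then resolve JS escapes.
function normalisePayload(raw) {
  let s = raw;
  try {
    s = decodeURIComponent(raw);
  } catch (e) {
    // malformed percent-encoding: keep the raw value rather than failing
  }
  return decodeJsEscapes(s);
}

// Pull out anything that looks like a dotted hostname.
function extractHostnames(text) {
  return text.match(/\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b/gi) || [];
}

// Constructed sample in the shape of the payload quoted in the thread;
// the hostname is a placeholder, not a real Collaborator domain.
const SAMPLE = "'\"><svg%2fonload%3d(new(Image)).src%3d'%2f%2fabc123\\56example.com'>";

// Naive view (URL-decoded only): the backslash splits the label, so the
// scanner sees "56example.com" and never looks up the intended host.
console.log("naive   :", extractHostnames(decodeURIComponent(SAMPLE)));
// Normalised view: \56 resolved to ".", the intended host is visible.
console.log("decoded :", extractHostnames(normalisePayload(SAMPLE)));
// The thread's point about octal vs decimal: 56 octal is 46 decimal, i.e. ".".
console.log("0o56 ->", parseInt("56", 8), JSON.stringify(String.fromCharCode(parseInt("56", 8))));
```

Note that legacy octal escapes are rejected in strict-mode code and in template literals, which is why the example builds the character with parseInt(…, 8) rather than writing the escape in source; an inline event-handler attribute, the context the reply describes, is not strict-mode code, so the engine resolves \56 there as the reply says.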


Vytautas Feb 16, 2016 06:58AM UTC
Thank you for your answer.
