Burp Suite User Forum


Issue report sequence

Jaspreet | Last updated: Feb 07, 2019 02:47PM UTC

Hello support, can you please help me regarding how the Burp tool picks the order for issue reporting in the HTML report? I am assuming the order is: ("OS command injection", 1); ("SQL injection", 2); ("SQL injection (second order)", 3); ("ASP.NET tracing enabled", 4); ("File path traversal", 5); ("XML external entity injection", 6); ("LDAP injection", 7); ("XPath injection", 8); ("XML injection", 9); ("ASP.NET debugging enabled", 10); ("HTTP PUT method is enabled", 11); ("Out-of-band resource load (HTTP)", 12); ("File path manipulation", 13); ("PHP code injection", 14); ("Server-side JavaScript code injection", 15); ("Perl code injection", 16); ("Ruby code injection", 17); ("Python code injection", 18); ("Expression Language injection", 19); ("Unidentified code injection", 20); ("Server-side template injection", 21); ("SSI injection", 22); ("Cross-site scripting (stored)", 23); ("Web cache poisoning", 24); ("HTTP response header injection", 25); ("Cross-site scripting (reflected)", 26); ("Client-side template injection", 27); ("Cross-site scripting (DOM-based)", 28); ("Cross-site scripting (reflected DOM-based)", 29); ("Cross-site scripting (stored DOM-based)", 30); ("JavaScript injection (DOM-based)", 31); ("JavaScript injection (reflected DOM-based)", 32); ("JavaScript injection (stored DOM-based)", 33); ("Path-relative style sheet import", 34); ("Client-side SQL injection (DOM-based)", 35); ("Client-side SQL injection (reflected DOM-based)", 36); ("Client-side SQL injection (stored DOM-based)", 37); ("WebSocket hijacking (DOM-based)", 38); ("WebSocket hijacking (reflected DOM-based)", 39); ("WebSocket hijacking (stored DOM-based)", 40); ("Local file path manipulation (DOM-based)", 41); ("Local file path manipulation (reflected DOM-based)", 42); ("Local file path manipulation (stored DOM-based)", 43); ("Client-side XPath injection (DOM-based)", 44); ("Client-side XPath injection (reflected DOM-based)", 45); ("Client-side XPath injection (stored DOM-based)", 46); ("Client-side JSON injection (DOM-based)", 47); ("Client-side JSON injection (reflected DOM-based)", 48); ("Client-side JSON injection (stored DOM-based)", 49); ("Flash cross-domain policy", 50); ("Silverlight cross-domain policy", 51); ("Cross-origin resource sharing", 52); ("Cross-origin resource sharing: arbitrary origin trusted", 53); ("Cross-origin resource sharing: unencrypted origin trusted", 54); ("Cross-origin resource sharing: all subdomains trusted", 55); ("Cross-site request forgery", 56); ("SMTP header injection", 58); ("Cleartext submission of password", 59); ("External service interaction (DNS)", 60); ("External service interaction (HTTP)", 62); ("External service interaction (SMTP)", 63); ("Referer-dependent response", 64); ("Spoofable client IP address", 65); ("User agent-dependent response", 66); ("Password returned in later response", 67); ("Password submitted using GET method", 68); ("Password returned in URL query string", 69); ("SQL statement in request parameter", 70); ("Cross-domain POST", 71); ("ASP.NET ViewState without MAC enabled", 72); ("XML entity expansion", 73); ("Long redirection response", 74); ("Serialized object in HTTP message", 75); ("Duplicate cookies set", 76); ("Input returned in response (stored)", 77); ("Input returned in response (reflected)", 78); ("Suspicious input transformation (reflected)", 79); ("Suspicious input transformation (stored)", 80); ("Request URL override", 81); ("Open redirection (reflected)", 82); ("Open redirection (stored)", 83); ("Open redirection (DOM-based)", 84); ("Open redirection (reflected DOM-based)", 85); ("Open redirection (stored DOM-based)", 86); ("SSL cookie without secure flag set", 87); ("Cookie scoped to parent domain", 88); ("Cross-domain Referer leakage", 89); ("Cross-domain script include", 90); ("Cookie without HttpOnly flag set", 91); ("Session token in URL", 92); ("Password field with autocomplete enabled", 93); ("Password value set in cookie", 94); ("File upload functionality", 95); ("Frameable response (potential Clickjacking)", 96); ("Browser cross-site scripting filter disabled", 97); ("HTTP TRACE method is enabled", 98); ("Cookie manipulation (DOM-based)", 99); ("Cookie manipulation (reflected DOM-based)", 100); ("Cookie manipulation (stored DOM-based)", 101); ("Ajax request header manipulation (DOM-based)", 102); ("Ajax request header manipulation (reflected DOM-based)", 103); ("Ajax request header manipulation (stored DOM-based)", 104); ("Denial of service (DOM-based)", 105); ("Denial of service (reflected DOM-based)", 106); ("Denial of service (stored DOM-based)", 107); ("HTML5 web message manipulation (DOM-based)", 108); ("HTML5 web message manipulation (reflected DOM-based)", 109); ("HTML5 web message manipulation (stored DOM-based)", 110); and so on. Let me know the order. Thanks, Jaspreet Singh

PortSwigger Agent | Last updated: Feb 07, 2019 03:43PM UTC

Yes, it's based on the Burp issue number. You have the option to sort by severity as well.

Burp User | Last updated: Feb 11, 2019 01:58PM UTC

But sometimes File path traversal comes after Cross-site scripting. Can you please let me know how to find the order and sort by severity? Thanks, Jaspreet Singh

PortSwigger Agent | Last updated: Feb 11, 2019 02:01PM UTC

There are two different path-related issues in Burp: File path traversal and File path manipulation. They come in a different order. The distinction is pretty minor, though. In the report generation wizard, at the step where you select where the report will be saved, there's an option for "Issue organization" and you can select "By severity".
