Burp Suite User Forum


Backup file false positives

Jon | Last updated: Mar 16, 2020 10:10PM UTC

I am getting many, many instances of the "Backup file" issue type. The issue is that the scanner makes a request that is a variant of a legitimate request, for example instead of GET /users/sign_in.json, it will call GET /users/sign_in.json_backup. There are cases where this kind of call succeeds (result code 200) and fetches a valid document, although even in these cases it is not a different document than the unmodified URL would fetch. I would consider that a possible bug in request handling, but not necessarily a vulnerability. In addition to this, though, the scanner appears to report a "Backup file" issue if the request to the modified URL returns *any* text, even if the associated status code is an error such as 404 or 500. In my case, all of the latter class of issue reports are false positives. The application is just returning an error message or error page accompanied by the error status code, and there is no sensitive information in the response. It seems to me that the triggering of this issue report could be made smarter/less sensitive, and so less apt to result in false positives. For example, not reporting an issue if the status code is an error.
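
A triage heuristic along the lines Jon proposes, as an added example that is not part of this thread or of Burp's own check; the request/response pairs are constructed from the URLs in the post, and the function and class names are assumptions:

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Exchange:
    """One request/response pair as exported from the scanner (constructed here)."""
    url: str
    status: int
    body: str


def _digest(body: str) -> str:
    # Normalise whitespace so trivial formatting differences do not count as new content.
    return hashlib.sha256(" ".join(body.split()).encode()).hexdigest()


def triage_backup_finding(original: Exchange, variant: Exchange) -> str:
    """Classify a 'Backup file' finding by comparing the mutated request with the original.

    Returns a short label a reviewer can sort on:
      - error status (4xx/5xx): the server merely returned an error page -> likely false positive
      - redirect: needs a look, the target may or may not be a real file
      - same body as the original URL: lax routing, not a backup-file disclosure
      - 2xx with different content: the only case worth manual review
    """
    if variant.status >= 400:
        return "likely-false-positive: error status %d" % variant.status
    if 300 <= variant.status < 400:
        return "review: redirect"
    if _digest(variant.body) == _digest(original.body):
        return "likely-false-positive: same content as original"
    return "needs-review: 2xx with different content"


def triage_all(pairs):
    """Apply the heuristic to a list of (original, variant) pairs; returns a list of (url, label)."""
    return [(v.url, triage_backup_finding(o, v)) for o, v in pairs]


# Constructed sample data mirroring the cases described in the post.
ORIGINAL = Exchange("/users/sign_in.json", 200, '{"csrf": "abc"}')
SAMPLES = [
    (ORIGINAL, Exchange("/users/sign_in.json_backup", 404, '{"error": "Not found"}')),
    (ORIGINAL, Exchange("/users/sign_in.json.bak", 500, "Internal Server Error")),
    (ORIGINAL, Exchange("/users/sign_in.json_backup", 200, '{"csrf":  "abc"}')),
    (ORIGINAL, Exchange("/users/sign_in.json~", 200, "db_password=..."))
]

if __name__ == "__main__":
    for url, label in triage_all(SAMPLES):
        print(url, "->", label)
```

Only the last constructed case survives triage; the first three are the error-page and identical-content responses the post describes as noise.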

Liam, PortSwigger Agent | Last updated: Mar 17, 2020 10:24AM UTC

Jon, would it be possible to send the full issue detail and the request and response demonstrating this issue to support@portswigger.net?

Karthika | Last updated: Nov 17, 2020 09:08PM UTC

I am facing similar false positive issues. Please let me know if there was a resolution for this.

Michelle, PortSwigger Agent | Last updated: Nov 18, 2020 09:27AM UTC

Hi, would you be happy to share some examples of the full issue details and the requests and responses so we can take a closer look, please? If so, could you send them over to support@portswigger.net? Also, can you confirm which version of Burp you are using?
