The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

Backup file false positives

Jon | Last updated: Mar 16, 2020 10:10PM UTC

I am getting many, many instances of the "Backup file" issue type. The issue is that the scanner makes a request that is a variant of a legitimate request, for example instead of GET /users/sign_in.json, it will call GET /users/sign_in.json_backup. There are cases where this kind of call succeeds (result code 200) and fetches a valid document, although even in these cases it is not a different document than the unmodified URL would fetch. I would consider that a possible bug in request handling, but not necessarily a vulnerability. In addition to this, though, the scanner appears to report a "Backup file" issue if the request to the modified URL returns *any* text, even if the associated status code is an error such as 404 or 500. In my case, all of the latter class of issue reports are false positives. The application is just returning an error message or error page accompanied by the error status code, and there is no sensitive information in the response. It seems to me that the triggering of this issue report could be made smarter/less sensitive, and so less apt to result in false positives. For example, not reporting an issue if the status code is an error.
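
A triage pass over exported findings that applies the two distinctions drawn above (error status versus success, and success with unchanged content versus new content), as an added Python example that is not part of the original thread or of Burp itself; the BackupFinding record and the sample findings are constructed stand-ins for Burp's issue export, not its real format.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class BackupFinding:
    """One 'Backup file' finding: constructed stand-in for Burp's issue export."""
    original_url: str
    variant_url: str
    original_status: int
    original_body: bytes
    variant_status: int
    variant_body: bytes

def body_digest(body: bytes) -> str:
    """SHA-256 of a response body, so large bodies compare cheaply."""
    return hashlib.sha256(body).hexdigest()

def triage(f: BackupFinding) -> str:
    """Classify as 'likely-false-positive', 'same-content' or 'needs-review'."""
    # Error status (404, 500, ...): the app returned its error page with the
    # error code, so no backup content was disclosed.
    if f.variant_status >= 400:
        return "likely-false-positive"
    # 2xx but identical to the unmodified URL's body: a lenient router that
    # ignores the suffix, a request-handling quirk rather than an exposed backup.
    if body_digest(f.variant_body) == body_digest(f.original_body):
        return "same-content"
    # 2xx with different content: the only case that merits a human look.
    return "needs-review"

def triage_all(findings):
    """Group variant URLs by verdict for the report."""
    buckets = {"likely-false-positive": [], "same-content": [], "needs-review": []}
    for f in findings:
        buckets[triage(f)].append(f.variant_url)
    return buckets

# Constructed sample findings modelled on the thread's sign_in.json example.
SAMPLE = [
    BackupFinding("/users/sign_in.json", "/users/sign_in.json_backup", 200,
                  b'{"csrf":"abc"}', 200, b'{"csrf":"abc"}'),
    BackupFinding("/api/profile.json", "/api/profile.json_backup", 200,
                  b'{"name":"a"}', 404, b'{"error":"Not Found"}'),
    BackupFinding("/api/orders.json", "/api/orders.json_backup", 200,
                  b'[]', 500, b'Internal Server Error'),
    BackupFinding("/admin/config.json", "/admin/config.json_backup", 200,
                  b'{"debug":false}', 200, b'# constructed: differs from live doc'),
]
```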

Liam, PortSwigger Agent | Last updated: Mar 17, 2020 10:24AM UTC

Jon, would it be possible to send the full issue detail and the request and response demonstrating this issue to support@portswigger.net?

Karthika | Last updated: Nov 17, 2020 09:08PM UTC

I am facing similar false positive issues. Please let me know if there was a resolution for this.

Michelle, PortSwigger Agent | Last updated: Nov 18, 2020 09:27AM UTC

Hi, would you be happy to share some examples of the full issue details and the requests and responses so we can take a closer look, please? If so, could you send them over to support@portswigger.net? Also, can you confirm which version of Burp you are using?

Jose | Last updated: Jan 12, 2021 02:53PM UTC

I'm also seeing this, especially when scanning single-page applications with browser-powered scanning. Version: 2020.12 Build: 5930 Scanner version: 2020.12.1

Jose | Last updated: Jan 12, 2021 02:53PM UTC

I'm also seeing this, especially when scanning single-page applications with browser-powered scanning. Version: 2020.12 Build: 5930 Scanner version: 2020.12.1

Jose | Last updated: Jan 12, 2021 02:53PM UTC

apologies, didn't mean to post twice.

Michelle, PortSwigger Agent | Last updated: Jan 12, 2021 03:13PM UTC