Burp Suite User Forum

BurpSuite Pro not finding Type Index 0x00500200 or 0x00500600 when present

Lochinvar | Last updated: Apr 06, 2021 09:04PM UTC

We have done multiple passive scans of a site and are not getting any issue results, even though issues are present in the target URL responses, in BurpSuitePro for
  • TLS cookie without secure flag set Medium 0x00500200
  • Cookie without HttpOnly flag set Low 0x00500600

We are configured for passive scanning/auditing. The Phase 1, Phase 2 scans are blue and filled in. We do a post visual inspection of request/response for other reported issues, trust but verify, of the findings and can see that the Set-Cookie response values are not httpOnly nor secure attributed.

Why are the Type Indexes not creating Medium/Low issues in the scan results?

Burp Version 2021.3.1 Build Number 6584

Hannah, PortSwigger Agent | Last updated: Apr 07, 2021 08:45AM UTC

Hi

Could you tell me where you are looking for your found issues?

Are you looking:
  • in "Scan task > View details > Issue activity"?
  • in "Dashboard > Issue activity"?
  • in "Target > Site map > Issues"?

Is there a difference between these different locations?

Could you also tell me if those two issue types aren't being reported at all, or if they are not being reported for a specific URL?

Lochinvar | Last updated: Apr 07, 2021 04:26PM UTC

We looked in
  • "Scan task > View details > Issue activity"
  • "Dashboard > Issue activity"

The Target > SiteMap > Issues has the items in the list, but that appears to be a "history" for those target URIs as we have resolved some of them already and have not purged the list.

Multiple URLs as every request has the issue from the start of the scan to the end as the first request introduces the cookie and we have it in every response.

The expectation is that the Task's, Scan Task/View Details/Issue Activity list and the Dashboard/Issue Activity List for the Tasks present would show findings based on that Task's execution. Is that not the case? Is our expectation incorrect and we need to purge the Target/Site Map/Issues history from Task to Task? Is it ignoring previous findings even though we told it to do a Passive Scan?

Regards

Hannah, PortSwigger Agent | Last updated: Apr 08, 2021 04:34PM UTC

The "Dashboard > Issue activity" contains a historical record of all found issues - these can't be removed from this panel.

If you have run previous scans against your site in the same project file, Burp will not re-report already found issues.

Could you try opening a new project file, or temporary project file and run a scan against your site in there?

If you are interested in repeat scans and tracking vulnerability trends over time, have you checked out our Enterprise edition? We offer a free trial on our website, so you can try it out to see if it would fit your use case.

Lochinvar | Last updated: Apr 08, 2021 08:59PM UTC

Hannah,

Anticipating that this was the case and the day cycle in responses, we already found this out. We created a new project and did a passive only scan and audit and found the issues that were being hidden by the previous scans in the same project file. Thanks.

Lochinvar | Last updated: Apr 08, 2021 08:59PM UTC

This bug report can be closed.

Hannah, PortSwigger Agent | Last updated: Apr 09, 2021 09:02AM UTC

I'm glad you resolved the issue. If there's anything else we can help with then please let us know!
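
Added example, not part of the thread and not PortSwigger code: a scanner-independent check of saved response headers for the two cookie conditions discussed above, useful for confirming what a fresh project file should report. The sample response, the function name `cookie_findings`, and the `over_tls` parameter are constructed for illustration; treating the Secure check as applying only to responses received over TLS is an assumption based on the issue name.

```python
"""Constructed example: flag Set-Cookie headers missing Secure / HttpOnly."""

# Constructed sample response (not taken from the thread).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/\r\n"
    "Set-Cookie: prefs=dark; Path=/; secure\r\n"
    "set-cookie: csrf=xyz; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n"
    "Set-Cookie: this line is body text, not a header\r\n"
)

SECURE_ISSUE = "TLS cookie without secure flag set"
HTTPONLY_ISSUE = "Cookie without HttpOnly flag set"


def cookie_findings(raw_response, over_tls=True):
    """Return a sorted list of (cookie_name, issue) for each missing flag."""
    findings = []
    for line in raw_response.splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                                # blank line ends the headers
        header, sep, value = line.partition(":")
        if not sep or header.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].partition("=")[0].strip()
        # Attribute names are case-insensitive; compare them lowercased.
        attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
        if over_tls and "secure" not in attrs:
            findings.append((cookie_name, SECURE_ISSUE))
        if "httponly" not in attrs:
            findings.append((cookie_name, HTTPONLY_ISSUE))
    return sorted(findings)


if __name__ == "__main__":
    for name, issue in cookie_findings(SAMPLE_RESPONSE):
        print(f"{name}: {issue}")
```
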
