Erroneous identification of Cleartext submission CWE-319?

Dave | Last updated: Dec 06, 2019 05:05PM UTC

In a recent execution of a scan, Burp reported cleartext submission of a password, but the evidence in the report is merely the preceding GET request of the form which contains a password type field. The form itself has no "action" attribute and its submission is handled by JavaScript which submits the form via HTTPS. Burp is erroneously assigning the URL of the page containing the form to the form action. I have no record of form submission in my logs. Is this a bug, in that it is a false positive, or am I misinformed?

Mike, PortSwigger Agent | Last updated: Dec 09, 2019 02:51PM UTC

Hi Dave,

Unfortunately, we cannot make a decision for you on whether or not this is a false positive, as that is based on your application's implementation. However, looking at Burp's source code, it appears that we look at the form action URL and, if it is not HTTPS and the form contains password fields, we will report this issue. Therefore, if you are happy that the implementation of your application mitigates this issue, then it shouldn't be something to worry about.
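The heuristic described in the answer, rebuilt as an added illustration (this is not Burp's own code, and the page URL, form markup and `example.test` host are constructed for the example): a form with a password field is flagged when its resolved action URL is not HTTPS, and a form with no `action` attribute resolves to the URL of the page it sits on, which is why an action-less password form on an HTTP page is reported even if JavaScript later submits it over HTTPS.

```python
"""Re-implementation of the passive check described above (illustrative, not
Burp's source). A password form is flagged when its resolved action URL is
not https. Per the HTML spec, a missing or empty ``action`` resolves to the
document's own URL, so a scanner that only sees the page cannot know that a
script will later POST the form somewhere else over https."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect each <form>'s action attribute and whether it holds a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []          # list of {"action": str | None, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action"), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def cleartext_password_forms(page_url, html):
    """Return the resolved action URLs of password forms the heuristic would flag."""
    parser = _FormCollector()
    parser.feed(html)
    flagged = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # Missing or empty action resolves to the page URL itself (HTML spec).
        target = urljoin(page_url, form["action"] or "")
        if urlsplit(target).scheme.lower() != "https":
            flagged.append(target)
    return flagged


# Constructed sample reproducing the situation in the question: an http://
# page whose login form has no action attribute and is submitted by script.
PAGE_HTTP = "http://example.test/login"
NO_ACTION_FORM = '<form id="login"><input type="password" name="pw"></form>'
```

Serving the same page over HTTPS, or giving the form an explicit `https://` action, is what makes this heuristic stop firing; the script-driven submission itself is invisible to a check that only inspects the markup.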

