Burp Suite User Forum


How can I check if the Infiltrator works properly?

Adrian | Last updated: Oct 05, 2016 01:21PM UTC

Hi there! I patched a vulnerable demo Java application via Burp Infiltrator and then ran spider + active scan against the original web application and the patched version. I got two different scan results. The fun fact is that the scanner found more vulnerabilities in the non-patched version of the software (including out-of-band requests, SQLi etc.). How can I check that the Infiltrator patch works properly (from Burp Suite's point of view)? For example, in the Acunetix .NET AcuSensor I can send some kind of debug headers to the patched web application (ACU_HEADER if I remember correctly) and get the response with ACU_HEADER (then I know that in the deployment AcuSensor has been installed correctly). Cheers!

PortSwigger Agent | Last updated: Oct 05, 2016 04:03PM UTC

The easiest way to confirm that the Infiltrator patcher has correctly run is to look for changes in the filesystem where you have run it. In general, you will see changes in any .class or .jar files that are present, and also you will see a file called infiltrator.config appear. We are looking at providing some diagnostic output from the patching process to list out the changes that have been made, which will facilitate verification.

Burp Infiltrator only hooks the low-level APIs that are potentially dangerous sinks for user input, and does not change the behavior of the application in any way. To add a custom response header would involve hooking general purpose APIs for request handling; this needs to be done in different ways for different platform technologies and is more likely to introduce errors by changing the behavior of the application (by adding headers).

If you scan an application with Burp using the same configuration before and after installing Infiltrator, we would expect to see all of the original issues still being reported, and some additional informational issues relating to inputs reaching Infiltrator API sinks. If you are seeing fewer issues then it is possible that the same scan wasn't correctly replicated, or that installing the Infiltrator has in some way damaged the application so that some application functionality is not working correctly. We would suggest you investigate whether either of these possibilities has occurred.
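The filesystem check described in the reply above can be made repeatable by snapshotting the deployment before and after patching. The following is an added example, not PortSwigger code: it digests every .class file and every .class entry inside .jar files, diffs the two snapshots so you can see exactly which classes were rewritten, and looks for the infiltrator.config marker file. The deployment layout, class names and bytecode contents in `demo()` are constructed stand-ins.

```python
# Added example (not PortSwigger code): digest every .class file and every
# .class entry inside .jar files under a deployment, diff two snapshots, and
# check for the infiltrator.config marker file the reply above mentions.
import hashlib
import tempfile
import zipfile
from pathlib import Path

MARKER = "infiltrator.config"


def snapshot(root: str) -> dict:
    """Map 'rel/path.class' or 'rel/lib.jar!inner/Class.class' -> sha256 hex."""
    digests = {}
    for path in Path(root).rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.suffix == ".class":
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
        elif path.suffix == ".jar" and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as jar:  # look inside packaged libraries too
                for entry in jar.namelist():
                    if entry.endswith(".class"):
                        digests[f"{rel}!{entry}"] = hashlib.sha256(jar.read(entry)).hexdigest()
    return digests


def verify_patch(before_root: str, after_root: str) -> dict:
    """List rewritten classes; 'patched' needs changed bytecode AND the marker."""
    before, after = snapshot(before_root), snapshot(after_root)
    changed = sorted(k for k in before if k in after and before[k] != after[k])
    added = sorted(k for k in after if k not in before)
    marker = any(Path(after_root).rglob(MARKER))
    return {"changed": changed, "added": added, "marker_present": marker,
            "patched": bool(changed) and marker}


def demo() -> dict:
    """Build a constructed before/after deployment in a temp dir and verify it."""
    base = Path(tempfile.mkdtemp())
    for name, hooked in (("before", False), ("after", True)):
        root = base / name
        (root / "WEB-INF" / "lib").mkdir(parents=True)
        # Constructed stand-in bytecode: the hooked copy differs by a few bytes.
        body = b"\xca\xfe\xba\xbe" + (b"HOOKED" if hooked else b"ORIG")
        (root / "WEB-INF" / "Login.class").write_bytes(body)
        with zipfile.ZipFile(root / "WEB-INF" / "lib" / "app.jar", "w") as jar:
            jar.writestr("com/example/Dao.class", body)
        if hooked:
            (root / MARKER).write_text("# constructed marker\n")
    return verify_patch(str(base / "before"), str(base / "after"))
```

Run `snapshot()` against a copy of the real deployment taken before patching and against the patched tree; an empty `changed` list with no marker means the patcher never touched the application, which would also explain a scan that reports no Infiltrator-specific informational issues.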
