Burp Suite User Forum

How do I manually reproduce ruby code injection in cookie parameters?

Jason | Last updated: Nov 17, 2015 03:45PM UTC

One of the apps I'm testing is coming up with a Ruby Code Injection alert. The confidence is listed as Firm.

Issue Details: The payload '+sleep(20.to_i)+' was submitted in the foo parameter within the bar cookie. The application took 22015 milliseconds to respond to the request, compared with 15 milliseconds for the original request, indicating that the injected Ruby code caused a time delay.

I've tried testing this manually by editing the cookie and refreshing the page, but it always loads immediately. I've tried using TamperData to confirm that the cookie is being sent with the payload, and it appears to be. I've also tried clearing the cache (minus cookies) and HTML-encoding the payload, to no avail. Am I doing something wrong? Any ideas would be appreciated!

PortSwigger Agent | Last updated: Nov 18, 2015 08:50AM UTC

It sounds like this is probably a false positive if you can't manually reproduce it. Burp tries time delay payloads multiple times, but if the application has varying latency then occasionally the response times will just happen to line up with what Burp is looking for, so the issue gets reported. For this reason, Burp reports this issue as tentative.
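
A timing finding like the one discussed in this thread can be triaged by repeating the request at several requested delays and checking whether the added latency tracks the requested value. The Python below is an added example, not part of the thread and not Burp's own logic; the function name `triage_timing_finding`, the tolerance, and all sample timings are constructed assumptions.

```python
from statistics import median

# Constructed timings in milliseconds (not from the thread's application).
# Key = delay requested by the payload in seconds; 0 = original request.
JITTER_ONLY = {
    0: [15, 18, 14, 22015, 16],   # one slow outlier that lines up by chance
    5: [17, 15, 21, 16, 14],
    10: [16, 19, 15, 18, 9800],
    20: [15, 14, 17, 16, 20],
}
REAL_DELAY = {
    0: [15, 18, 14, 16, 17],
    5: [5021, 5017, 5030, 5019, 5016],
    10: [10018, 10025, 10016, 10040, 10019],
    20: [20015, 20022, 20019, 22015, 20017],
}


def triage_timing_finding(samples, tolerance_ms=1500, min_trials=3):
    """Classify a time-delay finding from repeated measurements.

    Returns (verdict, extra), where extra maps each requested delay to the
    median added latency over the baseline median.
    """
    if 0 not in samples or len(samples) < 3:
        raise ValueError("need a baseline (0) and at least two delay values")
    if any(len(t) < min_trials for t in samples.values()):
        raise ValueError(f"need at least {min_trials} trials per delay value")
    baseline = median(samples[0])
    extra = {d: median(t) - baseline for d, t in samples.items() if d != 0}
    # A real injected sleep adds roughly the requested time at every value;
    # medians keep a single slow response from deciding the outcome.
    hits = [abs(ms - d * 1000) <= tolerance_ms for d, ms in extra.items()]
    if all(hits):
        verdict = "confirmed"
    elif not any(hits):
        verdict = "likely false positive"
    else:
        verdict = "inconclusive"
    return verdict, extra


if __name__ == "__main__":
    for name, data in (("jitter only", JITTER_ONLY), ("real delay", REAL_DELAY)):
        verdict, extra = triage_timing_finding(data)
        print(f"{name}: {verdict} {extra}")
```
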
