The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Incorrect path reported in target sitemap

Petr | Last updated: Sep 04, 2024 12:54PM UTC

Hello, I'm testing a website that uses Japanese characters in URL path and I've noticed that in some cases the discovered paths are incorrectly logged in the target sitemap in Burp. Steps to reproduce: 1) setup a webserver with a page that contains link to some resource in directory which name is in hiragana (other non-ascii characters are probably problematic too), for example '<link rel="stylesheet" href="あ/style.css" />': # mkdir www # echo '<!DOCTYPE html><html lang="ja-JP"><head><meta charset="utf-8"><link rel="stylesheet" href="あ/style.css" /></head><body>test</body></html>' > www/index.html # docker run --rm -v ./www:/usr/share/nginx/html:ro -p 5000:80 -d nginx 2) browse through Burp to the created webpage (http://127.0.0.1:5000) 3) open Target -> Sitemap and update filter to show all 4) the sitemap contains following URLs: http://127.0.0.1:5000/ http://127.0.0.1:5000/あ -- incorrect http://127.0.0.1:5000/あ/a.css -- incorrect http://127.0.0.1:5000/%E3%81%82 -- correct http://127.0.0.1:5000/%E3%81%82/a.css -- correct http://127.0.0.1:5000/a.css http://127.0.0.1:5000/favicon.ico --------------------------------------------------------------------------------------------------------- SYSTEM PROPERTIES --------------------------------------------------------------------------------------------------------- awt.dnd.drag.threshold 15 com.sun.net.ssl.requireCloseNotify false exe4j.moduleName *****/BurpSuitePro/BurpSuitePro file.encoding UTF-8 file.separator / flatlaf.uiScale.enabled false install4j.appDir *****/BurpSuitePro/ install4j.exeDir *****/BurpSuitePro/ install4j.jvmDir *****/BurpSuitePro/jre install4j.launcherId 70 install4j.swt false java.class.path *****/BurpSuitePro/.install4j/i4jruntime.jar:*****/BurpSuitePro/.install4j/launcherccf7dac9.jar:*****/BurpSuitePro/burpsuite_pro.jar java.class.version 65.0 java.home *****/BurpSuitePro/jre java.io.tmpdir /tmp java.library.path /usr/java/packages/lib:/usr/lib64:/lib64:/lib:/usr/lib java.net.useSystemProxies true java.runtime.name OpenJDK Runtime Environment java.runtime.version 21.0.4+7-LTS java.specification.name Java Platform API Specification java.specification.vendor Oracle Corporation java.specification.version 21 java.vendor Eclipse Adoptium java.vendor.url https://adoptium.net/ java.vendor.url.bug https://github.com/adoptium/adoptium-support/issues java.vendor.version Temurin-21.0.4+7 java.version 21.0.4 java.version.date 2024-07-16 java.vm.compressedOopsMode Zero based java.vm.info mixed mode java.vm.name OpenJDK 64-Bit Server VM java.vm.specification.name Java Virtual Machine Specification java.vm.specification.vendor Oracle Corporation java.vm.specification.version 21 java.vm.vendor Eclipse Adoptium java.vm.version 21.0.4+7-LTS jdk.debug release jdk.tls.allowUnsafeServerCertChange true jdk.tls.maxCertificateChainLength 1337 native.encoding UTF-8 org.bouncycastle.jsse.client.dh.minimumPrimeBits 1024 org.bouncycastle.jsse.client.dh.unrestrictedGroups true os.arch amd64 os.name Linux os.version 6.8.0-41-generic path.separator : python.console.encoding UTF-8 python.options.caseok false python.security.respectJavaAccessibility true stderr.encoding UTF-8 stdout.encoding UTF-8 sun.arch.data.model 64 sun.awt.enableExtraMouseButtons true sun.boot.library.path *****/BurpSuitePro/jre/lib sun.cpu.endian little sun.io.unicode.encoding UnicodeLittle sun.java.command install4j.burp.StartBurp sun.java.launcher SUN_STANDARD sun.jnu.encoding UTF-8 sun.management.compiler HotSpot 64-Bit Tiered Compilers user.country CZ user.dir *****/BurpSuitePro user.home ***** user.language cs user.name ***** user.timezone Europe/Prague --------------------------------------------------------------------------------------------------------- SYSTEM RESOURCES --------------------------------------------------------------------------------------------------------- Number of processors 4 Total JVM memory 736 MiB Max JVM memory 7.75 GiB Free JVM memory 343.75 MiB Total physical memory 15.5 GiB Free physical memory 746.07 MiB Total swap 2 GiB Free swap 1.99 GiB --------------------------------------------------------------------------------------------------------- BURP PROPERTIES --------------------------------------------------------------------------------------------------------- Burp Version 2024.7.5 Build Number 31789 Product Name Burp Suite Professional Update Channel Stable Burp Browser [version=127.0.6533.99, installationPath=*****/BurpSuitePro/burpbrowser/127.0.6533.99] Code source *****/BurpSuitePro/burpsuite_pro.jar Debug ID dzmupgq7l3ab5lpqyoli:e0zo JAR type Installer currenttimemillis 1725452616628 nanotime 21112900464511 superuser false --------------------------------------------------------------------------------------------------------- PROJECT PROPERTIES --------------------------------------------------------------------------------------------------------- Project type temporary --------------------------------------------------------------------------------------------------------- EXTENSIONS --------------------------------------------------------------------------------------------------------- Montoya build number 20240705000031789 Decoder Improved Extension type: Java, Extension state listeners: 1, Context menu providers: 1, Suite tabs: 1 Param Miner Extension type: Java Stepper Extension type: Java Authentication Token Obtain and Replace Extension type: Java AuthMatrix Extension type: Python, Method: registerExtenderCallbacks, Context menu providers: 1, Suite tabs: 1 Add Custom Header Extension type: Java Autorize Extension type: Python Custom Parameter Handler Extension type: Python CO2 Extension type: Java GraphQL Raider Extension type: Java HackBar, Payload Bucket Extension type: Java HTTP Request Smuggler Extension type: Java Hunt Scanner Extension type: Java InQL - GraphQL Scanner Extension type: Java Intruder File Payload Generator Extension type: Java Custom Extension type: Python OpenAPI Parser Extension type: Java Taborator Extension type: Java Upload Scanner Extension type: Python UPnP Hunter Extension type: Python WS Security Extension type: Java JSON Web Token Attacker Extension type: Java JSON Web Tokens Extension type: Java Turbo Intruder Extension type: Java Active Scan++ Extension type: Python AWS Security Checks Extension type: Python CSP-Bypass Extension type: Python CSRF Scanner Extension type: Java Detect Dynamic JS Extension type: Python Discover Reverse Tabnabbing Extension type: Python ExifTool Scanner Extension type: Java HTML5 Auditor Extension type: Java HTTPoxy Scanner Extension type: Java iRule Detector Extension type: Python JSON Decoder Extension type: Python, Method: registerExtenderCallbacks, Http request editor providers: 1, Http response editor providers: 1, Context menu providers: 1 .NET Beautifier Extension type: Java J2EEScan Extension type: Java Java Deserialization Scanner Extension type: Java Custom Extension type: Java NGINX Alias Traversal Extension type: Python NTLM Challenge Decoder Extension type: Java PHP Object Injection Check Extension type: Java Retire.js Extension type: Java Software Version Reporter Extension type: Java Software Vulnerability Scanner Extension type: Java ViewState Editor Extension type: Java SQLiPy Sqlmap Integration Extension type: Python Custom Extension type: Java Custom Extension type: Java Log4Shell Scanner Extension type: Java WordPress Scanner Extension type: Python Custom Extension type: Python Decompressor Extension type: Java Kerberos Authentication Extension type: Java Custom Extension type: Python SignSaboteur, Web Token Signer Extension type: Java, Extension state listeners: 1, Proxy request handlers: 1, Proxy response handlers: 1, Proxy WebSocket creation handlers: 1, Http request editor providers: 1, Http response editor providers: 1, Suite tabs: 1, Scanner checks: 1

Michelle, PortSwigger Agent | Last updated: Sep 05, 2024 10:24AM UTC