The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Issue Discovery - URIs with creds

Dominic | Last updated: Nov 29, 2023 11:35AM UTC

Could an auto-detect rule be added to detect creds in URI strings? A naive but performant rule could be: `\b((?<proto>\w+)://(?<userpass>\w+:\w+)@(?<domainPath>[\w\.:/]+))` or simply: `\b\w+://\w+:\w+@[\w\.:/]+`. This is useful for identifying SSRF vectors, dynamically configured connected systems, and use of uncommon protocols like AMQP. This is of most use to desktop/mobile proxying more so than web apps. Many thanks! DomZ

Michelle, PortSwigger Agent | Last updated: Nov 29, 2023 02:15PM UTC

Hi, thanks for getting in touch. Can I clarify what you mean by an auto-detect rule? Are you thinking of a passive scan check that would generate an issue when credentials are detected in a URI string?

Dominic | Last updated: Nov 29, 2023 09:56PM UTC

Hey, thanks for getting back to me. Yes, a passive scan check. Sorry, I was referring to the tab group heading. Just to be certain, it would appear in the listbox on the right of the Dashboard that auto-populates with items such as "Email disclosure", "Clickjacking...", "Cookies Not Secure" etc. URI strings are so common that it could slow Burp Suite down scanning all of them. Hence why I tried to provide the minimum usable version to balance accuracy with performance.

Michelle, PortSwigger Agent | Last updated: Nov 30, 2023 11:39AM UTC

Hi, have you taken a look at BChecks? You could create a BCheck to perform a custom passive scan: https://portswigger.net/burp/documentation/desktop/automated-scanning/bchecks/creating Please let me know if you have any questions.

Dominic | Last updated: Dec 11, 2023 09:45AM UTC

Hi Michelle, just to confirm this module absolutely helped address my issue. For posterity, and for the wider community's consumption, here is the rule I developed:

```
metadata:
    language: v1-beta
    name: "URI credentials disclosed in Response."
    description: "Looks in URIs with credentials."
    tags: "passive"
    author: "Dom Zukiewicz"

given response then
    if {latest.response} matches "\b\w+://\w+:\w+@(\w+://)?[^/?#]+\b" then
        report issue:
            severity: high
            confidence: firm
            detail: "A username:password pattern was detected inside a URI string. The response may disclose credentials that provide authenticated access to another resource."
            remediation: "Use HTTP Headers Authorization to prevent disclosure of credentials in URI strings, or use HTTP methods that provide the credentials in the body of the request."
    end if
```

Many thanks!
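The same passive check, run outside Burp as an added example (this is not Dominic's BCheck nor PortSwigger code): a Python script that applies a variant of the thread's `scheme://user:pass@host` regex to a response body and produces a finding with the password masked, so the report itself does not re-disclose the secret. The named groups, the `\s` exclusion in the host class, the `redact` helper and the sample response are all assumptions of this example; the sample body is constructed and contains no real endpoints or credentials.

```python
import re
from typing import Dict, List

# Regex adapted from the pattern posted in the thread above. The named groups
# and the whitespace exclusion in the host class are additions of this example.
URI_CREDS = re.compile(
    r"\b(?P<scheme>\w+)://(?P<user>\w+):(?P<password>\w+)@(?P<host>[^/?#\s]+)"
)

# Constructed sample response body (hypothetical hosts and values, not captured
# from any real system). Contains two credentialed URIs and one clean URL.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/json

{"queue": "amqp://svc_user:Hunter2@mq.internal.example:5672/",
 "db": "postgres://app:s3cret@db.internal.example/prod",
 "docs": "https://docs.example.com/start"}
"""


def redact(secret: str) -> str:
    """Keep the first character and mask the rest, so a finding can be
    shared in a report without repeating the credential verbatim."""
    if len(secret) <= 1:
        return "*"
    return secret[0] + "*" * (len(secret) - 1)


def find_uri_credentials(body: str) -> List[Dict[str, object]]:
    """Scan a response body for scheme://user:password@host patterns.

    The regex is compiled once at module level, which matters when the same
    check runs against every proxied response (the performance concern raised
    in the thread)."""
    findings: List[Dict[str, object]] = []
    for m in URI_CREDS.finditer(body):
        findings.append(
            {
                "scheme": m.group("scheme"),
                "user": m.group("user"),
                "host": m.group("host"),
                "password_redacted": redact(m.group("password")),
                "offset": m.start(),
            }
        )
    return findings


def to_issue(findings: List[Dict[str, object]]) -> Dict[str, object]:
    """Shape the findings like the BCheck's report: high severity, firm
    confidence, one issue covering every match in the response."""
    if not findings:
        return {}
    return {
        "name": "URI credentials disclosed in Response",
        "severity": "high",
        "confidence": "firm",
        "count": len(findings),
        "detail": [
            f"{f['scheme']}://{f['user']}:{f['password_redacted']}@{f['host']}"
            for f in findings
        ],
    }


if __name__ == "__main__":
    issue = to_issue(find_uri_credentials(SAMPLE_RESPONSE))
    for line in issue.get("detail", []):
        print(f"[{issue['severity']}/{issue['confidence']}] {line}")
```

Running it reports the `amqp://` and `postgres://` entries with their passwords masked and ignores the plain `https://` URL, which is the discrimination the thread's `\w+://\w+:\w+@` core relies on: a URL without a `user:pass@` segment never reaches the `@`.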

Michelle, PortSwigger Agent | Last updated: Dec 12, 2023 10:51AM UTC