Burp Suite User Forum


Issue Discovery - URIs with creds

Dominic | Last updated: Nov 29, 2023 11:35AM UTC

Could an auto-detect rule be added to detect creds in URI strings? A naive but performant rule could be: `\b((?<proto>\w+)://(?<userpass>\w+:\w+)@(?<domainPath>[\w\.:/]+))` or simply: `\b\w+://\w+:\w+@[\w\.:/]+`. This is useful for identifying SSRF vectors, dynamically configured connected systems, and use of uncommon protocols like AMQP. This is of most use to desktop/mobile proxying more so than web apps. Many thanks! DomZ

Michelle, PortSwigger Agent | Last updated: Nov 29, 2023 02:15PM UTC

Hi, thanks for getting in touch. Can I clarify what you mean by an auto-detect rule? Are you thinking of a passive scan check that would generate an issue when credentials are detected in a URI string?

Dominic | Last updated: Nov 29, 2023 09:56PM UTC

Hey, thanks for getting back to me. Yes, a passive scan check. Sorry, I was referring to the tab group heading. Just to be certain, it would appear in the listbox on the right of the Dashboard that auto-populates with items such as "Email disclosure", "Clickjacking...", "Cookies Not Secure" etc. URI strings are so common that it could slow Burp Suite down scanning all of them. Hence why I tried to provide the minimum usable version to balance accuracy with performance.

Michelle, PortSwigger Agent | Last updated: Nov 30, 2023 11:39AM UTC

Hi, have you taken a look at BChecks? You could create a BCheck to perform a custom passive scan: https://portswigger.net/burp/documentation/desktop/automated-scanning/bchecks/creating Please let me know if you have any questions.

Dominic | Last updated: Dec 11, 2023 09:45AM UTC

Hi Michelle, just to confirm this module absolutely helped address my issue. For posterity, and for the wider community's consumption, here is the rule I developed:

```
metadata:
    language: v1-beta
    name: "URI credentials disclosed in Response."
    description: "Looks in URIs with credentials."
    tags: "passive"
    author: "Dom Zukiewicz"

given response then
    if {latest.response} matches "\b\w+://\w+:\w+@(\w+://)?[^/?#]+\b" then
        report issue:
            severity: high
            confidence: firm
            detail: "A username:password pattern was detected inside a URI string. The response may disclose credentials that provide authenticated access to another resource."
            remediation: "Use HTTP Headers Authorization to prevent disclosure of credentials in URI strings, or use HTTP methods that provide the credentials in the body of the request."
    end if
```

Many thanks!

Michelle, PortSwigger Agent | Last updated: Dec 12, 2023 10:51AM UTC

I'm glad that helped. Thanks for sharing this :) If you're interested in sharing it further, we do have a repository on GitHub to help allow collaboration across the community: https://github.com/PortSwigger/BChecks
