Burp community forum

Issues not visible if related to 404 resources

Ermak | Last updated: Sep 11, 2015 10:31AM UTC

Hello, the scanner found an XSS in the referer header, and the answer is a custom 404 page with the XSS in the answer. However, in the Target tab, the XSS is not visible if "Hide not-found items" is not disabled. Maybe vulnerabilities in the issues tab/window should always be visible... what do you think? Thank you.

Burp User | Last updated: Sep 11, 2015 10:34AM UTC

Oh, disabling the default option "Hide not-found items" is not enough; I also have to enable the visualization of 4xx requests.

Liam, PortSwigger Agent | Last updated: Sep 11, 2015 11:14AM UTC

Hi Ermak, thanks for your message. Have you managed to fully resolve your issue?

Burp User | Last updated: Sep 11, 2015 11:27AM UTC

An XSS (and probably other vulns) on a 404 resource is only visible in the issues tab/window if and only if the filter "Hide not-found items" is disabled and the filter to show "4xx requests" is enabled from the GUI. The default Target filter options do not show the vulnerability to the user. I think this is a bug by design.

PortSwigger Agent | Last updated: Sep 11, 2015 11:32AM UTC

Hi Ermak, thanks for your message. It's not a design bug, but a consequence of the default UI settings. We're planning to review the way display filters work to provide more granularity, and we'll look at this as part of that. I agree it would be desirable for this issue to be displayed by default.
