Burp Suite User Forum
nonce parameter in URL considered to be a security threat by Burp Suite

Aasmeet | Last updated: May 28, 2020 08:09AM UTC

We use the Burp Suite tool for security testing of our applications. Our applications are built using .NET Framework. We use Identity Server 4 for single sign-on implementation, which in turn uses the OpenID protocol for (authentication + OAuth2). After performing a pen test for application login, a security vulnerability was reported by the Burp Suite tool. It was for the existence of "nonce" in the query string. Please find the exact issue reported by Burp Suite pasted at the end.

We checked to find that nonce is a cryptographically random string that the application adds to the initial request and Auth0 includes inside the ID Token, used to prevent token replay attacks. Here are a few links that explain this:

https://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest
https://auth0.com/docs/api-auth/tutorials/nonce

We also reached out to the Identity Server 4 support team to confirm this; they also replied that 'Nonce is a required parameter in the OpenID Connect protocol' and provided the following documentation link: https://openid.net/specs/openid-connect-core-1_0.html

Thus, since nonce appearing in the query parameter is not an issue, please let us know if this is an issue with the Burp Suite tool and how to get correct results. This is very important to us because we present this result to our customers as part of our security testing.

----
Burp Suite result: Medium Severity, Firm Confidence issue reported for 3 URLs

/connect/authorize
/connect/authorize
/connect/authorize/callback

Issue background
Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation
Applications should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.

Vulnerability classification:
CWE-200: Information Exposure
CWE-384: Session Fixation
CWE-598: Information Exposure Through Query Strings in GET Request

Issue detail
The URL in the request appears to contain a session token within the query string:
https://<our site name>/connect/authorize?client_id=myclient.id&redirect_uri=https%3A%2F%2F<our site name>%2Fsignin-oidc&response_mode=form_post&response_type=code%20id_token&scope=openid%20api1%20myclient.webapi%20offline_access&state=OpenIdConnect.AuthenticationProperties%3D1XhRev_561hsOxEaX5CQKlgGyoU_WQW0y9BPJnjTfHe1y0bAu4GW1Pl8pjur-bI6ypcpWIXk1pIGQYSOuLDqizK4nJUzGKHAfZPsxCr2mJ1RyGGqervC0A23YeCFXa561DavmqLvWGVyrwqOZ6Df34XbUhqzACB6KrmkwNfrFWV3bIYfd2qCUfrpGpYN-xHfYmJDAMoBqMLsdtBA6dXy84GyR8IBZr4bjuu46pdihrk8yJ2Hijbe9uLHcjNr1OyWLVJDawwjGwPbrcauRBxfdw&nonce=637255937269759316.MjJlNzc0MzAtMTM2My00Yzc5LTlhM2YtMWI4NTZlMjc3NDYxY2U1NWE4MDUtOGRlOC00ZDU4LWFkMDYtNDM2M2YxZjZmM2Mx&x-client-SKU=ID_NET451&x-client-ver=5.2.1.0
----
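The post above describes why the nonce is expected in the /connect/authorize query string: the relying party generates a fresh random value, binds it to the user's pending login, and later checks that the ID Token it receives carries the same value, so a captured token cannot be replayed into a different session. The following added example, which is not code from the original thread, from Identity Server 4 or from PortSwigger, sketches that lifecycle in Python for a hypothetical relying party: the authorization URL is built with a one-time state and nonce, both are kept server-side, and the callback is accepted only if the ID Token's nonce claim matches and the pending login has not already been consumed. The authority and client values are placeholders, the in-memory session store is a stand-in for real session storage, and the ID Token claims are passed in as an already-parsed dict because signature verification of the token is a separate step this example does not cover.

```python
import hmac
import secrets
import urllib.parse

# Hypothetical server-side store of pending logins: session id -> {"state", "nonce"}.
# A real relying party would keep this in its session backend, never in the URL.
PENDING_LOGINS = {}


def build_authorize_url(authority, client_id, redirect_uri, session_id):
    """Create the OIDC authorization request and remember its one-time values.

    Both state and nonce are random, single-use, and bound to this session only;
    they are not session tokens, so exposing them in the URL does not grant access.
    """
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    PENDING_LOGINS[session_id] = {"state": state, "nonce": nonce}
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_mode": "form_post",        # tokens come back in a POST body, not the URL
        "response_type": "code id_token",
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    return f"{authority}/connect/authorize?" + urllib.parse.urlencode(params)


def parse_query(url):
    """Return the query parameters of an authorization URL as a dict (for inspection)."""
    return dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))


def _equal(expected, actual):
    # Constant-time comparison; values are encoded so non-ASCII input cannot raise.
    return hmac.compare_digest(str(expected).encode(), str(actual).encode())


def validate_callback(session_id, state, id_token_claims):
    """Check the callback against the pending login and consume it.

    Returns (accepted, reason). The pending entry is removed on first use, so a
    replayed callback for the same login is rejected even with correct values.
    """
    pending = PENDING_LOGINS.pop(session_id, None)
    if pending is None:
        return False, "no pending login for this session (possible replay)"
    if not _equal(pending["state"], state):
        return False, "state mismatch"
    if not _equal(pending["nonce"], id_token_claims.get("nonce", "")):
        return False, "nonce mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through with placeholder authority and client values.
    url = build_authorize_url("https://idp.example", "myclient.id",
                              "https://app.example/signin-oidc", "session-1")
    q = parse_query(url)
    # Constructed ID Token claims as the IdP would return them after login.
    claims = {"sub": "user-123", "nonce": q["nonce"]}
    print(validate_callback("session-1", q["state"], claims))   # first use: accepted
    print(validate_callback("session-1", q["state"], claims))   # replay: rejected
```

The check that matters for the Burp finding is the last one: the nonce on its own unlocks nothing, because a callback is only accepted when it arrives in the same session that generated the value, and only once. The `response_mode=form_post` parameter visible in the posted URL is what keeps the actual tokens out of the query string.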

Liam, PortSwigger Agent | Last updated: May 28, 2020 08:53AM UTC

Issues and ratings are based on the experience of the security researchers in the Burp team, based on seeing the vulnerabilities in real applications. The actual impact of any issue will always depend on the nature of the application functionality and the business context in which it appears. Hence, issues should always be manually reviewed based on the tester's knowledge of the application. If you are happy that this finding is not a security issue for your customers, you can mark this as a false positive. Please let us know if you need any further assistance.