Burp Suite User Forum


Site Map Overwriting Responses on Case-Sensitive Website

n0rthw4rd | Last updated: Apr 29, 2024 12:45PM UTC

Hello,

Burp Suite Professional v2024.3.1.3 appears to be overwriting page responses within the sitemap, rather than creating new entries, on case-sensitive websites. I am uncertain when this behaviour started; it was also present in the previous version.

Example: When accessing an endpoint, "/Buyer/Main", the application responds with a 302. When accessing "/Buyer/main", the application responds with a 404.

Expected behaviour:

1. Burp creates a sitemap entry for "/Buyer/Main" with a 302 response.
2. Burp creates an additional sitemap entry for "Buyer/main" with a 404 response.

Actual behaviour:

1. Burp creates a sitemap entry for "/Buyer/Main" with a 302 response.
2. A new entry for "/Buyer/main" is NOT created. Burp overwrites the endpoint's existing "/Buyer/Main" 302 response with the newly received 404, erasing the previous response.

The screenshots below demonstrate case and response discrepancies in the sitemap tab. https://imgur.com/a/XCnNkGG

Hannah, PortSwigger Agent | Last updated: Apr 30, 2024 10:53AM UTC

Hi,

Thank you for raising this. As part of its consolidation behavior, Burp matches requests and consolidates them. Unfortunately, this consolidation is not case sensitive. We've added your +1 to our bug report for this behavior. Is this an issue that you commonly encounter, or is this the first site where you have encountered this issue?

n0rthw4rd | Last updated: Apr 30, 2024 02:58PM UTC

Unfortunately I have no idea how many times this has taken place. Obviously most sites don't mix case sensitivities, but hosts with complex endpoint routing or proxying are more likely to cause this to happen. I'm willing to bet this isn't the first time for me, though it is the first time I've actually noticed, because an interesting response was overwritten.

Hannah, PortSwigger Agent | Last updated: May 01, 2024 10:00AM UTC

Thanks for that information. We've added this to the ongoing bug report to help us prioritize this ticket better in the future. Unfortunately, we are not able to provide a timeframe for fixing this issue at the moment, but we are tracking the number of people impacted by it and using that to guide us in our prioritization. If there's anything else we can help with, then please let us know.
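A way to check a request log of your own for the condition discussed in this thread, added here as an example that is not part of any post and is not PortSwigger code. The record format `(method, URL, status)`, the host `shop.example` and the function names are assumptions, and the case-folded key is a simplified model of case-insensitive matching, not Burp's actual consolidation logic.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records (method, URL, status); hostnames are placeholders.
SAMPLE = [
    ("GET", "https://shop.example/Buyer/Main", 302),
    ("GET", "https://shop.example/Buyer/main", 404),
    ("GET", "https://SHOP.example/Buyer/Main", 302),
    ("GET", "https://shop.example/about", 200),
    ("GET", "https://shop.example/About", 200),
    ("POST", "https://shop.example/login", 200),
]

def exact_key(method, url):
    """Key that keeps path case; scheme and host are case-insensitive anyway."""
    u = urlsplit(url)
    origin = f"{u.scheme}://{u.hostname}" + (f":{u.port}" if u.port else "")
    return (method.upper(), origin, u.path)

def folded_key(method, url):
    """Key a case-insensitive merge would use (assumed model)."""
    m, origin, path = exact_key(method, url)
    return (m, origin, path.casefold())

def case_collisions(records):
    """Map folded key -> {exact path: statuses} for paths differing only by case."""
    groups = defaultdict(lambda: defaultdict(set))
    for method, url, status in records:
        groups[folded_key(method, url)][exact_key(method, url)[2]].add(status)
    return {k: dict(v) for k, v in groups.items() if len(v) > 1}

def lost_responses(records):
    """Collisions whose case variants returned different statuses, i.e. where
    a last-write-wins merge would discard a distinct response."""
    out = {}
    for key, variants in case_collisions(records).items():
        if len(set().union(*variants.values())) > 1:
            out[key] = variants
    return out

if __name__ == "__main__":
    for (method, origin, _), variants in lost_responses(SAMPLE).items():
        for path, statuses in sorted(variants.items()):
            print(f"{method} {origin}{path} -> {sorted(statuses)}")
```

Run against a log kept outside the sitemap, this lists the endpoints whose earlier responses are worth re-checking by hand.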
