Burp Suite User Forum


Versions 2023.9.1 and 2023.10.2 do not include <vulnerabilityClassifications> in the XML and HTML reports generated using Sparky

Kamalpreet | Last updated: Sep 19, 2023 12:23PM UTC

Hi team,

We upgraded Burp recently to 2023.9.1 and then to 2023.10.2, and found out that these versions are not returning vulnerability classification details in the XML and HTML reports. We have automated the report generation in our Java project using the Sparky endpoint to generate these reports. We found that the reports generated using the Burp Suite UI tool have the vulnerability classification details, but we need them to be present in the Sparky endpoint-generated reports as well (both XML and HTML). Please find the command and output below:

    curl -v --location 'http://<burp_vm IP>:<SparkyPort>/sparky/report' \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --data-urlencode 'url=Target Url' \
      --data-urlencode 'format=xml' \
      --data-urlencode 'path=report.xml'

Following are the <issue> element details in the generated report:

    <issue>
      <serialNumber>xxxxxxxxxxxxxxxxxxx</serialNumber>
      <type>134217728</type>
      <name><![CDATA[Cookie without HttpOnly flag set]]></name>
      <host ip="xxxxxxxx">http://xxxxxxx:xxxx</host>
      <path><![CDATA[/WebGoat/]]></path>
      <location><![CDATA[/WebGoat/]]></location>
      <severity>Low</severity>
      <confidence>Firm</confidence>
      <issueBackground><![CDATA[<p>If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure makes certain client-side attacks, such as cross-site scripting, slightly harder to exploit by preventing them from trivially capturing the cookie's value via an injected script.</p>]]></issueBackground>
      <remediationBackground><![CDATA[<p>There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.</p> <p>You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing. </p>]]></remediationBackground>
      <issueDetail><![CDATA[The following cookie was issued by the application and does not have the HttpOnly flag set:<ul><li><b>xxxxxxxxxx</b></li></ul>The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.]]></issueDetail>
      <issueDetailItems>
        <issueDetailItem><![CDATA[Session: xxxxxxxxxx]]></issueDetailItem>
      </issueDetailItems>
      <requestresponse>
        <request method="GET" base64="true"><![CDATA[xxxxxxxxxx==]]></request>
        <response base64="true"><![CDATA[xxxxxxxxxxx]]></response>
        <responseRedirected>false</responseRedirected>
      </requestresponse>
    </issue>

How can we get the vulnerability classification information using the "http://<burp_vm IP>:<SparkyPort>/sparky/report" API endpoint?
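A pipeline-side check for the regression described in the post above, added here as an example and not code from the poster or from PortSwigger: it parses a Burp XML report and lists every <issue> whose <vulnerabilityClassifications> element is absent or empty, so an automated report job can fail loudly instead of silently shipping reports without classification data. The embedded report is a constructed sample in the shape shown in the thread (the root <issues> element, host, path and CWE link are assumed sample values).

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample in the shape of a Burp XML report: the first issue carries
# <vulnerabilityClassifications>, the second (as in the thread) does not.
SAMPLE_REPORT = """<?xml version="1.0"?>
<issues burpVersion="2023.10.2" exportTime="Tue Sep 19 12:00:00 UTC 2023">
  <issue>
    <serialNumber>1000000000000000001</serialNumber>
    <name><![CDATA[Cookie without HttpOnly flag set]]></name>
    <host ip="10.0.0.1">http://webgoat.example:8080</host>
    <path><![CDATA[/WebGoat/]]></path>
    <severity>Low</severity>
    <vulnerabilityClassifications><![CDATA[<ul><li><a href="https://cwe.mitre.org/data/definitions/1004.html">CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag</a></li></ul>]]></vulnerabilityClassifications>
  </issue>
  <issue>
    <serialNumber>1000000000000000002</serialNumber>
    <name><![CDATA[Cookie without HttpOnly flag set]]></name>
    <host ip="10.0.0.1">http://webgoat.example:8080</host>
    <path><![CDATA[/WebGoat/login]]></path>
    <severity>Low</severity>
  </issue>
</issues>
"""


def issues_missing_classifications(report_xml: str) -> List[Tuple[str, str, str]]:
    """Return (serialNumber, name, path) for each <issue> lacking classifications."""
    root = ET.fromstring(report_xml)
    missing = []
    for issue in root.iter("issue"):
        # CDATA content is exposed as plain text by ElementTree; None if absent.
        classes = issue.findtext("vulnerabilityClassifications")
        if not classes or not classes.strip():
            missing.append((
                issue.findtext("serialNumber", ""),
                issue.findtext("name", ""),
                issue.findtext("path", ""),
            ))
    return missing


def check_report(report_xml: str) -> bool:
    """Gate for an automated job: True only when every issue carries classifications."""
    return not issues_missing_classifications(report_xml)


if __name__ == "__main__":
    for serial, name, path in issues_missing_classifications(SAMPLE_REPORT):
        print(f"issue {serial} ({name} at {path}) has no vulnerabilityClassifications")
```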

Dominyque, PortSwigger Agent | Last updated: Sep 19, 2023 01:15PM UTC

Hi, can you please confirm what 'Sparky' is? A link to more information about it would be helpful.

Kamalpreet | Last updated: Sep 20, 2023 08:46AM UTC

We are using the getScanIssues method in IBurpExtenderCallbacks to get the details about security issues detected by Burp (https://portswigger.net/burp/extender/api/burp/iscanissue.html):

    IScanIssue[] getScanIssues(String urlPrefix);

The <vulnerabilityClassifications> element is not getting returned for the newer versions.

Dominyque, PortSwigger Agent | Last updated: Sep 20, 2023 12:03PM UTC

Hi, thank you for that information. We will test it here and get back to you as soon as possible. Thank you.

Kamalpreet | Last updated: Sep 26, 2023 05:30AM UTC

Is there an update for this issue?

Dominyque, PortSwigger Agent | Last updated: Sep 26, 2023 01:46PM UTC

Hi Kamalpreet, can you please email support@portswigger.net with a copy of the extension code you are using to achieve this functionality so we can look closely at it?

Dominyque, PortSwigger Agent | Last updated: Sep 27, 2023 10:47AM UTC

Hi, I wanted to update the thread for anyone else who may have encountered this issue. We have been able to replicate the issue of the references and vulnerability classifications not appearing in the extension-generated reports. A bug ticket has been created to address this, and I will update the thread when a fix has been released.
