Burp Suite User Forum


Very simple file traversal found manually in repeater, but nothing in Burp Dashboard or Issues.

Jean-Sebastien | Last updated: Sep 28, 2022 11:20AM UTC

Just wondering what I might be doing wrong. Last week, while doing a pentest on a business webapp & API, Burp found a classic traversal -> ../../../../../../etc/passwd. I manually tested the finding on the concerned API, and yes, all was good; the finding was confirmed and documented with our team. Perfect. A few days later, a team member asked me to redo this finding live with him (learning path & understanding). As I went in to recreate the situation, Burp found nothing wrong with the same API & endpoint. Wondering what was going on, I simply went into Repeater and tested manually. At that point, the original "attack" on the API worked and the API still responded in the same way -> the passwd file (and many more, bashrc, etc.) was indeed found in the response. But nothing was "officially" reported in Burp.

Question: What could be causing this situation?

Concern: if this is the case, I'm a bit concerned about Burp "missing" key findings from scan to scan on similar assets, especially when they are extremely simple.

Setup: running the latest and greatest version of Burp at the time of writing this post, a few basic extensions, Windows 10 Ent, integrated Burp browser; nothing funky really. Thanks.
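For readers following the thread: the finding above is a file-serving endpoint that lets `../` sequences walk out of its base directory. The following is an added illustration, not the poster's application and not PortSwigger's code, of why such a payload escapes and how a containment check stops it. `BASE_DIR`, the function names and the probe inputs are assumptions constructed for the example.

```python
import posixpath
from typing import Dict, List, Optional
from urllib.parse import unquote

# Assumed base directory of a file-download endpoint (constructed for the example).
BASE_DIR = "/var/www/app/files"

# Constructed probe inputs: a benign name, the traversal payload from the thread,
# a URL-encoded variant, an absolute path and a sibling-directory prefix trick.
PROBES: List[str] = [
    "reports/q3.pdf",
    "../../../../../../etc/passwd",
    "%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "/etc/passwd",
    "../files_evil/secret.txt",
]


def resolve_vulnerable(base_dir: str, user_path: str) -> str:
    """Naive join: '..' components are honoured after normalisation, and an
    absolute user path replaces base_dir entirely (posixpath.join semantics)."""
    return posixpath.normpath(posixpath.join(base_dir, unquote(user_path)))


def resolve_hardened(base_dir: str, user_path: str) -> Optional[str]:
    """Decode once, drop any leading slash, normalise, then require the result
    to be base_dir itself or a path strictly beneath it. Returns None when the
    request would leave the directory.

    In production, resolve symlinks too (os.path.realpath on the joined path)
    before the containment check; omitted here so the example runs offline."""
    decoded = unquote(user_path)
    candidate = posixpath.normpath(posixpath.join(base_dir, decoded.lstrip("/")))
    # The trailing "/" in the prefix check stops "/base/files_evil" from passing
    # as if it were inside "/base/files".
    if candidate != base_dir and not candidate.startswith(base_dir + "/"):
        return None
    return candidate


def compare_resolvers(base_dir: str, probes: List[str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Run every probe through both resolvers so the difference is visible
    side by side. None in the 'hardened' column means the request was refused."""
    return {
        probe: {
            "vulnerable": resolve_vulnerable(base_dir, probe),
            "hardened": resolve_hardened(base_dir, probe),
        }
        for probe in probes
    }


if __name__ == "__main__":
    for probe, outcome in compare_resolvers(BASE_DIR, PROBES).items():
        print(f"{probe!r}: vulnerable -> {outcome['vulnerable']!r}, "
              f"hardened -> {outcome['hardened']!r}")
```

The naive resolver sends the thread's payload to `/etc/passwd` no matter how many extra `../` it contains, because `normpath` silently discards `..` components that would climb above the filesystem root. The hardened resolver does not try to filter the payload string; it computes where the request would land and refuses anything outside the base directory, which is the property a scanner's traversal check is probing for.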

Liam, PortSwigger Agent | Last updated: Sep 28, 2022 12:05PM UTC

Hi Jean-Sebastien, thanks for your message. Did you repeat the test in a new project file?

Jean-Sebastien | Last updated: Sep 29, 2022 04:13PM UTC

Yes, it was. A fresh start. Ran a full scan in "deep" mode with all "checks" on.

Liam, PortSwigger Agent | Last updated: Sep 30, 2022 09:58AM UTC

Would it be possible to provide the request and response from Repeater that demonstrates the issue? Could we ask how you are triggering the scan? Is it possible that the crawl is not locating the vulnerable API endpoint?

Jean-Sebastien | Last updated: Sep 30, 2022 10:41AM UTC

1 - Possible, but Repeater && Intruder worked perfectly... My concern is mainly about the "generic scan" of the endpoint working perfectly the first time, but not in our subsequent scans...

2 - I always start scans by right-clicking the specific endpoint/object I want... "Random" webapp scans are usually too long/heavy/vast for our needs.

Note: locating the vulnerable API endpoint? Maybe there's something there. But then again, still surprised by these results as we pinpointed the proper endpoint for our scan. And more than once. But as always, the manual scan was right on point and the result was confirmed this way... Maybe this could be a cache challenge, LB or WAF of some sort impacting the generic scan... It’s so hard these days knowing what stands in front of an app, LMAO.

Liam, PortSwigger Agent | Last updated: Sep 30, 2022 11:39AM UTC

Thanks for the additional information. Is there a publicly available version of the application we could test remotely?

Jean-Sebastien | Last updated: Oct 04, 2022 10:16AM UTC

I would love to share, but this is a SecurID controlled web app. Thanks for the support and quick comeback.
