Burp Suite User Forum


XML and XPath false positives in scanner module

Enos | Last updated: Apr 14, 2015 05:47PM UTC

The scanner module reports XML and XPath false positives when it finds certain strings (e.g. xmlschema, ajaxpath) in the response of automated scans, but it does not consider when those same strings were already present in the original response to unaltered requests.

PortSwigger Agent | Last updated: Apr 15, 2015 09:00AM UTC

Thanks for this report. Actually, Burp does check whether the XML-related strings that it checks for appear in the original base response, and doesn't report issues if they do. If you are seeing a case where the same XML-related string appears in the base response and the issue response, please let us have more details. You can email support@portswigger.net with any response extracts if they are sensitive. Thanks.
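The baseline comparison the reply describes, as an added example that is not Burp's own code: indicator strings are matched against both the unaltered base response and the probe response, and only indicators that are new in the probe response are reported. The indicator list and the sample responses are constructed for illustration.

```python
import re

# Constructed indicator patterns (assumption: not Burp's actual signature set).
XML_ERROR_PATTERNS = [
    re.compile(r"xmlschema", re.I),
    re.compile(r"xpath", re.I),      # a substring match also hits "ajaxpath"
    re.compile(r"libxml", re.I),
    re.compile(r"System\.Xml", re.I),
]


def find_indicators(body):
    """Return the set of indicator patterns that match a response body."""
    return {p.pattern for p in XML_ERROR_PATTERNS if p.search(body)}


def new_indicators(base_body, probe_body):
    """Indicators present in the probe response but absent from the baseline.

    A string that the unaltered page already contains (e.g. a reference to
    xmlschema.xsd or ajaxpath.js) is not evidence that the injected payload
    triggered anything, so it is subtracted from the probe's matches.
    """
    return find_indicators(probe_body) - find_indicators(base_body)


def should_report(base_body, probe_body):
    """Report only when the probe introduced at least one new indicator."""
    return bool(new_indicators(base_body, probe_body))


# Constructed sample responses.
HEAD = ('<head><link rel="schema" href="/xmlschema.xsd">'
        '<script src="/ajaxpath.js"></script></head>')
BASE = "<html>" + HEAD + "<body>ok</body></html>"
PROBE_SAME = BASE  # payload had no visible effect
PROBE_ERR = ("<html>" + HEAD +
             "<body>libxml2: XPath evaluation failed</body></html>")

if __name__ == "__main__":
    print("baseline indicators:", sorted(find_indicators(BASE)))
    print("unchanged probe reported:", should_report(BASE, PROBE_SAME))
    print("error probe reported:", should_report(BASE, PROBE_ERR),
          sorted(new_indicators(BASE, PROBE_ERR)))
```

Note that "XPath" in the error body is suppressed because "ajaxpath" already matched the same pattern in the baseline; the finding survives only because "libxml" is new, which is the trade-off this kind of subtraction makes.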
