The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


XPath injection issue because of the word "xpath" in the response

Yogesh | Last updated: Mar 31, 2022 09:19AM UTC

The string 'XPath' happens to appear in our HTML response as a part of the Google analytics payload and that section has nothing to do with XML or XPATH. In fact, we are returning the word "XPath" explicitly in the response. We don't use XML or XPath for data storage (although we do use XMLs to hold store configurations).

Request:

GET /?store=001 HTTP/1.1
Host: abc.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Connection: close
Cache-Control: max-age=0
Referer: https://example.com/' <---- See the quote added here

Response:

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 23 Mar 2022 05:52:37 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 166794
Connection: close
Vary: Accept-Encoding
Set-Cookie: PHPSESSID=57mljo8alveaffd16f066mkgnv; expires=Wed, 23-Mar-2022 06:52:36 GMT; Max-Age=3600; path=/; domain=m2uat.surplusfurniture.com; secure; HttpOnly; SameSite=Lax
Pragma: no-cache
Cache-Control: max-age=0, must-revalidate, no-cache, no-store
Expires: Tue, 23 Mar 2021 05:52:36 GMT
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
vStore: abc.com
X-Host: abc.com
Accept-Ranges: bytes
Access-Control-Allow-Origin: *

Snip

<script type="application/ld+json">{"@context":"http:\/\/schema.org\/","@type":"WebPage","speakable":{"@type":"SpeakableSpecification","cssSelector":[".cms-content"],"xpath":["\/html\/head\/title"]}}</script>

Snip

Please note that in the response Snip, the word "XPath" is returned as a part of Google analytics payload. Just looking for reassurance that these are, in fact, false positives.
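One way to triage a finding like the one in the post above, as an added example that is not part of the original thread and is not PortSwigger's detection logic: compare the response to the unmodified request with the response to the request carrying the quote, and check whether the "xpath" keyword only ever sits inside valid JSON-LD. The sample bodies, function names and result labels are assumptions made for this example.

```python
import json
import re

# Constructed sample bodies modelled on the response snippet in the post.
LD_JSON = ('<script type="application/ld+json">{"@context":"http:\\/\\/schema.org\\/",'
           '"@type":"WebPage","speakable":{"@type":"SpeakableSpecification",'
           '"cssSelector":[".cms-content"],"xpath":["\\/html\\/head\\/title"]}}</script>')
BASELINE = "<html><head><title>Store</title>" + LD_JSON + "</head><body>ok</body></html>"
PROBE = BASELINE  # same page came back when the Referer ended with a single quote
# Constructed contrast case: an error string that appears only for the probe.
ERROR_PROBE = "<html><body>Warning: Invalid XPath expression near \"'\"</body></html>"

KEYWORD = re.compile(r"xpath", re.I)
LD_BLOCK = re.compile(r'<script type="application/ld\+json">(.*?)</script>', re.S | re.I)

def ld_json_spans(body):
    """Character spans of ld+json script bodies that parse as valid JSON."""
    spans = []
    for m in LD_BLOCK.finditer(body):
        try:
            json.loads(m.group(1))
        except ValueError:
            continue  # malformed block: do not treat it as trusted static data
        spans.append(m.span(1))
    return spans

def keyword_hits(body):
    """Return (total keyword hits, hits outside structured-data blocks)."""
    spans = ld_json_spans(body)
    hits = [m.start() for m in KEYWORD.finditer(body)]
    outside = [h for h in hits if not any(s <= h < e for s, e in spans)]
    return len(hits), len(outside)

def triage(baseline, probe):
    """Classify a keyword-based XPath finding by comparing both responses."""
    _, base_outside = keyword_hits(baseline)
    probe_total, probe_outside = keyword_hits(probe)
    if probe_total == 0:
        return "no-match"
    if probe_outside > base_outside:
        return "payload-induced"         # new occurrence appeared with the quote
    if probe_outside == 0:
        return "static-structured-data"  # keyword lives only inside valid JSON-LD
    return "static-content"              # outside JSON-LD, but in the baseline too

if __name__ == "__main__":
    print(triage(BASELINE, PROBE), triage(BASELINE, ERROR_PROBE))
```

A "static-structured-data" result only says the keyword match is not evidence of an error message; it does not by itself test the parameter for injection.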

Liam, PortSwigger Agent | Last updated: Mar 31, 2022 12:02PM UTC