Tuesday, March 23, 2021

Burp Suite - Adding Internal Path Disclosure Capabilities

Hi guys, I hope everyone is healthy.

If you work with Burp Suite, you may have noticed that Burp cannot identify Internal Path Disclosure vulnerabilities by default.

I know that most of the time this vulnerability is ranked as Informational or Low. But I decided to write this post after using the information obtained from an internal path leak to perform a more complex chain attack.

For this reason, the vulnerability was ranked as high due to the overall impact. In other words, I would not be able to create an effective attack chain without this leaked path.

The implementation is quite simple:

Install the Burp Bounty extension (unfortunately, it is available for Burp Pro only).
On the Profiles tab, go to Passive Response Profiles -> Add.
Fill in the fields (Response) and click Add.
Here you add the regex you are looking for. It is possible to add more than one regex. In my case, I created two different profiles, one for Windows issues and another one for Linux.

Here are the regexes for both cases:

Linux:  (?<!\S)(?:/[^/\s>]+)+
Thanks to codeworm for the help with Linux regex.

Windows: ([a-zA-Z]):\\?(\\[a-zA-Z0-9._-].*\s.*+)+\\
For Windows, the regex needs some enhancements.  
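
Before loading the Linux regex into a passive profile, you can check offline what it will and will not flag. This is an added example, not part of the original post or of Burp Bounty; the sample response bodies are constructed, and the `LIKELY_ROOTS` list and the `find_paths`/`triage` helpers are assumptions introduced for illustration.

```python
import re

# Linux regex exactly as given in the post.
LINUX_PATH = re.compile(r"(?<!\S)(?:/[^/\s>]+)+")

# Assumption (not from the post): first path components that usually
# indicate a server-side filesystem path rather than a URL path.
LIKELY_ROOTS = {"var", "etc", "home", "opt", "usr", "srv", "tmp", "root"}


def find_paths(body):
    """Return every substring the post's Linux regex would flag."""
    return [m.group(0) for m in LINUX_PATH.finditer(body)]


def triage(body):
    """Split matches into likely filesystem paths and probable noise."""
    result = {"likely": [], "noise": []}
    for path in find_paths(body):
        first = path.split("/")[1]  # component right after the leading slash
        key = "likely" if first in LIKELY_ROOTS else "noise"
        result[key].append(path)
    return result


# Constructed response bodies, for illustration only.
SAMPLES = {
    # Path preceded by a space: flagged.
    "php_warning": "Warning: include(): Failed opening 'db.php' "
                   "in /var/www/html/index.php on line 3",
    # Path wrapped in quotes: (?<!\S) rejects it, so nothing is flagged.
    "quoted_traceback": 'File "/opt/app/views.py", line 12, in index',
    # URL-style path in running text: flagged, but it is not a leak.
    "relative_link_text": "See /docs/api/v1 for the full reference.",
    # Path inside an HTML attribute: preceded by a quote, not flagged.
    "html_attribute": '<a href="/static/css/site.css">style</a>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name}: {triage(body)}")
```

The lookbehind `(?<!\S)` only accepts a path that starts the body or follows whitespace, so paths inside quotes or directly after a tag are missed, while ordinary URL paths in text are reported and need manual review.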

The new issues:




Now, some extra configuration is required for Burp to show it properly on the Target tab.
Click on the Issue tab and fill in the fields. The Severity and Confidence must be selected. You are free to select the rating you want. The issue detail is the information that will be displayed on the Target tab.


After you have added all the information, click OK and double-check that everything is saved. Sometimes the extension does not save the regex; then you must add it again.

Testing your new issues:

Navigate to: https://owasp.org/www-community/attacks/Full_Path_Disclosure and run a passive scan on this page.

Your Burp should show something like this:



Note: The Severity and Confidence are different on purpose, just to show it is possible to assess it differently.



Checking the match on the source code:

Linux: 



Windows:



 
That's it, guys!
Once I update the Windows regex, I will update the post.
