burp-suite-error-message-checks icon indicating copy to clipboard operation
burp-suite-error-message-checks copied to clipboard

Published 20 hours ago verified publisher icon augustd

False positive caused by one character matches in LDAP regex

Open dnet opened this issue 7 years ago • 4 comments

The LDAP regex looks like this

((dn|dc|cn|ou|uid|o|c)=[\w\d]*,\s?){2,}

However, we've found minified JS code that happened to use o and c right next to each other in a variable declaration, thus they were delimited by commas.

var r=this.doFooBar(n,i[t]),o=r,c=null,l=[],a=i[t];
//                          ^^^^^^^^^^^---------------- this matched

What would be a good fix? Would removing o and c (but leaving the five others) really harm LDAP exception detection that much?

dnet avatar Apr 23 '18 10:04 dnet

It is a tough call. The regex is already pretty specific, so making changes could create a false negative situation.

It seems like the issues you have reported so far (this and #45) have come on .js files. Maybe we should really be looking at a way to specify the types of files (either MIME type or extension) that should be scanned, or lowering the confidence of results when they appear on what should be a static file.

augustd avatar Apr 23 '18 20:04 augustd

That's a great idea, methods getInferredMimeType() and getStatedMimeType() of the class IResponseInfo could be used for getting the MIME type of the response. Sometimes these JS monsters are generated dynamically, so file extension is non-existent in the request, however, it could still be useful, method getURL of the class IRequestInfo is a good way to get that. Maybe with a blacklist approach (like ignore this rule if MIME type or extension suggests JS) we could minimize false negatives.

What do you think? Should I implement this and submit a pull request, or do you prefer to tackle it?

dnet avatar Apr 24 '18 07:04 dnet

I'd prefer to see the confidence rating bumped down by one (e.g. Firm -> Tentative) rather than having the rule be completely skipped. As you say, sometimes these files are generated dynamically, and that could throw errors.

It will be a while before I have time to do this so by all means send a pull request!

augustd avatar Apr 24 '18 09:04 augustd

I'd prefer to see the confidence rating bumped down by one (e.g. Firm -> Tentative) rather than having the rule be completely skipped.

I just had the same thought ~15 minutes after posting my reply. :)

dnet avatar Apr 24 '18 09:04 dnet