
UI not combining multiple findings

Open AkikoOrenji opened this issue 3 years ago • 2 comments

I noticed a few findings on my assessment were 'missing' and, working with PortSwigger, we narrowed it down to J2EEScan finding similar issues in different injection points in the same application. It was confirmed with Logger++ that J2EEScan doesn't roll up the findings in a similar manner to other extensions.

In the attached screenshot you can see that NoSQL Injection Detected (from a different extension) rolls up multiple findings in different requests and injection points.

[screenshot]

Even though this project has multiple findings for the same XXE in different locations, I only see one finding. This makes it hard to validate the other findings (apart from the first) as the Request and Response aren't logged anywhere (unless you are using additional logging, which you then need to search through to find the other affected injection points). This issue also presents itself as an inconsistency throughout the UI (especially when using multiple Audit tasks) as additional findings are shown in some areas but not others, e.g.:

The Details page of the audit screen shows 0 high severity issues:

[screenshot]

The Audit Items page shows 3 high severity issues (I confirmed these were J2EEScan issues):

[screenshot]

The Issue activity page shows no issue:

[screenshot]

The Issue activity summary page shows only one High severity issue, for a different task:

[screenshot]

Is this just me, or is this a possible improvement that could be made to how multiple issues are combined in J2EEScan?

Let me know if you need any other info.

AkikoOrenji, Feb 16 '22 22:02

Thank you for your ticket. I ask you:

  • In the first image you applied some filters (e.g. hide the 40x responses). If the vulnerability is detected in a 40x response, the issue is hidden by that filter. Could you please remove all filters in that window and verify again whether the correct number of issues is included?
  • I would like to have some more information regarding: the Burp version used, and the output of the j2eescan plugin (error and output).

ilmila, Feb 22 '22 16:02

Thanks for looking into this. With "show all" set as the filter it's the same behaviour:

[screenshot]

Burp is v2021.12.1.

Errors attached (anywhere you see 'redacted', the values were exactly the same as in the other findings): j2ee-err.txt, j2ee-output.txt

AkikoOrenji, Feb 22 '22 22:02