Feature request: Padding oracle passive scan check #4

Open
floyd-fuh opened this issue Jun 21, 2024 · 1 comment
Comments


floyd-fuh commented Jun 21, 2024

I think a really nice addition to this extension would be a passive scan check.

The passive scan check could go through all parameters and check if one of them is exactly a multiple of the most common block size (16) in hex or base64, then add an informational issue in Burp that this parameter should be checked for padding oracle. An advanced version of it would also check the entropy of the hex/base64-decoded version and only report the issue if the parameter has a high entropy.
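A stand-alone sketch of the heuristic proposed above (an added example, not code from the extension or from the issue author): decode each parameter as hex or base64, keep values whose decoded length is a whole number of 16-byte blocks, and only raise an informational finding when the decoded bytes also have high entropy, which is what keeps ordinary base64 values out of the results. Burp's extender API is not used here; `SAMPLE_PARAMS`, the entropy-ratio threshold and the finding dictionary are assumptions of the example.

```python
import base64
import binascii
import math
import re
from collections import Counter
from typing import Dict, List, Optional

BLOCK_SIZE = 16            # AES/CBC block size in bytes, the "most common block size" in the request
MIN_ENTROPY_RATIO = 0.85   # assumed threshold: fraction of the maximum entropy possible for the length

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]+={0,2}$")


def decode_candidate(value: str) -> Optional[bytes]:
    """Decode a parameter value as hex, or as standard/URL-safe base64; None if it is neither."""
    if len(value) % 2 == 0 and HEX_RE.fullmatch(value):
        return bytes.fromhex(value)
    if B64_RE.fullmatch(value):
        std = value.replace("-", "+").replace("_", "/")
        std += "=" * (-len(std) % 4)           # tolerate base64 with the padding stripped
        try:
            return base64.b64decode(std, validate=True)
        except (binascii.Error, ValueError):
            return None
    return None


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the bytes in bits per byte (0.0 for empty input, at most 8.0)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def check_parameter(name: str, value: str) -> Optional[dict]:
    """Informational finding when the value decodes to whole high-entropy blocks, else None."""
    raw = decode_candidate(value)
    if raw is None or len(raw) < BLOCK_SIZE or len(raw) % BLOCK_SIZE:
        return None
    entropy = shannon_entropy(raw)
    max_entropy = min(8.0, math.log2(len(raw)))   # a short string cannot reach 8 bits/byte
    if entropy / max_entropy < MIN_ENTROPY_RATIO:
        return None
    return {"parameter": name, "blocks": len(raw) // BLOCK_SIZE, "severity": "Information",
            "entropy_bits_per_byte": round(entropy, 2),
            "detail": "decoded length is a multiple of %d bytes with high entropy; "
                      "candidate for a padding oracle test" % BLOCK_SIZE}


def scan_parameters(params: Dict[str, str]) -> List[dict]:
    """Apply check_parameter to every request parameter and collect the findings."""
    return [f for f in (check_parameter(k, v) for k, v in params.items()) if f]


# Constructed sample request parameters (not real traffic) for a stand-alone run.
SAMPLE_PARAMS = {
    "token": bytes(range(32)).hex(),                                       # 2 distinct-byte blocks, hex: flagged
    "state": base64.urlsafe_b64encode(bytes(range(32))).rstrip(b"=").decode(),  # same bytes, unpadded b64: flagged
    "session": base64.b64encode(b"A" * 16).decode(),                       # 16 bytes, one repeated value: dropped
    "redirect": base64.b64encode(b"https://example.org/").decode(),        # 20 bytes, not a block multiple: dropped
    "page": "2",                                                           # neither hex nor valid base64: dropped
}

if __name__ == "__main__":
    for finding in scan_parameters(SAMPLE_PARAMS):
        print(finding)
```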

GovTech-CSG (Owner) commented

Hi, I am afraid this might create a lot of unnecessary noise in the Burp scan window, as many web requests do have base64 and size(16) data which are not part of the encryption. Furthermore, the aim of the extension is to target both Burp Suite Community and Professional edition so that it can benefit the wider community; the Burp passive scan feature seems to be only available in the Burp Suite Professional version.
