Tuesday, October 15, 2024
HomePENTESTINGNew Burp Suite Version 1.7.23 adds support for 5 new Vulnerabilities

New Burp Suite Version 1.7.23 adds support for 5 new Vulnerabilities

Published on

Malware protection

Burp Suite is a graphical tool for testing Web application security. The tool is composed in Java and created by PortSwigger Security.

Burp Scanner is composed by industry-driving penetration testers. Burp Scanner incorporates a full static code investigation engine for the discovery of security vulnerabilities.

Burp’s scanning logic is persistently refreshed with upgrades to guarantee it can locate the most recent vulnerabilities.

- Advertisement - SIEM as a Service

This release adds support for 5 new Vulnerabilities

  • CSS injection – reflected and stored.
  • Link manipulation – reflected and stored.
  • Client-side HTTP parameter pollution – reflected and stored.
  • Form action hijacking – reflected and stored.
  • Open redirection – stored.

CSS injection

CSS injection vulnerabilities emerge when an application imports a template from a client provided URL, or implants client input in CSS hinders without sufficient escaping.

They are firmly correlated with cross-site scripting (XSS) vulnerabilities however regularly trickier to abuse it.

  • Executing arbitrary JavaScript using IE’s expression() function.
  • Using CSS selectors to read parts of the HTML source, which may include sensitive data such as anti-CSRF tokens.
  • Capturing any sensitive data within the URL query string by making a further style sheet import to a URL on the attacker’s domain, and monitoring the incoming Referer header.

Link Manipulation

Link manipulation happens once associated application embeds user input into the trail or domain of URLs that seem at intervals application responses.

An attacker can use this vulnerability to construct a link that, if visited by another application user, can modify the target of URLs at intervals the response.

It’s going to be potential to leverage this to perform varied attacks, such as:

  • Manipulating the path of an on-site link that has sensitive parameters in the URL. If the response from the modified path contains references to off-site resources, then the sensitive data might be leaked to external domains via the Referer header.
  • Manipulating the URL targeted by a form action, making the form submission have unintended side effects.
  • Manipulating the URL used by a CSS import statement to point to an attacker uploaded a file, resulting in CSS injection.
  • Injecting on-site links containing XSS exploits, thereby bypassing browser anti-XSS defenses, since those defenses typically do not operate on on-site links.

Client Side HTTP Parameter

Client-side protocol parameter pollution (HPP) vulnerabilities arise once associated application embeds user input in URLs in an unsafe manner.

An attacker will use this vulnerability to construct a universal resource locator that, if visited by another application user, can modify URLs at intervals the response by inserting extra question string parameters and typically predominate existing ones.

This might lead to links and forms having sudden facet effects. The security impact of this issue depends for the most part on the character of the appliance practicality.

Form action hijacking

Form action hijacking vulnerabilities arise once application places user-supplied input into the action URL of an HTML form.

An attacker will use this vulnerability to construct an URL that, if visited by another application user, can modify the action address of a kind to purpose to the attacker’s server.

If a user submits the form then its contents, together with any input from the victim user, are going to be delivered to the attacker server.

Even if the user does not enter any sensitive info, the form should still deliver a legitimate CSRF token to the attacker, allowing them to perform CSRF attacks.

Open redirection

Open redirection vulnerabilities emerge when an application joins client controllable information into the target of a redirection in a dangerous way.

An attacker can develop a URL inside the application that makes a redirection to an arbitrary external domain. This conduct can be utilized to encourage phishing assaults against clients of the application.

Also Read

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware

The Horus Protector crypter is being used to distribute various malware families, including AgentTesla,...

ErrorFather Hackers Attacking & Control Android Device Remotely

The Cerberus Android banking trojan, which gained notoriety in 2019 for its ability to...

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...

Fortigate SSLVPN Vulnerability Exploited in the Wild

A critical vulnerability in Fortinet's FortiGate SSLVPN appliances, CVE-2024-23113, has been actively exploited in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Cloud Penetration Testing Checklist – 2024

Cloud Penetration Testing is a method of actively checking and examining the Cloud system...

Top 10 Best Penetration Testing Companies & Services in 2024

Penetration Testing Companies are pillars of information security; nothing is more important than ensuring...

An Ultimate Checklist for Application Security Testing

According to a report by MarketsandMarkets, “The application security Testing market is expected to...