Finding that one weird endpoint, with Bambdas


Security research involves a lot of failure. It’s a perpetual balancing act between taking small steps with a predictable but boring outcome, and trying out wild concepts that are so crazy they might just work… but probably won’t.

At PortSwigger Research, we’ve observed that making it easy to try out wild ideas is really valuable, because it minimises the cost of failure, encouraging ambitious experiments and leading to exciting discoveries.

We try many of our ideas out by coding custom Burp extensions, and running them on a 20GB project file which contains the homepage of ~every website that we’re legally allowed to test. You can find more details on how we generate this project file in Cracking the Lens.

Burp Suite recently launched a powerful new feature called Bambdas that lets users code mini-extensions directly inside the proxy, complete with code-autocomplete, syntax-highlighting and instant evaluation. We quickly found that this made it even easier to mine the project file for vulnerabilities by eliminating the need to use a separate IDE and providing instant feedback.

We soon ended up with a bunch of Bambdas for spotting HTTP endpoints exhibiting unusual behaviour – here are a few of our favourites, each of which flagged at least one real website:

Large redirect responses

This Bambda will flag 3xx redirect responses with a body over 1000 bytes – this can indicate sites that forgot to terminate script execution when the user fails authentication, so the redirect to the login page is followed by the full content of the protected page, typically leading to information disclosure:

// Keep only proxy history entries that have a response...
return requestResponse.hasResponse() &&
    // ...with a 3xx redirect status code...
    requestResponse.response().statusCode() >= 300 && requestResponse.response().statusCode() <= 399 &&
    // ...and a body larger than 1000 bytes (a plain redirect normally has an empty or tiny body)
    requestResponse.response().body().length() > 1000;
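As an added example that is not part of the original post or PortSwigger's own Bambda, the filter below builds on the same idea but cuts down on noise: on top of the 3xx status and body-size check, it requires the body to contain markup that suggests a fully rendered page (a form, script or table) rather than a short static "Moved" template. The 1000-byte threshold and the marker strings are assumptions chosen for illustration; bodyToString() is the Montoya API call that returns the response body as a string.

```java
// Added example (not from the PortSwigger post): a Proxy HTTP history Bambda that refines
// the "large redirect response" check. Returning true keeps the entry visible in the history.

// Minimum body size for a redirect to be considered suspicious (assumed value, same as the post).
int threshold = 1000;

// Entries without a response can never be a leaky redirect.
if (!requestResponse.hasResponse()) {
    return false;
}

var response = requestResponse.response();
int status = response.statusCode();

// Only redirect responses are of interest.
if (status < 300 || status > 399) {
    return false;
}

// A plain redirect normally carries an empty or tiny body; anything larger deserves a look.
if (response.body().length() <= threshold) {
    return false;
}

// Require markup that suggests the server rendered a real page before (or instead of)
// stopping, e.g. a form, inline script or data table. The marker strings are assumptions;
// drop this test when hunting broadly, since a plain-text dump would not match them.
String body = response.bodyToString().toLowerCase();
return body.contains("<form") || body.contains("<script") || body.contains("<table");
```

Paste this into the HTTP history filter in Bambda mode; entries for which it returns true stay listed, and the redirect target in the Location header together with the oversized body can then be reviewed by hand. The extra markup test trades some recall for precision: a site that leaks a JSON or plain-text body after a redirect would slip past it, so it is a triage aid, not a replacement for the simpler size-only filter above.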

Responses with multiple
