Passive-aggressive scan checks


Tom Shelton-Lefley | 01 April 2022 at 08:00 UTC

Here at PortSwigger, our goal is to enable the world to secure the web. Our scanner sits at the core of this value – quickly surfacing issues and vulnerabilities that may be present in a web application.

However, lately we’ve become concerned that some discovered issues aren’t being taken seriously enough, particularly those found whilst passively browsing. Although these passive vulnerabilities aren’t as juicy as your RCEs or your SSRFs, we can’t sleep soundly at night until we know they’re all fixed.

To this end, we put our heads together on the scanner team and came up with a few ideas:

  • What if we increase the font size for the advisories of passive issues? Too small …
  • How about we randomly delete a system file every time a passive issue is found? Too big …
  • Could we make Burp Suite actually burp in the presence of passive issues? It’s been done before …

When we spoke to our marketing folks, they made it very clear that we’re not allowed to be straight-up hostile with our users. In fact, they couldn’t stress this enough... back to the drawing board again. Then it hit us: what if there’s a way to really push users towards fixing these vulnerabilities without them (or marketing) realizing that’s what we are doing?

With all of this in mind, I’m pleased to announce that, as of today, all passive checks detected by Burp Scanner will be replaced with passive-aggressive checks! Here’s a sneak preview:

| Old passive check | New passive-aggressive check |
|---|---|
| Cleartext submission of password | Sending passwords over plaintext HTTP - what could possibly go wrong? |
| Long redirection response | It’s really up to you if you want to return data no-one can see. |
| Duplicate cookies set | Setting this cookie once is probably enough, isn’t it? |
| Vulnerable JavaScript dependency | Should you really still be using that JavaScript dependency? |
| Session token in URL | Is the URL definitely the best place to put your session tokens? |
| Password returned in URL query | Didn’t you learn from the session token? |
| Social security numbers disclosed | You wouldn’t want someone to hack your HTML source code and find these, would you? |
| Email addresses disclosed | Everyone loves receiving spam emails. You might be helping! |
| Private key disclosed | Define: Private. "belonging to or for the use of one particular person or group of people only." |
| Content type incorrectly stated | That content type doesn’t look quite right, does it? |
| Unencrypted communications | https://letmegooglethat.com/?q=letsencrypt |

We really hope our users enjoy this new update and that it encourages remediation of these important issues. It should hit Burp Suite’s Stable release channel by midday today: April 1st.
