Comments (4)
Hello,
Thanks for getting in touch.
I don't believe UUID should be treated as a secret. In general, I think that UUID should not be used - for example - as a security token, see RFC-4122 - Security Considerations:
Do not assume that UUIDs are hard to guess; they should not be used as security capabilities.
Despite the fact that some implementations might incorporate cryptographic functions to enhance the strength of its randomness.
I think you might want to check out this Burp extension, UUID Detector: https://portswigger.net/bappstore/65f32f209a72480ea5f1a0dac4f38248
from burp-js-miner.
Sorry, my message is certainly not clear.
I also don't think that a UUID should be treated as a secret nor that it should be used as such.
To put more context in my proposal, I was hunting on an application when I discovered valid UUID (user belongings) in a JS file (which the suggested extension does not detect).
Although they are not secrets, UUIDs are often used as a defense mechanism against IDORs and this is unfortunately not enough, especially when we find a way to get one or more valid UUIDs as in this case.
Regards
from burp-js-miner.
Hello again,
Thanks for the clarification.
I understand there might be a need for something to detect those UUIDs. I quickly checked the source code of the Burp extension I mentioned above and I think it can do an even better job than me adding that UUID regex. It sort of analyzes the extracted UUIDs with the version and tries to provide some info. Not sure if this may help, I didn't try it myself.
But I would rather avoid adding a feature that is already implemented in another Burp extension. I don't see any benefit of doing so; it may just produce more false positives from the extension, which is undesirable.
from burp-js-miner.
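To illustrate the kind of version-aware triage discussed in this thread, here is an added example (not code from burp-js-miner or from the UUID Detector extension): it pulls RFC 4122 UUID literals out of a constructed JS fragment and reports what each version leaks, which is what decides whether a found UUID is any use as an IDOR guard. The sample UUIDs and the `scan`/`classify` helper names are assumptions for this example.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

# Constructed JS bundle fragment (not from any real application) with two
# embedded identifiers and one near-miss string the matcher must skip.
SAMPLE_JS = """
const ownerId = "2c5ea4c0-4067-11e9-8bad-9b1deb4d3b7d";   // constructed v1
const orderId = "9F1C2B3A-7D4E-4F5A-8B6C-1D2E3F4A5B6C";   // constructed v4
const label   = "not-a-uuid-1234-5678";
"""

# RFC 4122 layout: version nibble in the third group, variant nibble (8-b)
# leading the fourth group.
UUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\b",
    re.IGNORECASE,
)

# v1 timestamps count 100 ns ticks since the Gregorian reform date.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def extract_uuids(text):
    """Return every RFC 4122 UUID literal found in a JS/text blob."""
    return [uuid.UUID(m) for m in UUID_RE.findall(text)]


def classify(u):
    """Describe what a leaked UUID reveals, by version."""
    info = {"uuid": str(u), "version": u.version}
    if u.version == 1:
        # Time-based: generation time and generator node are recoverable,
        # so neighbouring IDs are predictable; weakest as an IDOR defence.
        info["timestamp"] = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
        info["node"] = f"{u.node:012x}"
        info["guessable"] = "high"
    elif u.version == 4:
        # Random: 122 bits of entropy, if the generator's RNG is sound.
        info["guessable"] = "low"
    else:
        # v2 (DCE) and v3/v5 (name hashes): guessable when their input is.
        info["guessable"] = "depends on the input"
    return info


def scan(text):
    return [classify(u) for u in extract_uuids(text)]


if __name__ == "__main__":
    for entry in scan(SAMPLE_JS):
        print(entry)
```

Running it shows the v1 identifier's embedded creation time (March 2019 for the constructed value) and node, while the v4 identifier yields nothing beyond its version.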
Okay,
I understand, thanks for the answer :)
Regards
from burp-js-miner.