Client-Site Path Traversal Exploitation

This extension provides advanced capabilities and automation for finding and exploiting Client-Side Path Traversal.

This extension is a Burp Suite Passive Scanner. It reads your proxy history and looks for query parameters reflected inside the path of any other query. Please note that it will not find any DOM-based or stored CSPT until you use the canary token feature.

Usage

1. Browse your target application
2. Go to the CSPT tab
3. Verify that the source and sink scopes are correct
4. Check the sink HTTP methods you want to search
5. Click on Scan

Understanding scan results

• The reflected values are on the left. Click one to see the associated sources and the potential sinks.
• To confirm it is not a false positive, you can right-click on a source and use the "Copy URL With Canary" feature. Then copy this URL inside your browser. If this URL triggers a request with the canary token inside the path, it means that a CSPT is present and an issue will be created.
• Instead of testing all the sources one-by-one, you can use the "Export Sources With Canary". It will copy all potential sources with canaries. Then you just need to open all the links with your browser (some browser extensions are able to do that).
• You can also modify or regenerate a new canary token.
• In case some results are false positives, you can discard them. They will not be displayed in the next scan.

Finding sinks

If you have identified a CSPT, you will want to find exploitable sinks. The extension can help you to do it by right-clicking on a sink to "Send sinks(host/method) To Organizer".

False postitives list

• To discard false positives, you just need to right-click on a source and set either the Parameter or URL as a false positive.
• The "False Positive List" summarizes all defined rules and can be modified.