Submission #545457: shuanx BurpAPIFinder v2.0.2 Denial of Service Info

Title: shuanx BurpAPIFinder v2.0.2 Denial of Service
Description:

Summary
BurpApiFinder v2.0.2 is a BurpSuite plugin designed to discover APIs during security testing. The plugin stores API-related data in a SQLite database file named BurpApiFinder.db. Over time, this file accumulates data without any automatic cleanup mechanism. As a result, the file size can grow from a few kilobytes to several gigabytes, leading to a Denial of Service (DoS) condition. When BurpSuite attempts to load the BurpApiFinder.db file during startup or plugin initialization, the excessive file size causes significant delays, making the application unresponsive or extremely slow. This behavior effectively renders the tool unusable until the file is manually cleaned or removed.

Root Cause
The root cause of this vulnerability is the lack of a data retention policy or automatic cleanup mechanism in BurpApiFinder. The plugin continuously appends data to the BurpApiFinder.db file without purging old or unnecessary records. Over time, this leads to an excessively large file that impacts BurpSuite's performance.

Proof of Concept (PoC)
Setup:
1. Install BurpApiFinder v2.0.2 in BurpSuite.
2. Use the plugin to scan multiple applications over an extended period (e.g., several months).
Observation:
- The BurpApiFinder.db file grows significantly in size (e.g., from a few KB to several GB).
- BurpSuite becomes slow or unresponsive during startup or when interacting with the plugin.
Reproduction Steps:
1. Launch BurpSuite with BurpApiFinder installed.
2. Observe the delay in loading the plugin or the entire application.
3. Check the size of the BurpApiFinder.db file (located in the plugin's directory).

Impact
Performance Degradation: BurpSuite becomes slow or unresponsive, hindering security testing activities.
Operational Disruption: Users may need to manually clean or delete the BurpApiFinder.db file to restore normal functionality.
Data Loss Risk: Manual cleanup may result in the loss of valuable API discovery data.
Source: https://github.com/shuanx/BurpAPIFinder/issues/18
User: Web Hacker Team (UID 83456)
Submitted: 2025-03-28 13:38 (1 year ago)
Moderation: 2025-04-12 13:55 (15 days later)
Status: Accepted
VulDB entry: 304573 [shuanx BurpAPIFinder up to 2.0.2 BurpApiFinder.db Denial of Service]
Points: 20
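The root cause above is the missing retention policy for the SQLite store. The following is an added example, not code from the submission or from the BurpAPIFinder project, showing what such a policy looks like on a SQLite file like BurpApiFinder.db: a size check a plugin could run at startup, a cutoff-based purge, and the detail a practitioner needs to know, that DELETE alone leaves the file the same size until VACUUM rewrites it. The table name api_records, its columns and the sample rows are assumptions, since the report does not document the plugin's schema.

```python
import os
import sqlite3
import tempfile

# Hypothetical schema: the report does not document BurpAPIFinder's real table
# layout, so this constructed table stands in for the plugin's API records.
SCHEMA = """CREATE TABLE IF NOT EXISTS api_records (
    id INTEGER PRIMARY KEY, url TEXT NOT NULL, payload TEXT NOT NULL,
    created_at INTEGER NOT NULL)"""  # created_at: Unix epoch seconds
DAY = 86400


def build_sample_db(path, old_rows, new_rows, now):
    """Constructed data: old_rows records dated 400 days back, new_rows dated now."""
    filler = "x" * 4096  # bulk each row so file growth is measurable
    rows = [("https://example.test/api/%d" % i, filler, now - 400 * DAY) for i in range(old_rows)]
    rows += [("https://example.test/api/new/%d" % i, filler, now) for i in range(new_rows)]
    con = sqlite3.connect(path)
    con.execute(SCHEMA)
    con.executemany("INSERT INTO api_records(url, payload, created_at) VALUES (?, ?, ?)", rows)
    con.commit()
    con.close()


def file_exceeds(path, max_bytes):
    """Startup health check: flag a store that has grown past an agreed ceiling."""
    return os.path.getsize(path) > max_bytes


def purge_old_records(path, retention_days, now):
    """Retention policy: delete rows older than the cutoff, then VACUUM so freed pages
    return to the filesystem. Returns (deleted, kept, size_before, after_delete, after_vacuum)."""
    cutoff = now - retention_days * DAY
    size_before = os.path.getsize(path)
    con = sqlite3.connect(path)
    deleted = con.execute("DELETE FROM api_records WHERE created_at < ?", (cutoff,)).rowcount
    con.commit()
    after_delete = os.path.getsize(path)  # unchanged: pages only moved to the freelist
    con.execute("VACUUM")  # no transaction may be open; rewrites the file compactly
    kept = con.execute("SELECT COUNT(*) FROM api_records").fetchone()[0]
    con.close()
    return deleted, kept, size_before, after_delete, os.path.getsize(path)


def run_demo(retention_days=90):
    """End to end on a throwaway copy: 500 stale + 50 fresh rows, then purge."""
    path = os.path.join(tempfile.mkdtemp(), "BurpApiFinder.db")
    now = 1_700_000_000
    build_sample_db(path, 500, 50, now)
    return file_exceeds(path, 1_000_000), purge_old_records(path, retention_days, now)
```

Without the VACUUM step the purge would keep the file at its bloated size, so a cleanup routine that only deletes rows would not resolve the slow startup the report describes.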
