shuanx BurpAPIFinder Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in shuanx BurpAPIFinder versions through 2.0.2. The issue arises from the plugin's management of the BurpApiFinder.db file, which accumulates data over time without an automatic cleanup process. This can cause the file size to increase dramatically, leading to performance degradation in BurpSuite. When the application loads the large database file during startup or plugin initialization, it can become unresponsive or extremely slow, disrupting normal usage until the file is manually cleared or removed.

Impact

Exploitation of this vulnerability causes BurpSuite to become slow or unresponsive, particularly during startup or when interacting with the affected plugin. This performance degradation hinders security testing activities and may require users to manually delete or clean the BurpApiFinder.db file, risking the loss of valuable API discovery data.

Reproduction

To reproduce this vulnerability, install BurpAPIFinder version 2.0.2 in BurpSuite. Use the plugin to scan multiple applications over an extended period, such as several months. The BurpApiFinder.db file will grow significantly in size, from a few kilobytes to several gigabytes. During this time, BurpSuite will become slow or unresponsive, especially when loading the plugin or the entire application. The size of the BurpApiFinder.db file can be checked in the plugin's directory.