
False positives in scan checks #11

@Hannah-PortSwigger

Description


Hi there!

We've had a user of your extension email in regarding some false positives detected by your extension.

They provided the following details:

The Advisory tab (on screenshot) states:

[screenshot of the Advisory tab]

Then in the Request tab of the same finding/issue I can clearly see that the code_challenge parameter does exist, making the "OpenID Authorisation Code Flow without PKCE Protection Detected" invalid:

[screenshot of the Request tab]

They also had some queries regarding how you determine the confidence level of the issue raised, and if this could further be improved.

Are you able to look into these matters in some more detail?

If you have any improvements to your extension that you would like to be published on the BApp Store, then please raise a pull request against the PortSwigger fork of your extension and drop us an email at bapps@portswigger.net - we'd love to keep your BApp up-to-date 😄
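As an added illustration of the check the report above is about (this is example code, not the extension's own implementation and not part of the issue), the function below parses an OAuth 2.0 / OpenID Connect authorization request URL and decides whether the "authorization code flow without PKCE" finding applies. The parameter names (response_type, code_challenge, code_challenge_method, request, request_uri) come from RFC 6749, RFC 7636 and RFC 9101; the sample URLs are constructed, not taken from the reporter's screenshots; the verdict dictionary, the helper names and the use of the confidence labels "certain" and "tentative" (borrowed from Burp's Certain/Firm/Tentative scale) are this example's own conventions.

```python
"""Added example: PKCE presence check over authorization request URLs.

Not the extension's code. Parameter names follow RFC 6749 / RFC 7636 /
RFC 9101; verdict format and confidence labels are this example's own.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (not the issue's screenshots).
SAMPLE_REQUESTS = [
    # 0: code flow with S256 PKCE -> must NOT be flagged (the false positive
    #    in the issue is a request like this one).
    "https://idp.example/authorize?response_type=code&client_id=abc"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb&scope=openid&state=xyz"
    "&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
    "&code_challenge_method=S256",
    # 1: PKCE present but no method; RFC 7636 says that defaults to "plain".
    "https://idp.example/authorize?response_type=code&client_id=abc"
    "&scope=openid&code_challenge=abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOP",
    # 2: code flow with no code_challenge at all -> the genuine finding.
    "https://idp.example/authorize?response_type=code&client_id=abc"
    "&scope=openid&state=xyz",
    # 3: implicit flow; PKCE does not apply, so the check must not fire.
    "https://idp.example/authorize?response_type=id_token%20token"
    "&client_id=abc&scope=openid&nonce=n",
    # 4: parameters pushed via request_uri (PAR / request object); the real
    #    parameters are not visible in the query string.
    "https://idp.example/authorize?client_id=abc"
    "&request_uri=urn%3Aietf%3Aparams%3Aoauth%3Arequest_uri%3Aexample",
]


def pkce_verdict(url: str) -> dict:
    """Classify one authorization request URL.

    Returns {"flag": bool, "confidence": str|None, "pkce_method": str|None,
             "reason": str}.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def first(key):
        # parse_qs returns lists; take the first value or None.
        return params.get(key, [None])[0]

    challenge = first("code_challenge")
    if challenge:
        # PKCE is present: never flag, whatever response_type says.
        # A missing method means "plain" per RFC 7636 section 4.3.
        method = first("code_challenge_method") or "plain"
        return {"flag": False, "confidence": None, "pkce_method": method,
                "reason": f"PKCE present (method={method})"}

    response_type = first("response_type")
    # "code" may appear alone or inside a hybrid value such as "code id_token".
    is_code_flow = response_type is not None and "code" in response_type.split()
    has_request_object = first("request") is not None or first("request_uri") is not None

    if has_request_object and (response_type is None or is_code_flow):
        # The parameters may live inside a JWT request object or a pushed
        # request we cannot see here, so report only with low confidence.
        return {"flag": True, "confidence": "tentative", "pkce_method": None,
                "reason": "no code_challenge in query string; request object present"}

    if not is_code_flow:
        return {"flag": False, "confidence": None, "pkce_method": None,
                "reason": "not an authorization code request"}

    # A visible code request that provably carries no code_challenge.
    return {"flag": True, "confidence": "certain", "pkce_method": None,
            "reason": "authorization code request without code_challenge"}


def scan(urls):
    """Return (url, verdict) pairs for the requests that should be reported."""
    return [(u, v) for u in urls if (v := pkce_verdict(u))["flag"]]


if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_REQUESTS):
        print(verdict["confidence"], verdict["reason"], url, sep="\t")
```

Running the module reports only samples 2 and 4; sample 0, the shape of the request in the reporter's screenshot, is not flagged because the decision is made on the parsed query parameters rather than on response_type alone, and sample 4 is reported with lowered confidence because the check cannot see inside the pushed request.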
