Open slicingmelon opened 5 months ago
Hi
Could you provide some more information on why you would like to send requests to different hosts at the point of the scan check?
Once you get to this point in the Scanner, the scope of the item you are scanning is quite narrow. Generally speaking, you shouldn't be making requests to different targets at this point.
Hello,
One scenario would be in a microservices-based environment, you might need to send a request to a different host to fetch a token, and then use it in a subsequent request. Another example, I would like to communicate with a different host/API, to confirm the validity of a potential secret leaked in the response.
Hi
Thanks for that information.
Your BCheck should not be handling authentication. Instead, this should be done on a wider level. For example, by providing application logins as part of your scan configuration or using session handling rules.
Confirming the validity of a secret may be better suited to manual confirmation or performed separately from a scan. If you prefer, you could write an extension for this functionality instead. If you'd like to find out more about writing extensions, you can check out our documentation here.
What is the problem you are trying to solve?
Add support to send requests to different target URLs. This could be done by adding support to set the target host on the request that is going to be sent.
How are you currently being hindered by this problem?
So given the following bchecks code:
So even though I am setting the Host header, the request is still being sent to the original hostname, having my custom Host header being set. It would be great if we could send requests to different hosts, to be able to develop more complex bchecks templates. Thank you!