A-J-C
commented
10 months ago Hi @Pyvonix thanks for this, it is really useful. We'll get the documentation fixed ASAP and look into the header issue.
Closed Pyvonix closed 5 months ago
A-J-C
commented
10 months ago Hi @Pyvonix thanks for this, it is really useful. We'll get the documentation fixed ASAP and look into the header issue.
Michelle-PortSwigger
commented
10 months ago Hi @Pyvonix
We've been looking into the Header issue and replicated the problem with the Cookie header but not the Authorization header.
The BCheck is removing the Cookie header, but it is then being added back in from Burp's cookie jar due to the Session handling rules (which are applied after the BCheck rules). When testing, if I disabled the default session handling rule, the Cookie header was correctly removed. I've raised this with the team so we can review the behavior.
In my tests, the Authorization header was being removed successfully. Do you have any other session handling rules activated or any other extensions installed that could cause a difference in our test environments?
Pyvonix
commented
10 months ago @Michelle-PortSwigger Yes, you totally right. I have an extension that automatically adds the Authorization header.
So, here is my question: After the BCheck generates the request, is it correct that extensions are applied there?
Could we imagine so kind of parameter (e.g. ignore_extensions) to bypass/skip active extensions to prevent any side effect on requests sent by BCheck?
ignore_extensions [true | false] (default: false)Changes made by both session handling rules and extensions will be applied after the BCheck.
This is an interesting use case so we'll chat through the options here. There are potential scenarios where some extensions may not be modifying the request itself, so you might not want to disable all of them.
Pyvonix
commented
10 months ago I'd be interested to know what you'd decide. It's look like quite challenging topic!
A-J-C
commented
10 months ago @Pyvonix docs have been fixed, thank you for reporting.
Hi team,
First of all, thanks for the great work on BCheck! It's an excellent feature. I really appreciate it, that the reason why I want to contribute by reporting some issues.
Use case: create a BCheck rule that will request admin endpoints without authentication information (headers: cookie & authorization)
removing headerson bcheck-definition-reference:I went to the documentation sub-section of
send request.So at this point, I didn't understand why I had to specify the value of the headers I want deleted. But when I validated my rule it gave me an error on the position of the character
:Then, I looked at the
descriptioncolumn in front of the rowremoving headers:in the table above:So, this explains why I got a validation error of the rule: compared to the documentation's example (showed above). I had to give a list of headers, not a dictionary.
Improve/fix the documentation with:
Now my rule is valid, let's move on the implementation, here is the minimal reproducible example (MRE):
While launching the scan, the requests always contain headers that are supposed to be removed:
CookieorAuthorization. So, the rule therefore matches where it shouldn't.It is a known issue that removing something with a rule (headers there) does not work?