Open irsdl opened 3 years ago
I can't replicate this, maybe the cache-buster is coming from elsewhere?
I have the same problem. It seems Origin is set by Param Miner; when I stop Param Miner the request is sent without problems (the server checks the Origin against CORS).
Which version of Param Miner are you using? Can you show me an example request in the Logger?
Hi. I am also experiencing the behavior described above when using Param Miner with Burp Pro v2023.5.4. I have all other extensions disabled; only Param Miner is enabled (using albinowaxUtils v1.03; loaded Param Miner v1.4f). I am attempting to guess GET query params. Each guess request has an Origin request header added by Param Miner with a random domain value, different for each request/guess attempt (e.g. Origin: https://nx60mb85.com). However, because the target implements CORS it just returns a 403 Forbidden with 'Invalid CORS request' as the body for each response. Is there a way to stop the injection of Origin request headers by Param Miner?
Thanks for the report @nevkel. Can you provide a screenshot of your Param Miner settings?
Hi James,
I've attached a screenshot of my Param Miner settings. Almost all is default, just threads and canary changed.
As a workaround, I simply fired up another instance of Burp Pro as an upstream proxy and used the Proxy match & replace with a regex to swap out the random domain names injected in the Origin request header for a legit domain name. Then I found 10 previously unknown query string params ;-)
Sweet as!
Have a nice day!
neville
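The upstream-proxy match & replace workaround from the comment above, as an added Python example that is not part of the thread or of Param Miner: a regex rewrite of the Origin header, next to a toy allow-list check standing in for the target's CORS behaviour. The allow-list, the regex and the sample guess request are constructed assumptions.

```python
import re

# Constructed allow-list standing in for the target's CORS policy (assumption).
ALLOWED_ORIGINS = {"https://app.example.com"}

# Matches an Origin header line in a raw HTTP request; group 1 is the header
# name and whitespace, group 2 the value. \S+ stops before the trailing \r\n.
ORIGIN_RE = re.compile(r"^(Origin:[ \t]*)(\S+)", re.IGNORECASE | re.MULTILINE)


def get_origin(raw_request):
    """Return the Origin header value, or None when the request has none."""
    m = ORIGIN_RE.search(raw_request)
    return m.group(2) if m else None


def rewrite_origin(raw_request, legit_origin):
    """Swap whatever Origin value the request carries for legit_origin.

    This mirrors the Proxy match & replace rule from the workaround; the
    regex is an assumption, not the rule the commenter used. Requests
    without an Origin header are returned unchanged.
    """
    return ORIGIN_RE.sub(lambda m: m.group(1) + legit_origin, raw_request)


def cors_check(raw_request):
    """Toy model of the server side: 403 unless Origin is allow-listed."""
    origin = get_origin(raw_request)
    if origin is None or origin not in ALLOWED_ORIGINS:
        return 403, "Invalid CORS request"
    return 200, "OK"


# Constructed guess request in the shape described in the thread: a GET with
# a candidate parameter and a random Origin domain added by the tool.
GUESS_REQUEST = (
    "GET /api/items?debug=1 HTTP/1.1\r\n"
    "Host: app.example.com\r\n"
    "Origin: https://nx60mb85.com\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(cors_check(GUESS_REQUEST))  # random Origin is rejected
    fixed = rewrite_origin(GUESS_REQUEST, "https://app.example.com")
    print(cors_check(fixed))  # rewritten Origin passes the allow-list
```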
Thanks, I'll take a look when I do my next push on Param Miner
What setting should be used to stop param miner messing with the Origin header when guessing GET or POST parameters? I have used the following settings but it still changes the Origin header which breaks my test (API does not work without the right Origin header):