PortSwigger / param-miner

https://portswigger.net/blog/practical-web-cache-poisoning

Origin header manipulation can't be stopped? #48

Open irsdl opened 3 years ago

irsdl commented 3 years ago

What setting should be used to stop Param Miner messing with the Origin header when guessing GET or POST parameters? I have used the following settings, but it still changes the Origin header, which breaks my test (the API does not work without the right Origin header):

albinowax commented 3 years ago

I can't replicate this, maybe the cache-buster is coming from elsewhere?

alonek1 commented 2 years ago

I have the same problem. It seems Origin is set by Param Miner; when I stop Param Miner the request is sent without problems (the server checks the origin against CORS).

albinowax commented 2 years ago

Which version of Param Miner are you using? Can you show me an example request in the Logger?

nevkel commented 1 year ago

Hi. I am also experiencing the behavior described above when using Param Miner with Burp Pro v2023.5.4. I have all other extensions disabled; only Param Miner is enabled (using albinowaxUtils v1.03; loaded Param Miner v1.4f). I am attempting to guess GET query params. Each guess request has an Origin request header added by Param Miner with a random domain value, different for each request/guess attempt (e.g. Origin: https://nx60mb85.com). However, because the target implements CORS, it just returns a 403 Forbidden with 'Invalid CORS request' as the body for each response. Is there a way to stop the injection of Origin request headers by Param Miner?

albinowax commented 1 year ago

Thanks for the report @nevkel . Can you provide a screenshot of your param miner settings?

nevkel commented 1 year ago

Hi James,

I've attached a screenshot of my Param Miner settings. Almost all is default, just threads and canary changed.

As a workaround, I simply fired up another instance of Burp Pro as an upstream proxy and used the Proxy match & replace with a regex to swap out the random domain names injected in the Origin: request header for a legit domain name. Then I found 10 previously unknown query string params ;-)

Sweet as!

Have a nice day!

neville
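The failure and the upstream match & replace workaround described in this thread, modelled as an added example (not code from the thread or from Param Miner): a constructed guess request carrying the randomised Origin value quoted above, a minimal model of the target's CORS check, and a regex rewrite that swaps the random domain for an allowed origin. The random-domain pattern and the allowed origin `https://app.example.com` are assumptions.

```python
import re

# Constructed sample: a Param Miner guess request with a randomised Origin
# (the value quoted in the thread), as it would reach an upstream proxy.
GUESS_REQUEST = (
    "GET /api/items?debug=1 HTTP/1.1\r\n"
    "Host: api.example.com\r\n"
    "Origin: https://nx60mb85.com\r\n"
    "Accept: application/json\r\n"
    "\r\n"
)

# Assumption: the only origin the target's CORS policy accepts.
ALLOWED_ORIGINS = {"https://app.example.com"}

# Assumed shape of the randomised cache-buster domains: one lowercase
# alphanumeric label under .com, on its own header line (CRLF-terminated).
RANDOM_ORIGIN_RE = re.compile(
    r"^Origin: https?://[a-z0-9]{6,12}\.com(?=\r?\n)", re.M | re.I
)


def rewrite_origin(raw_request: str, legit_origin: str) -> str:
    """Proxy-side match & replace: swap a randomised Origin for an allowed one."""
    return RANDOM_ORIGIN_RE.sub(f"Origin: {legit_origin}", raw_request, count=1)


def cors_check(raw_request: str) -> tuple[int, str]:
    """Minimal model of the target: 403 'Invalid CORS request' unless Origin is allowed."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    origin = headers.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, "Invalid CORS request"
    return 200, "ok"


if __name__ == "__main__":
    print("raw guess  :", cors_check(GUESS_REQUEST))
    fixed = rewrite_origin(GUESS_REQUEST, "https://app.example.com")
    print("rewritten  :", cors_check(fixed))
```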

albinowax commented 1 year ago

Thanks, I'll take a look when I do my next push on Param Miner