Open irsdl opened 8 years ago
This especially happens when using Proxy.
I haven't really used this with proxy, maybe that's the reason why I haven't seen this yet. :)
Could you send an example? Right-click the original request in the Proxy > HTTP History tab, select Save item and make sure to have [x] Base64-encode requests and responses checked at the bottom of the file picker dialog before saving it. You can either include the contents of the file here, or send me a mail with this attached.
It really just sends it in the middle of requests in Proxy when they have an "Authorization" header. My website uses Basic Authentication for areas that are not accessible using OAuth.
So what should be the desirable behavior?
You see, the library I used (Signpost) is for signing requests that have no authorization header at all (see the first item in the above list), hence the weird behavior in case these are already present. The original scope of the plugin was enabling requests for Repeater, Intruder and Scanner. I'm not saying we shouldn't implement what you wrote, but this functionality should be extended, and the first step would be specifying behavior in the scenarios detailed in the above list.
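As an added illustration of the scenario discussed above (example code, not the extension's or Signpost's own): a minimal OAuth 1.0a HMAC-SHA1 signer that leaves a request alone when it already carries an Authorization header, so an existing Basic credential is neither overwritten nor joined by a second header. The request, parameters and secrets are the worked example from RFC 5849 section 3.4.1.1; the "skip if already authorized" policy is an assumption about the desired behavior, not something the project has specified.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed test vector: the request from RFC 5849 section 3.4.1.1
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"  # application/x-www-form-urlencoded body
RFC_OAUTH = {
    "oauth_consumer_key": "9djdj82h48djs9d2",
    "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}

def pct(s):
    """RFC 3986 percent-encoding as OAuth 1.0 requires (only unreserved chars kept)."""
    return quote(str(s), safe="")

def base_string(method, url, body, oauth_params):
    """Build the signature base string (RFC 5849 section 3.4.1): method, base URL,
    and all query/body/oauth parameters encoded, sorted and joined."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    pairs = list(parse_qsl(parts.query, keep_blank_values=True))
    pairs += parse_qsl(body, keep_blank_values=True)
    pairs += list(oauth_params.items())
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def oauth_header(method, url, body, oauth_params, client_secret, token_secret):
    """Sign the base string with HMAC-SHA1 and render the Authorization header value."""
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    text = base_string(method, url, body, oauth_params).encode()
    digest = hmac.new(key, text, hashlib.sha1).digest()
    params = dict(oauth_params, oauth_signature=base64.b64encode(digest).decode())
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))

def sign_request(method, url, headers, body, oauth_params, client_secret, token_secret):
    """Add an OAuth header only if the request has no Authorization header yet.
    A request that already has one (e.g. Basic, as in the issue) is returned
    unchanged together with a status string saying why it was skipped."""
    existing = next((k for k in headers if k.lower() == "authorization"), None)
    if existing is not None:
        scheme = headers[existing].split(" ", 1)[0]
        return dict(headers), f"skipped: already has {scheme} credentials"
    signed = dict(headers)
    signed["Authorization"] = oauth_header(method, url, body, oauth_params, client_secret, token_secret)
    return signed, "signed"
```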
This extension sends an invalid additional request for each valid request. This can be monitored using Logger++ or other extensions in front of Burp. Problems in the additional request are as follows: