dnet / burp-oauth

OAuth plugin for Burp Suite Extender
https://techblog.vsza.hu/posts/Testing_OAuth_APIs_with_Burp_Suite.html
MIT License

Additional invalid request #1

Open irsdl opened 8 years ago

irsdl commented 8 years ago

This extension sends an invalid additional request for each valid request. This can be monitored using Logger++ or other extensions in front of Burp. Problems in the additional request are as follows:

irsdl commented 8 years ago

This especially happens when using Proxy.

dnet commented 8 years ago

I haven't really used this with proxy, maybe that's the reason why I haven't seen this yet. :)

dnet commented 8 years ago

Could you send an example? Right-click the original request in the Proxy > HTTP History tab, select Save item and make sure to have [x] Base64-encode requests and responses checked on the bottom of the file picker dialog before saving it. You can either include the contents of the file here, or send me a mail with this attached.

irsdl commented 8 years ago

It really just sends it in the middle of requests in proxy when they have "Authorization" header. My website uses Basic Authentication for areas that are not accessible using OAuth.

dnet commented 8 years ago

So what should be the desirable behavior?

You see, the library I used (Signpost) is for signing requests that have no authorization header at all (see the first item in the above list), hence the weird behavior when these are already present. The original scope of the plugin was enabling requests for Repeater, Intruder and Scanner. I'm not saying we shouldn't implement what you wrote, but this functionality should be extended, and the first step would be specifying behavior in the scenarios detailed in the above list.
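The two conditions raised in this thread (Proxy traffic was never in scope, and Signpost expects no existing Authorization header) can be expressed as a gate in front of the signing step. The listener below is an added example written against Burp's legacy Extender API (the `burp.*` interfaces); it is not the plugin's own code, and the class name `SigningGate` is hypothetical. Instead of signing, it reports why a request was left alone, which is what a tester watching Logger++ would want to see.

```java
package burp;

import java.util.List;
import java.util.Locale;

// Hypothetical example: decides which requests are eligible for OAuth signing
// and logs the ones that are skipped. Not part of the burp-oauth plugin.
public class SigningGate implements IBurpExtender, IHttpListener {
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    // Tools the plugin was originally scoped to; TOOL_PROXY is deliberately absent.
    static final int SIGNED_TOOLS =
        IBurpExtenderCallbacks.TOOL_REPEATER
        | IBurpExtenderCallbacks.TOOL_INTRUDER
        | IBurpExtenderCallbacks.TOOL_SCANNER;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks cb) {
        callbacks = cb;
        helpers = cb.getHelpers();
        cb.setExtensionName("OAuth signing gate (example)");
        cb.registerHttpListener(this);
    }

    /** Returns null if the request may be signed, otherwise the reason to skip it. */
    static String skipReason(int toolFlag, List<String> headers) {
        if ((toolFlag & SIGNED_TOOLS) == 0) {
            return "tool not in scope (e.g. Proxy)";
        }
        // headers[0] is the request line; a real header never starts with this prefix.
        for (String h : headers) {
            if (h.toLowerCase(Locale.ROOT).startsWith("authorization:")) {
                // Signpost signs requests without any Authorization header,
                // so a Basic-auth request is not ours to touch.
                return "Authorization header already present";
            }
        }
        return null;
    }

    @Override
    public void processHttpMessage(int toolFlag, boolean isRequest,
                                   IHttpRequestResponse message) {
        if (!isRequest) {
            return;
        }
        IRequestInfo info = helpers.analyzeRequest(message);
        String reason = skipReason(toolFlag, info.getHeaders());
        if (reason != null) {
            callbacks.printOutput("not signing " + info.getUrl() + ": " + reason);
        }
        // Otherwise the request is a candidate for the Signpost signing step.
    }
}
```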