simioni87 / auth_analyzer

Burp Extension for testing authorization issues. Automated request repeating and parameter value extraction on the fly.
MIT License
184 stars 47 forks

HTTP/2 requests not supported #15

Closed Cotsios26 closed 3 years ago

Cotsios26 commented 3 years ago

Hello,

Hope you are well and thanks for your awesome plugin.

While testing with it recently, I have noticed that although the first request is made using the HTTP/2 protocol and it's successful, the repeated tampered request with the different JWT auth session fails with the following return message:

HTTP/1.1 505 HTTP Version Not Supported

Seems like the extension sends the request using only HTTP/1.1?

Could you please have a look? Hope it's an easy fix.

Thanks! :)

simioni87 commented 3 years ago

Hi,

Thanks for the ticket. I assume that the used API method makeHttpRequest() does not support HTTP/2.0. I will do some further investigation if I have some time and report the bug to Portswigger if I am right.

simioni87 commented 3 years ago

It seems as if I am right and this issue is already reported:

https://forum.portswigger.net/thread/http2-failure-in-extensions-callbacks-makehttprequest-69a3770f

Cotsios26 commented 3 years ago

Hello there,

Thanks for the prompt response, appreciate it! :) Yes, it does look to be the issue, seems quite fresh as well. Will have to wait a bit, I guess :)

Have a great one.

Best Regards!