simioni87 / auth_analyzer

Burp Extension for testing authorization issues. Automated request repeating and parameter value extraction on the fly.
MIT License
184 stars 47 forks source link

Issue when parsing cookie #26

Closed matiassequeira closed 2 years ago

matiassequeira commented 2 years ago

Hello!

The following response:

HTTP/2 302 Found
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Set-Cookie
Strict-Transport-Security: max-age=31536000;includeSubDomains;preload
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Set-Cookie: xsrf-token=aa7b0494-9f22-XXX; Path=/new; Secure; SameSite=None
X-Frame-Options: SAMEORIGIN
Location: /REDACTED
Content-Length: 0
Date: Fri, 04 Mar 2022 16:21:17 GMT

Is not being picked up by the tool. Could this be due to the fact that there's a Set-Cookie value before this?

EDIT: My session looks like this: image

simioni87 commented 2 years ago

Hi! I assume this is due to the redirection. The Burp Extender API method makeHttpRequest probably follows the redirection automatically and therfore the final response is processed for extraction. Could be difficult to investiagte on this. Hint: You don't have to define the Cookie Header with the insertion point to replace the extracted Cookie. This will be done with the specified parameter automatically...

matiassequeira commented 2 years ago

Hi, thanks for your response! I'm currently writing a Burp extension and if I correctly recall, makeHttpRequest does not follow redirects. Regarding your hint: so if I understood correctly, the "Headers to replace" field could be empty?

simioni87 commented 2 years ago

You are right, redirects will not be followed. However, I am not able to reproduce the issue. Extracting the cookie on redirects works for me: grafik

Probably you run into some issues because you have additional set the Cookie header in the "Headers to replace" field. Leave this field empty if you specify the Cookie as a parameter.

simioni87 commented 2 years ago

Issue will be closed, see comment above...