Mishandling of multiple set-cookie HTTP response headers

[sergemister]

If a web server returns several set-cookie headers, for example with the JSP:

<%@ page import="javax.servlet.http.Cookie" %>
<%
for (int i=0;i<3;i++) {
    response.addCookie(new Cookie("cookie"+i,"value"+i));
}
%>
Cookies sent

then if the Reshaper is configured to add an unrelated HTTP response header, the modified response contains multiple instances of the same set-cookie header, rather than the original set-cookie header values. For example,

Set-Cookie: cookie0=value0
Set-Cookie: cookie1=value1
Set-Cookie: cookie2=value2

becomes:

Set-Cookie: cookie2=value2
Set-Cookie: cookie2=value2
Set-Cookie: cookie2=value2

In detail, Reshaper was configured as follows:

• In the Whens, Event Direction was set to Response and Matches Text was set to the URL of the server returning multiple cookies.
• In the Thens, Set Value was configured with Response Header, adding the header Reshaper with value WasHere.

I believe the problem is in HttpHeaders.getHeaders():

cookies = new HttpCookies(headerParts[1].trim());
headers.add(new CaseInsensitiveString(headerParts[0]), new Mapped<>(() -> this.cookies.getValue()));

These lines are in a loop and the cookies member variable is overwritten each time through the loop.

This was tested in Reshaper version 2.3.1.

[ddwightx]

@sergemister Thanks for the excellent report and diagnosis. Reshaper is definitely handling the Set-Cookie header incorrectly. I will look into how to fix that.

Note, if this is a blocking issue for you and you need an immediate workaround, you can use Set Value with Response Headers to append or replace (using regex) headers.

[ddwightx]

To be fixed with https://github.com/synfron/ReshaperForBurp/issues/56

[sergemister]

Thanks for addressing this. I tested my scenario in the 2.3.2 version and it is working now.