lorenzog / burpaddcustomheader Goto Github PK

Custom header are added to only those request which is send for spider. so i am only able to view modified requests in target tab.

Is it intentional behavior or what?

Hi,

thanks for the extension.

The configuration seems pretty straight forward but maybe I missed something.

When I just do a automated scan with burp, I see using logger++ requests with the Authentication: bearer token I supplied but also requests with an old token I used while inspecting the application manually.

So my request / question is: is that possible to replace any Authentication bearer token by the one supplied by the user?

Cheers, Dirk

PS: yes, in 'tools scope' all relevant check boxes are selected

Currently, the extension only parses the response body. So here's a small patch fixing this behavior (it now parses the whole response, including headers):

diff -ru add-custom-header.orig/burp/BurpExtender.java add-custom-header.new/burp/BurpExtender.java
--- add-custom-header.orig/burp/BurpExtender.java	2019-10-02 10:49:58.240958086 +0200
+++ add-custom-header.new/burp/BurpExtender.java	2019-10-02 10:59:07.190833752 +0200
@@ -93,8 +93,7 @@
                 if (_responseBody == null) return;
                 IResponseInfo macroResponse = helpers.analyzeResponse(_responseBody);
                 if (macroResponse == null ) return;
-                int bodyOffset = macroResponse.getBodyOffset();
-                String responseBody = helpers.bytesToString(_responseBody).substring(bodyOffset);
+                String responseBody = helpers.bytesToString(_responseBody);
                 Matcher m = p.matcher(responseBody);
                 if (m.find()) {
                     token = m.group(1);

Could this extension be used under the Enterprise version? If not, could I ask that this extension be adjusted to use under Enterprise. We can create long life JWTs for this testing or possibly use a different method to get a JWT that could be picked up by this extension for testing.

An idea could be to insert more than one custom header.
Perhaps, a tabbed interface where representing a linked list (so the callback would instead go to the next instance).

TBD

Your extension looks like exactly what I need, unfortunately I can't seem to get the regex match to work, even with the simple Flask app and a match of (.*). I'm working through your source now, but wanted to open an issue in case it was something simple.

Hi, I'm a big fan of this extension, but the current situation is messy, as the BAppStore version misses some interesting patches (extract from headers+body, avoid decoding errors for binary data), as shown in these 2 PR.

However, to be accepted, pull requests MUST come from the original repository AND original author. This isn't the case, and that's why the BAppStore version is lagging behind.

Could you please:

• integrate the binary decoding patch
• integrate these mostly cosmetic changes
• open a PR against the portswigger version, including the changes above + the recently added 'extract from headers+body' fix

Thanks in advance!

Hi,
I have configured the extension once. Added it to my session and it worked flawlessly.
However after logging out of the application and getting a new bearer token on login. I am unable to update the automatically set header no matter what I do. What I've tried so far:

• Restart Burp (and after every step)
• Edited the values in the extension tab
• Deleted the session handling rule
• Disabled the extension

Nothing seems to resolve the issue. Even disabled and removed the header is getting added.
I am using Burp Suite Pro version 1.7.37.

Edit;
The more I think about it, it might be a session handling issue as the scope is also completely ignored. It should add the header to all requests in one subdirectory and specifically exclude it from another.

Hello,
It would be great if there was a possibility to replace the token after the JWT is expired. When scanning using this extension, the amount of requests is doubled. A possibility to check the validity of the token would be great before invoking the macro.

I know it is more a Burp issue than a extension thing as burp is executing the macro but it may be possible to implement this.

extension puts 2 space between : and header value. This breaks some functionality. Could you configure to put 1 space after : as it supposed to be?

exampleheader: value >>now
exampleheader: value >>what is supposed to be.
Thanks

Hi Lorenzo,

We've tried to use the Add Custom Header plugin to solve an issue on our side where we needed a 'Authorization: Bearer xyz' header that would be automatically update on every request.

Unfortunately we didn't get it working correctly, probably our fault due to not using it correctly. We've tried to find a manual for that reason, but didn't find it. Would you be so kind to let us know what we are doing incorrectly, so this could serve as a manual for all the other users that might face the same issue?

Our configuration
In Burp Suite Pro > Project options > Sessions > Macro's we've add a macro called 'get bearer', with under configurable items one added item called (parameter name): 'accesstoken' where we selected the token we need.

To test this macro actually worked we created a Burp Suite Pro > Project options > Sessions > Session Handling rule that just runs the macro and udpates the current request. Scope set to /test/ on the same site for every repeater request.

Going into repeater, and requesting /test/?accesstoken=test will actually show the word test being replaced with the accesstoken, confirming the macro works.

Adding the plugin
Now, we installed Add Custom header, set the header name to 'Authorization' prefix to 'Bearer' and selected a hard-coded value 'test'.

Again, created a Burp Suite Pro > Project options > Sessions > Session Handling rule with invoked the 'add custom header' macro (probably a typo in the readme that tells us to 'add bearer token' should be selected here?) and set the scope similar to above.

Going into repeater, and requesting /test/?accesstoken=test will actually show the word test being replaced with the accesstoken, confirming the macro works. And we see the header added, so the plug-in should now also be working.

Now the part we can't get working
We've tried to set the Add Custom Header to a regular expression header value, and set it to accesstoken":"(.*?)".
Now, we would have expected when running the repeater again to see the header to be added with the acccesstoken value, but instead we don't see any header being added anymore.

I tried building the extension myself and after it not working installing it from the BAppStore, but again it does not work, the header is not being added to the requests. I use All URLs as scope.
The Session Tracer is not catching any activity.

Hello,

just to let you know that Portswigger's fork has some commits from September 2018 you may want to backport: https://github.com/PortSwigger/add-custom-header/commits/master

And many thanks for this extension, it's really useful :-D