The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

302 Found and 302 Moved Temporarily

Chim | Last updated: Oct 16, 2023 04:26PM UTC

When I tried to run a payload, I mostly received status code 302 Found or 302 Moved Temporarily, which stops the target website from rendering correctly and displays a blank page with a 302 Found message. This issue is hit and miss. I would like to have a consistent return code of 200 OK to display the Response page correctly. How do I run a payload so that it runs consistently with status code 200 OK? I even tried to put a delay in between payloads, but it doesn't work. However, when I shut down Burp Suite, the target website works as expected.

Michelle, PortSwigger Agent | Last updated: Oct 17, 2023 10:18AM UTC

This may be just how the site responds to the payload you are sending. If you proxy via Burp to the same parts of the site as you do when you're browsing normally, do the pages display as you expect? When you send a payload, do you always get the same response for the same payload?

Chim | Last updated: Oct 18, 2023 12:17AM UTC

When I proxy via Burp, sometimes the website responds normally with a 200 OK status code. But most of the time it returns 302 Found or Moved Temporarily. For example, if I ran a payload, I would receive about 20% 200 OK and the rest are 302, which display a blank page. However, on rare occasions with the same setup, I sometimes get 95% 200 OK status codes. I tried to disable all the redirect URLs in Firefox and Burp, but had no luck. I suspect it has to do with session cookies. When I empty the cookie jar, the results are better, but still inconsistent. It looks like the target website has a lot of JavaScript which tries to redirect to a different URL. How do I force it to remain on the same URL?

Michelle, PortSwigger Agent | Last updated: Oct 18, 2023 08:35AM UTC

Can you please email some screenshots or a screen recording to support@portswigger.net to help us understand your scenario? The responses will be based on how the application is reacting to the requests that have been sent. You mentioned that you think this could relate to the session cookies. Do the responses match how you expect the application to behave when the cookies are changed? Do you have any extensions installed? If so, as these could be altering the requests that are sent, does disabling them change the behavior? If you send the requests to Burp Comparer, what differences exist between the requests that receive a 200 response and those that receive a 302 response?

Chim | Last updated: Oct 20, 2023 11:14PM UTC

I tried all the steps you mentioned above. I created 2 steps in Repeater. The first step is to load the website to retrieve the necessary cookies and token. The first step is 95% successful. The second step is running the payload. The 2nd step is hit and miss. Sometimes it returns a 200 OK code, and most of the time a 302 Found code. However, when I kept on refreshing it, it took about 5-7 refreshes to receive a 200 OK. This is the status I am looking for. I would have to keep on refreshing it until it works. Do you have any ideas why it behaves like that? I want to have a consistent result so I can run every payload. If the result is not consistent, I won't know which payload is good and which one isn't. I tried to use a session handling rule to check the validity of the request before processing the payload. But this only checks the validity 1 time. I tried to use the Reshaper extension to check for 302 Found and send it back into the request with the "Send Request" option. However, this creates an infinite running loop in the background. I would have to disable the wifi or shut down Burp to force it to stop.

Michelle, PortSwigger Agent | Last updated: Oct 23, 2023 08:09AM UTC

Hi, can you please send a screen recording of this test to support@portswigger.net, so we can see the details of the request being sent and the details contained within the 200 and 302 responses? The 302 responses will be based on how the server is configured to respond to the requests that you are sending. When you receive a 302 response, what is set in the Location header within the response?

Chim | Last updated: Oct 24, 2023 02:52AM UTC

Please see the responses below for the 200 and 302 status codes. When running a payload, the website sometimes returns a 200 OK code (which is correct). Most of the time it will return 302 Moved Temporarily. Looking at the location it moves to, it looks like it detects Burp Suite as a bot?? Is that why it redirects to a different server? Before calling the macros, I always empty the cookie jar, clear the Burp Suite internal browser cookies, and rotate the IP address, so that the target website wouldn't detect it as a bot. Even though the results are a little better, it still returns the 302 code. Do you have any suggestions? Thanks

******Please see the Response below for the correct display 200 OK Code******

HTTP/1.1 200 OK
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Date: Tue, 24 Oct 2023 02:08:43 GMT
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
Content-Security-Policy: default-src 'self' *.cdn-net.com *.google-analytics.com *.brightcove.com *.brightcove.net *.akamaihd.net *.locatorsearch.com *.facebook.net
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Max-Age: 1000
Access-Control-Allow-Headers: x-requested-with, Content-Type, origin, authorization, accept, client-security-token
Access-Control-Allow-Origin: https://ws2.solspark.com
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache,no-store, must-revalidate, max-age=3600
Pragma: no-cache
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: ADRUM_BT1=R:0|i:483372|e:43; path=/; secure; Max-Age=30; Expires=Tue, 24-Oct-2023 02:09:13 GMT; Secure; Secure
Set-Cookie: ADRUM_BTa=R:0|g:be7182d4-0fc8-45d4-911d-8f9a818e9f2e|n:customer1_175b8307-c15d-48e4-92d8-e61ad30f0381; path=/; secure; Max-Age=30; Expires=Tue, 24-Oct-2023 02:09:13 GMT; Secure; Secure
Set-Cookie: JSESSIONID=NUD5gSY7JWwzqNHcYPNSRi9x.cha_mbdweb_p01; path=/mbd; HttpOnly; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Secure; Secure
Set-Cookie: SameSite=None; path=/; secure; Max-Age=30; Expires=Tue, 24-Oct-2023 02:09:13 GMT; Secure; Secure
Set-Cookie: orgIdInCookie=88474; path=null; HttpOnly; Max-Age=2592000; Expires=Thu, 23-Nov-2023 02:08:43 GMT; Secure; Secure
Vary: User-Agent
X-Content-Type-Options: nosniff
Set-Cookie: NSC_JOlyvo2feiku1rcevlekgbdvv2ofxcQ=30dfa3db6aab7a8f98617fc1c1ec782c09bed1786937cf60f4e4e8de506b25;expires=Tue, 24-Oct-2023 03:08:43 GMT;path=/;secure;httponly
Content-Length: 1067

********This is the Response for 302 Moved Temporarily**********

HTTP/1.1 302 Moved Temporarily
Server: rdwr
Date: Tue, 24 Oct 2023 02:08:52 GMT
Content-Type: text/html
Connection: close
Set-Cookie: __uzmc=304362263211; HttpOnly; path=/; Expires=Tue, 23-Apr-24 02:08:52 GMT ; Max-Age=15724800; SameSite=Lax
Set-Cookie: __uzmd=1698113332; HttpOnly; path=/; Expires=Tue, 23-Apr-24 02:08:52 GMT ; Max-Age=15724800; SameSite=Lax
Set-Cookie: __uzmf=7f6100c22555fe-7933-4e85-a2b9-7060e8138b41169811329708635254-17d8dabaa9dc9ef922; HttpOnly; path=/; Expires=Tue, 23-Apr-24 02:08:52 GMT ; Max-Age=15724800; SameSite=Lax
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Location: https://validate.perfdrive.com/64b926de080836ab9a2812de3f961c22/?ssa=d2d49880-d914-48c1-82c1-d95ba39b1ef7&ssb=00497242356&ssc=https%3A%2F%2F18607018.io%2FAccount.php%3FreqType%3DregUser%26token%3Db21111d7c8b33a36069e516717&ssi=a34bd9ca-ca2r-9afb-b1e3587a8e3c&ssk=botmanager_support@radware.com&ssm=31291166604155310227670544054423&ssn=e505c71de29823ddfd09a6ce891eb81ffb0b52-45e4-4536-908584&sso=f8219da0-405de75eff4c84b3141b22dc1567da8103ea6684e0&ssp=345619445898168481169811659736853&ssq=344399613332294913297650610387686777&ssr=MTQ5LjI4Ljk5Ljc3&sst=Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0&ssu=&ssv=&ssw=&ssx=eyJfX3V6bWYiOiI3ZjYxMDBjMjI1NTVmZS03OTMzLTRlODUtYTJiOS03MDYwZTgxMzhiNDExNjk4MTEzMjk3MDg2MzUyNTQtMTdkOGRhYmFhOWRjOWVmOTIyIn0=
Content-Length: 702
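The checks the PortSwigger agent asks for above (compare what differs between the 200 and 302 responses, and look at where the 302's Location header points) can be done mechanically over response text copied out of Burp. The following is an added example written for this page; it is not code from the thread, from Burp Suite, or from PortSwigger. It parses a raw HTTP/1.x response, reports the status, the redirect target host and whether that host differs from the site being tested, the cookie names each response sets, and any URL embedded in the redirect's query string (the page a challenge would return to). The two sample responses are constructed for the example (hostnames and cookie names are made up), but are shaped like the ones posted in the thread.

```python
"""Triage raw HTTP responses copied out of Burp: status, redirect target,
cookies set, and what differs between a 200 and a 302 for the same request.
Added example for this forum page; the sample responses below are constructed."""
from urllib.parse import urlsplit, parse_qs


def parse_response(raw: str) -> tuple[int, str, list[tuple[str, str]]]:
    """Split a raw HTTP/1.x response into (status code, reason phrase, headers).

    Header names are lower-cased for comparison; order and duplicates
    (several Set-Cookie lines) are preserved. The body is ignored."""
    head = raw.replace("\r\n", "\n").lstrip("\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    _version, code, *reason = lines[0].split(" ", 2)
    headers: list[tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")  # split on the first colon only
        headers.append((name.strip().lower(), value.strip()))
    return int(code), " ".join(reason), headers


def header_values(headers: list[tuple[str, str]], name: str) -> list[str]:
    """All values of a (case-insensitive) header name, in order."""
    return [v for n, v in headers if n == name.lower()]


def cookie_names(headers: list[tuple[str, str]]) -> list[str]:
    """Names of the cookies a response sets, without values or attributes."""
    return sorted({v.split(";", 1)[0].split("=", 1)[0].strip()
                   for v in header_values(headers, "set-cookie")})


def wrapped_urls(location: str) -> list[str]:
    """Query parameters of a redirect target that are themselves URLs,
    i.e. the page the redirect expects to send the client back to."""
    params = parse_qs(urlsplit(location).query)
    return [v for vals in params.values() for v in vals
            if v.startswith(("http://", "https://"))]


def triage(raw: str, origin_host: str) -> dict:
    """Summarise one response relative to the host under test."""
    code, reason, headers = parse_response(raw)
    location = header_values(headers, "location")
    target_host = urlsplit(location[0]).hostname if location else None
    return {
        "status": code,
        "reason": reason,
        "redirect": 300 <= code < 400,
        "location_host": target_host,
        # A redirect to a host other than the one being tested is the signal
        # worth checking first: the site is handing the client off elsewhere.
        "off_origin": target_host is not None and target_host.lower() != origin_host.lower(),
        "wrapped": wrapped_urls(location[0]) if location else [],
        "cookies": cookie_names(headers),
        "server": (header_values(headers, "server") or [None])[0],
    }


def compare(ok_raw: str, redirect_raw: str, origin_host: str) -> dict:
    """What differs between the 200 and the 302 for the same request."""
    a, b = triage(ok_raw, origin_host), triage(redirect_raw, origin_host)
    return {
        "only_in_200": sorted(set(a["cookies"]) - set(b["cookies"])),
        "only_in_302": sorted(set(b["cookies"]) - set(a["cookies"])),
        "redirect_host": b["location_host"],
        "redirect_off_origin": b["off_origin"],
        "returns_to": b["wrapped"],
    }


# Constructed sample responses (made-up hosts and cookie names), shaped like the
# 200 and 302 posted in the thread.
OK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html;charset=ISO-8859-1
Set-Cookie: JSESSIONID=abc123; path=/app; HttpOnly; Secure
Set-Cookie: orgIdInCookie=1; path=/; HttpOnly
Content-Length: 1067

<html>ok</html>"""

REDIRECT_RESPONSE = """HTTP/1.1 302 Moved Temporarily
Server: example-botmanager
Set-Cookie: __challenge_a=1; HttpOnly; path=/; SameSite=Lax
Set-Cookie: __challenge_b=2; HttpOnly; path=/; SameSite=Lax
Cache-Control: no-store
Location: https://validate.example-botmanager.test/check?ssc=https%3A%2F%2Fwww.example.com%2FAccount.php
Content-Length: 702

"""

if __name__ == "__main__":
    for key, value in compare(OK_RESPONSE, REDIRECT_RESPONSE, "www.example.com").items():
        print(f"{key}: {value}")
```

Paste the two responses from Burp's message editor into the string constants (or read them from files) and pass the host you are testing as origin_host; a 302 whose Location host differs from that host, with its own set of cookies that the 200 never sets, is the pattern to describe to the application's owners.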

Michelle, PortSwigger Agent | Last updated: Oct 24, 2023 09:06AM UTC

Hi, to find out what may cause the application to behave like this, it would be best to check with the team that wrote it. For example, it could be that a user can only have a certain number of active logins, and if they try to log in more times than that, their session might be invalidated, and they may be required to log in again. The people who created the application would be able to confirm this or any other potential reasons for the behavior for you.

Chim | Last updated: Oct 24, 2023 05:56PM UTC

I was told by the target website's team that I need to clear the cookies, caches, and history if I want to run it smoothly. It seems like the Burp Suite internal browser is still storing cookies, caches, and history. How do I clear these out? If I run a payload more than 5 times, it shows a 302 status code.

Michelle, PortSwigger Agent | Last updated: Oct 25, 2023 10:28AM UTC

Hi, when you send your payloads, which tool are you using in Burp?

Chim | Last updated: Oct 25, 2023 08:42PM UTC

I am using Intruder.

Chim | Last updated: Oct 25, 2023 08:51PM UTC

This behavior is like it tries to redirect to another link, like adfly and captcha. When I set it up to block the redirection, it returns 302 Moved Temporarily. Do you know if we can create a script or extension to stop the target website from redirecting and display the actual source link? I googled online and saw that people are using Tampermonkey to bypass the redirection. How do I implement this in Burp Suite?

Michelle, PortSwigger Agent | Last updated: Oct 26, 2023 10:21AM UTC