Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

302 Redirect Not Picking Up Cookies

An& | Last updated: Sep 26, 2019 05:18PM UTC

Hello, I am using burp v1.7.31. This is about redirection 302 response code in burp. I am not getting "Follow Redirection" option in burp repeater while testing a particular application. The repeater options are set as "Never" in redirection and also 'process cookies' option is set . I have checked another web application and it does show "Follow Redirection". I have diffed the hex bytes response of both the server responses and i see below Hex bytes of server response where i am not getting "Follow Redirection" 48 54 54 50 2f 31 2e 31 20 33 30 32 20 46 6f 75 6e 64 0a 44 Hex bytes of server response where i am getting "Follow Redirection" 48 54 54 50 2f 31 2e 31 20 33 30 32 20 46 6f 75 6e 64 0d 0a 44 As once can see, the LF CR bytes are probably making the difference here. First response only has 0A where as response from second application server has both 0D and 0A. Probably this issue is causing me to process cookies in the 302 response (but this is whole another story). let me know my understanding is wrong here. I did a workaround by using fiddler as upstream proxy. Fiddler adds both characters 0D and 0A while offloading SSL traffic and adds those characters. It works after workaround.

Mike, PortSwigger Agent | Last updated: Sep 30, 2019 02:36PM UTC

Hi, have you tried reproducing this issue in the latest version of Burp Suite? (2.1.04)

Burp User | Last updated: Oct 01, 2019 03:45PM UTC

Hello Mike, Yes, I just reproduced it on v2.1.04 and the issue remains same.

Liam, PortSwigger Agent | Last updated: Oct 03, 2019 07:26AM UTC

Could we ask which browser you are using? Does the browser follow the redirect? Could you provide us with the full responses? Is the application public facing?

Liam, PortSwigger Agent | Last updated: Oct 03, 2019 01:12PM UTC