Burp Suite User Forum


302 Redirect Not Picking Up Cookies

An& | Last updated: Sep 26, 2019 05:18PM UTC

Hello, I am using Burp v1.7.31. This is about the 302 redirection response code in Burp. I am not getting the "Follow Redirection" option in Burp Repeater while testing a particular application. The Repeater options are set to "Never" for redirection, and the 'process cookies' option is also set. I have checked another web application and it does show "Follow Redirection". I have diffed the hex bytes of both server responses and I see the following.

Hex bytes of the server response where I am not getting "Follow Redirection":

    48 54 54 50 2f 31 2e 31 20 33 30 32 20 46 6f 75 6e 64 0a 44

Hex bytes of the server response where I am getting "Follow Redirection":

    48 54 54 50 2f 31 2e 31 20 33 30 32 20 46 6f 75 6e 64 0d 0a 44

As one can see, the LF/CR bytes are probably making the difference here. The first response only has 0A, whereas the response from the second application server has both 0D and 0A. Probably this issue is causing me to process cookies in the 302 response (but this is a whole other story). Let me know if my understanding is wrong here. I did a workaround by using Fiddler as an upstream proxy. Fiddler adds both characters 0D and 0A while offloading SSL traffic. It works after the workaround.

Mike, PortSwigger Agent | Last updated: Sep 30, 2019 02:36PM UTC

Hi, have you tried reproducing this issue in the latest version of Burp Suite? (2.1.04)

Burp User | Last updated: Oct 01, 2019 03:45PM UTC

Hello Mike, Yes, I just reproduced it on v2.1.04 and the issue remains same.

Liam, PortSwigger Agent | Last updated: Oct 03, 2019 07:26AM UTC

Could we ask which browser you are using? Does the browser follow the redirect? Could you provide us with the full responses? Is the application public facing?

Liam, PortSwigger Agent | Last updated: Oct 03, 2019 01:12PM UTC

We've added a ticket to our development backlog to "Make header utils support non-strict line endings". Unfortunately, we can't provide an ETA.
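To make concrete what the two hex dumps in the opening post show, and what "non-strict line endings" in the ticket above refers to, here is an added Python example; it is not part of this thread and is not Burp Suite code. It decodes the two quoted byte prefixes, then parses a constructed 302 response (sample Date, Set-Cookie and Location values are made up for the example) with a strict header parser that accepts only CRLF and with a lenient one that also accepts bare LF, as RFC 7230 section 3.5 permits a recipient to do. Only the lenient parser recognises the redirect and sees the Set-Cookie header in the LF-only response, which is the behaviour difference the poster observed. Function names and the sample response are assumptions of this example.

```python
"""Strict vs. lenient HTTP header parsing of a 302 response whose lines end in
bare LF (0x0A) instead of the CRLF (0x0D 0x0A) that RFC 7230 requires a sender to emit."""
import re
from typing import Optional, Tuple

# The two status-line prefixes quoted in the forum post (hex bytes as given there).
HEX_LF_ONLY = "48 54 54 50 2f 31 2e 31 20 33 30 32 20 46 6f 75 6e 64 0a 44"
HEX_CRLF = "48 54 54 50 2f 31 2e 31 20 33 30 32 20 46 6f 75 6e 64 0d 0a 44"


def hex_to_bytes(hex_dump: str) -> bytes:
    """Turn a space-separated hex dump into raw bytes."""
    return bytes.fromhex(hex_dump.replace(" ", ""))


def line_ending(raw: bytes) -> str:
    """Report which terminator ends the first line: 'CRLF', 'LF' or 'none'."""
    end = raw.find(b"\n")
    if end == -1:
        return "none"
    return "CRLF" if raw[end - 1:end] == b"\r" else "LF"


def build_302(eol: bytes) -> bytes:
    """Constructed sample 302 response (not from the page), joined with the given line ending."""
    lines = [
        b"HTTP/1.1 302 Found",
        b"Date: Thu, 26 Sep 2019 17:18:00 GMT",          # constructed value
        b"Set-Cookie: session=constructed; Path=/; HttpOnly",  # constructed value
        b"Location: /home",                               # constructed value
    ]
    return eol.join(lines) + eol + eol  # empty line terminates the header block


def parse_headers(raw: bytes, strict: bool) -> Optional[dict]:
    """Split a response into its status line and a dict of lower-cased header names.

    strict=True accepts only CRLF as the line terminator, so an LF-only response never
    presents a CRLF CRLF end-of-headers marker and the function returns None.
    strict=False also accepts bare LF (the 'non-strict line endings' behaviour).
    """
    if strict:
        end = raw.find(b"\r\n\r\n")
        if end == -1:
            return None
        lines = raw[:end].split(b"\r\n")
    else:
        match = re.search(rb"\r?\n\r?\n", raw)
        if match is None:
            return None
        lines = re.split(rb"\r?\n", raw[:match.start()])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("ascii").lower()] = value.strip().decode("ascii")
    return {"status": lines[0].decode("ascii"), "headers": headers}


def redirect_target(raw: bytes, strict: bool) -> Optional[Tuple[int, str]]:
    """Return (status_code, Location) when the parser recognises a 3xx redirect, else None."""
    parsed = parse_headers(raw, strict)
    if parsed is None:
        return None
    code = int(parsed["status"].split()[1])
    location = parsed["headers"].get("location")
    if 300 <= code < 400 and location:
        return code, location
    return None


if __name__ == "__main__":
    for label, dump in (("post's first response", HEX_LF_ONLY), ("post's second response", HEX_CRLF)):
        prefix = hex_to_bytes(dump)
        print(f"{label}: {prefix!r} ends status line with {line_ending(prefix)}")
    for eol_name, eol in (("CRLF", b"\r\n"), ("LF", b"\n")):
        for strict in (True, False):
            print(f"{eol_name} response, strict={strict}: redirect ->",
                  redirect_target(build_302(eol), strict))
```

Running the block prints that the post's first prefix decodes to `HTTP/1.1 302 Found\nD` (bare LF) and the second to `HTTP/1.1 302 Found\r\nD` (CRLF), and that the LF-only response yields a redirect target only under the lenient parser. The same split explains the cookie observation: a parser that never reaches the header block cannot see Set-Cookie either.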
