Burp Suite User Forum

Login to post

Blank lines in Requests

Alvaro | Last updated: Nov 15, 2020 12:54PM UTC

There are exercises, for example "URL-based access control can be circumvented" in the "Access Control" lab, where you add a custom header to your requests to complete them. The requests themselves when passed through Burp show 2 blank lines at the end. If I add a custom header to one of those lines leaving only 1 blank line, it doesn't work. If I add the custom header before the blank lines and keep 2 blank lines, it works. I am curious, why do these matter when they are simply blank and at the very end?

Ben, PortSwigger Agent | Last updated: Nov 16, 2020 03:02PM UTC

Hi, The final line of an HTTP request needs to be \r\n. In practicality, this equates to two carriage returns, due to the carriage return on the previous line. An example: Get /mysite/index.html HTTP/1.1\r\n Host: 10.101.101.10\r\n Accept: */*\r\n \r\n

You need to Log in to post a reply. Or register here, for free.