Burp Suite User Forum


Burp Does Not Redirect

Rui | Last updated: Feb 26, 2022 05:13AM UTC

The application I am testing uses SiteMinder for SSO, and this produces a redirect of the form...

    <HTML><HEAD><TITLE></TITLE></HEAD><BODY onLoad="document.AUTOSUBMIT.submit();">...
    <FORM NAME="AUTOSUBMIT" METHOD="POST" ENCTYPE="application/x-www-form-urlencoded" ACTION="https://.../logon.cgi?...&TARGET=$SM$https%3a%2f%2f...">
    <INPUT TYPE="HIDDEN" NAME="SMPostPreserve" VALUE="...">
    <INPUT TYPE="SUBMIT" VALUE="Continue">
    </FORM> </BODY> </HTML>

There is no Location header or 302 redirect, but I have enabled all possible redirect options (Project Options>HTTP>Redirections). But both Repeater and Scanner do not redirect to the logon screen.

Liam, PortSwigger Agent | Last updated: Feb 28, 2022 08:33AM UTC

Thanks for your message, Rui. Is the site publicly accessible? If so, would it be possible to provide us with test credentials? (You can email us via support@portswigger.net)

Rui | Last updated: Mar 04, 2022 04:00AM UTC

No, the application is not publicly accessible unfortunately. Is there something I can do to make this work?

Liam, PortSwigger Agent | Last updated: Mar 04, 2022 11:59AM UTC

Unfortunately, we don't currently handle this well. We have a development ticket to improve our handling of Form submission / redirections caused by body onLoad attributes. We hope to start work on this next quarter. We'll update this thread when we have made some progress.

Liam, PortSwigger Agent | Last updated: Mar 30, 2022 09:57AM UTC

We've completed the work mentioned in the thread above. Let us know if this helps.

Rui | Last updated: Oct 23, 2022 09:22PM UTC

No it does not. The following form does not automatically load (Intruder):

    HTTP/1.1 200 OK
    X-Powered-By: Servlet/4.0
    X-OPNET-Transaction-Trace: a2_a1a6df5b-d56f-4e7b-bf78-45ddf3827349
    Content-Type: text/html;charset=ISO-8859-1
    Cache-Control: no-cache, no-store
    Expires: Thu, 29 Oct 1998 17:04:19 GMT
    X-Frame-Options: SAMEORIGIN
    Content-Language: en-US
    Connection: Close
    Date: Sun, 23 Oct 2022 20:59:07 GMT
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    Set-Cookie: TS3c41ca9e027=...; Path=/
    Content-Length: 325

    <html> <body onLoad="document.loginForm.submit()">
    <form name="loginForm" method="POST" action="j_security_check" autocomplete = "off">
    <input type="hidden" name="j_username" value="uid">
    <input type="hidden" name="j_password" value="pwd">
    </form> </body> </html>

Liam, PortSwigger Agent | Last updated: Oct 24, 2022 12:08PM UTC

Hi Rui. It looks like the work we completed was related to the Crawler (and possibly Repeater). I'll follow up with the development team and get back to you.

Liam, PortSwigger Agent | Last updated: Oct 25, 2022 10:11AM UTC

Hi Rui, is the application publicly accessible? If so, could we perform some remote testing?

Rui | Last updated: Oct 25, 2022 03:47PM UTC

While the application is publicly accessible, I do not have permission from the site owner to facilitate testing by third parties. I will confirm the crawler, but repeater does not redirect via this form either. Thanks Rui

Liam, PortSwigger Agent | Last updated: Oct 26, 2022 07:15AM UTC

Thanks for confirming, Rui. We'll follow up with the development team and let you know if it's something we can help with.

Liam, PortSwigger Agent | Last updated: Nov 15, 2022 01:11PM UTC

To provide an update - we've added feature requests for Intruder and Repeater to our product triage boards.

Rui | Last updated: Jan 23, 2023 10:02PM UTC

Any progress on this issue? R

Liam, PortSwigger Agent | Last updated: Jan 24, 2023 03:24PM UTC

Hi Rui. We've discussed this internally, and processing JavaScript is not something we would do natively in Burp Suite. The team did say that you could perform this task by writing an extension. Please let us know if you need any further assistance.

Rui | Last updated: Jan 27, 2023 04:21PM UTC

Sorry, I do not understand your response, and it does not track with previous responses on this thread, where it is indicated that PortSwigger is / has been working on this issue. The problem is not JavaScript, it is an *HTML* request to automatically submit a form on page load (https://www.w3schools.com/jsref/event_onload.asp). At this point there is no JavaScript involved. This should be a standard action during crawling, scanning, etc.

    <body onLoad="document.loginForm.submit()">

Besides, the redirect options at Project Options>HTTP>Redirections specifically indicate JavaScript redirects are handled (although this is an aside and I do not think relevant to the main issue). I do hope you can revisit this as it is now impacting two of my projects. Thanks Rui

Liam, PortSwigger Agent | Last updated: Jan 30, 2023 04:19PM UTC

Hi Rui. The development ticket created off the back of your forum post was closed following further investigation by our Burp Pro development team. I've asked for further feedback and clarification regarding the Project option you referenced.

Liam, PortSwigger Agent | Last updated: Jan 31, 2023 12:05PM UTC

Hi Rui. We assessed the code for the checkbox that you mentioned. It does a basic parse and search i.e., not executing javascript, but looking for “hard-coded” javascript. It requires <script> tags and location; e.g. window.location.href, window.location.replace. Your example (onLoad="document.AUTOSUBMIT.submit();">...) requires JavaScript processing, which our team does not think we can facilitate in native Burp. They did suggest that you could create an extension to perform this task. Please let us know if you need any further assistance.
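As an added example (not PortSwigger's code and not from anyone in this thread), here is the parsing step an extension following Liam's suggestion would need: read the response body, find the form named in the body onload handler, and build the follow-up request from the form's fields. It assumes the original request URL is known (a constructed https://host.example/app/login is used) and takes the loginForm response quoted earlier in the thread as its sample body.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin

# Constructed sample: the loginForm response body quoted in the thread.
SAMPLE_BODY = """<html> <body onLoad="document.loginForm.submit()">
<form name="loginForm" method="POST" action="j_security_check" autocomplete = "off">
<input type="hidden" name="j_username" value="uid">
<input type="hidden" name="j_password" value="pwd">
</form> </body> </html>"""


class _FormScan(HTMLParser):
    """Collects the form named in <body onload="document.NAME.submit()"> and all forms."""

    def __init__(self):
        super().__init__()
        self.onload_target = None  # form name referenced by the onload handler
        self.forms = {}            # form name -> {"method", "action", "fields"}
        self._cur = None           # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}   # tag/attr names arrive lowercased
        if tag == "body":
            m = re.search(r"document\.(\w+)\.submit\(\)", a.get("onload", ""))
            if m:
                self.onload_target = m.group(1)
        elif tag == "form":
            self._cur = {"method": a.get("method", "GET").upper(),
                         "action": a.get("action", ""), "fields": []}
            self.forms[a.get("name", "")] = self._cur
        elif tag == "input" and self._cur is not None and a.get("type", "").lower() != "submit":
            # hidden/text inputs become form fields; the submit button is not sent
            self._cur["fields"].append((a.get("name", ""), a.get("value", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def follow_autosubmit(base_url, body):
    """Return (method, url, encoded_body) for the auto-submitted form, or None if there is none."""
    p = _FormScan()
    p.feed(body)
    form = p.forms.get(p.onload_target)
    if form is None:
        return None
    url = urljoin(base_url, form["action"])       # relative actions resolve against the page URL
    data = urlencode(form["fields"])              # application/x-www-form-urlencoded
    if form["method"] == "GET":
        return ("GET", url + ("&" if "?" in url else "?") + data, "")
    return ("POST", url, data)
```

The returned tuple is what an Intruder or Repeater helper would turn into the next request; the "hard-coded" Location/window.location search Liam describes never reaches this code path.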
