Burp Suite User Forum


Burp Does Not Redirect

Rui | Last updated: Feb 26, 2022 05:13AM UTC

The application I am testing uses SiteMinder for SSO, and this produces a redirect of the form...

    <HTML><HEAD><TITLE></TITLE></HEAD>
    <BODY onLoad="document.AUTOSUBMIT.submit();">...
    <FORM NAME="AUTOSUBMIT" METHOD="POST" ENCTYPE="application/x-www-form-urlencoded" ACTION="https://.../logon.cgi?...&TARGET=$SM$https%3a%2f%2f...">
    <INPUT TYPE="HIDDEN" NAME="SMPostPreserve" VALUE="...">
    <INPUT TYPE="SUBMIT" VALUE="Continue">
    </FORM>
    </BODY>
    </HTML>

There is no Location header or 302 redirect, but I have enabled all possible redirect options (Project Options > HTTP > Redirections). Both Repeater and Scanner do not redirect to the logon screen.

Liam, PortSwigger Agent | Last updated: Feb 28, 2022 08:33AM UTC

Thanks for your message, Rui. Is the site publicly accessible? If so, would it be possible to provide us with test credentials? (You can email us via support@portswigger.net)

Rui | Last updated: Mar 04, 2022 04:00AM UTC

No, the application is not publicly accessible unfortunately. Is there something I can do to make this work?

Liam, PortSwigger Agent | Last updated: Mar 04, 2022 11:59AM UTC

Unfortunately, we don't currently handle this well. We have a development ticket to improve our handling of Form submission / redirections caused by body onLoad attributes. We hope to start work on this next quarter. We'll update this thread when we have made some progress.

Liam, PortSwigger Agent | Last updated: Mar 30, 2022 09:57AM UTC

We've completed the work mentioned in the thread above. Let us know if this helps.

Rui | Last updated: Oct 23, 2022 09:22PM UTC

No, it does not. The following form does not automatically load (Intruder):

    HTTP/1.1 200 OK
    X-Powered-By: Servlet/4.0
    X-OPNET-Transaction-Trace: a2_a1a6df5b-d56f-4e7b-bf78-45ddf3827349
    Content-Type: text/html;charset=ISO-8859-1
    Cache-Control: no-cache, no-store
    Expires: Thu, 29 Oct 1998 17:04:19 GMT
    X-Frame-Options: SAMEORIGIN
    Content-Language: en-US
    Connection: Close
    Date: Sun, 23 Oct 2022 20:59:07 GMT
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    Set-Cookie: TS3c41ca9e027=...; Path=/
    Content-Length: 325

    <html>
    <body onLoad="document.loginForm.submit()">
    <form name="loginForm" method="POST" action="j_security_check" autocomplete = "off">
    <input type="hidden" name="j_username" value="uid">
    <input type="hidden" name="j_password" value="pwd">
    </form>
    </body>
    </html>
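The responses quoted in this thread are redirects that live in the HTML body (a form auto-submitted from body onLoad) rather than in a 3xx status and Location header, which is why a client that only follows Location headers stops there. As an added example that is not code from the thread or from Burp, the following Python helper parses such a response and returns the request a browser would issue; the sample response, the hostnames and the form field values are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin
# Both onLoad spellings seen in the thread: document.NAME.submit() and document.forms[N].submit()
_ONLOAD_RE = re.compile(r"document\.(?:forms\[(\d+)\]|(\w+))\.submit\(\)")

class _FormParser(HTMLParser):
    """Collects the <body onLoad> handler and every <form> with its named inputs."""
    def __init__(self):
        super().__init__()
        self.onload, self.forms, self._cur = "", [], None
    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "body":
            self.onload = a.get("onload", "")
        elif tag == "form":
            self._cur = {"name": a.get("name", ""), "action": a.get("action", ""),
                         "method": a.get("method", "GET").upper(), "fields": {}}
            self.forms.append(self._cur)
        # form.submit() from script sends no submitter button, so type=submit is skipped
        elif tag == "input" and self._cur is not None and "name" in a \
                and a.get("type", "text").lower() != "submit":
            self._cur["fields"][a["name"]] = a.get("value", "")

def follow_autosubmit(raw_response: str, request_url: str):
    """Request (method/url/body dict) a browser would send from a body-onLoad auto-submit form, or None."""
    parts = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)   # headers / body
    p = _FormParser()
    p.feed(parts[1] if len(parts) > 1 else "")
    m = _ONLOAD_RE.search(p.onload)
    if not m or not p.forms:
        return None
    idx, name = m.groups()
    form = (p.forms[int(idx)] if idx is not None and int(idx) < len(p.forms)
            else next((f for f in p.forms if f["name"] == name), None))
    if form is None:
        return None
    url = urljoin(request_url, form["action"])   # resolves relative actions like j_security_check
    data = urlencode(form["fields"])
    if form["method"] == "POST":
        return {"method": "POST", "url": url, "body": data}
    # GET submission: the browser replaces the action's query string with the form data
    return {"method": "GET", "url": url.split("?", 1)[0] + ("?" + data if data else ""), "body": ""}

# Constructed sample modelled on the j_security_check response quoted above (not a real capture).
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html;charset=ISO-8859-1\r\n\r\n"
                   '<html><body onLoad="document.loginForm.submit()">'
                   '<form name="loginForm" method="POST" action="j_security_check" autocomplete = "off">'
                   '<input type="hidden" name="j_username" value="uid">'
                   '<input type="hidden" name="j_password" value="pwd"></form></body></html>')
```

A plain 302 with a Location header yields None, so the helper only fills the gap for body-driven redirects and leaves ordinary ones to the existing redirect handling.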

Liam, PortSwigger Agent | Last updated: Oct 24, 2022 12:08PM UTC

Hi Rui. It looks like the work we completed was related to the Crawler (and possibly Repeater). I'll follow up with the development team and get back to you.

Liam, PortSwigger Agent | Last updated: Oct 25, 2022 10:11AM UTC

Hi Rui, is the application publicly accessible? If so, could we perform some remote testing?

Rui | Last updated: Oct 25, 2022 03:47PM UTC

While the application is publicly accessible, I do not have permission from the site owner to facilitate testing by third parties. I will confirm the crawler, but Repeater does not redirect via this form either. Thanks, Rui

Liam, PortSwigger Agent | Last updated: Oct 26, 2022 07:15AM UTC

Thanks for confirming, Rui. We'll follow up with the development team and let you know if it's something we can help with.

Liam, PortSwigger Agent | Last updated: Nov 15, 2022 01:11PM UTC

To provide an update - we've added feature requests for Intruder and Repeater to our product triage boards.
