Burp Suite User Forum

Burp scan crawler cannot detect or redirect a 307 status

Vlad | Last updated: Apr 19, 2021 11:36AM UTC

I have a page: example.com. The login page is https://example.com/login. After login it goes to http://example.com/my-details with a 307 internal redirect status and after that to https://example.com/my-details, which is the correct destination.

This is the flow if I do it manually in Firefox or the Burp embedded browser:

1. https://example.com/login -> status code: 302
2. http://example.com/my-details -> status code: 307 Internal Redirect
3. https://example.com/my-details -> status code: 200

I. If I do it with Burp Proxy, only https://example.com/login and https://example.com/my-details are intercepted and all works OK. Nowhere can I see the 307 Internal Redirect that I see when I manually test.

1. https://example.com/login -> status code: 302
2. https://example.com/my-details -> status code: 200

II. If I do a Burp scan, only with crawl, for https://example.com, when it reaches the login form, it passes and goes to http://example.com/my-details and gives status code -1; it stops there and moves forward to other requests.

1. https://example.com/login -> status code: 302
2. http://example.com/my-details -> status code: -1

Vlad | Last updated: Apr 19, 2021 11:39AM UTC

Also, if I send the login request to Repeater, it takes me to http://example.com/my-details, but the response for this request is empty.

Michelle, PortSwigger Agent | Last updated: Apr 20, 2021 09:08AM UTC

Thanks for your message. To help us understand your setup better could you email some screenshots of what you are seeing to support@portswigger.net, please? In the first test, when performing the login manually using the embedded browser are all three requests shown in the Proxy History tab? What steps do you take when performing the second test where you do not see the 307?

Alexandros | Last updated: Mar 29, 2022 01:51PM UTC

Proxy and Repeater work fine for me, but I get the same behavior as mentioned above from Intruder. 2 redirections are successful; when it reaches the 307 it stops, and under status it reports 200.

Michelle, PortSwigger Agent | Last updated: Mar 29, 2022 02:34PM UTC

Thanks for getting in touch. Can you email some more details of your Intruder attack setup to support@portswigger.net so we can take a closer look for you, please? It would be good to understand the sequence of the requests and redirects and the responses you are seeing in the Intruder results window. Can you also please confirm which version of Burp Suite you are using?
