Burp Suite User Forum

Login to post

Chromium header resulting in server rejecting requests

floyd | Last updated: Feb 15, 2021 12:06PM UTC

Hi there, Burp Pro version v2021.2 A commercial website is currently preventing access (redirecting to a HTTP 400 error) when using the Burp built-in Chromium browser. The reasons is the following HTTP header sent by the Chromium browser: sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88" Interesting is that when I remove the first semicolon, it works. So I guess it would be better if Chromium would act like Chrome. It seems like Chrome would identify itself differently, see https://stackoverflow.com/questions/65565396/why-is-chrome-sending-sec-ch-ua-and-sec-ch-ua-mobile-request-headers-although-e

Uthman, PortSwigger Agent | Last updated: Feb 15, 2021 01:27PM UTC

Hi Floyd, Is this added as a request header only to the URL you are testing? Can you please share the URL with support@portswigger.net so that we can replicate your issue and investigate further?

floyd | Last updated: Feb 15, 2021 09:34PM UTC

Hi Uthman, No, every URL you visit. Open the built-in browser, browse anywhere, check Burp. No need to ask me for a replicate. Regarding the server-response you just have to take my word, but it's also kind of obvious that as soon as you start building a browser that doesn't look like Chrome or Firefox, there will be people who fingerprint it and reject your request because you don't look like the big players. cheers, floyd

Uthman, PortSwigger Agent | Last updated: Feb 16, 2021 01:58PM UTC

Hi Floyd, I have received some feedback from our development team. Please review it below: We have had a look - looks like this is standard behaviour for Chromium, but not yet for Chrome, although it will become so in the future. - https://www.chromestatus.com/feature/5995832180473856 We are going to look into adjusting the headers we send from Chromium to make them look more like Chrome. Does the website you are testing also reject requests if you try to access it from the latest build of Chromium? - https://www.chromium.org/getting-involved/download-chromium The semicolon behavior is interesting - different versions of Chromium put it in a different place, which is part of Google's efforts to stop browser fingerprinting. The latest build uses sec-ch-ua: " Not A;Brand" etc. Our development team has raised an internal ticket to investigate this further and we will update this thread with any further information.

floyd | Last updated: Feb 18, 2021 12:55PM UTC

The problem is that financial institutions will probably not care about Chromium and only support Chrome probably. With the latest Chromium it works and I can access the page. Interesting. Btw. I forgot to mention there is a also a WAF involved. I guess for Burp it's probably best if you track what Chrome is currently doing. I fixed my problem with a simple match/replace rule, but wanted to let you know anyway.

Uthman, PortSwigger Agent | Last updated: Feb 18, 2021 01:15PM UTC

Thanks a lot for the feedback!

You need to Log in to post a reply. Or register here, for free.