Burp Suite User Forum

Create new post

Detect when TRACE response has additional headers we didn't send

floyd | Last updated: Mar 08, 2016 02:45PM UTC

I nearly missed it as Burp only showed "HTTP Trace method is enabled" as informational, but actually this was pretty interesting: Request: TRACE / HTTP/1.1 Host: example.com Cookie: 6bwxjeof12 Connection: close And Response: HTTP/1.1 200 OK Date: Tue, 08 Mar 2016 08:57:34 GMT Connection: close Content-Type: message/http Content-Length: 207 TRACE / HTTP/1.1 Host: example.com Cookie: 6bwxjeof12; BIGipServerXXXXXXXXXX=XXXXX Connection: close X-Forwarded-For: EXAMPLE_IP, EXAMPLE_IP ANOTHER_CUSTOM_HTTP_HEADER: VALUE As you see the proxy server added a couple of cookies and headers and forwarded the request to the application server, however, as the application server saw it's a trace message it sent the response back which included all the internal details how HTTP headers are added and forwarded by the proxy Maybe burp should at least set the severity to low when additional headers pop up that we didn't sent in the request

PortSwigger Agent | Last updated: Mar 10, 2016 10:43AM UTC

Thanks for this. We'll look into flagging up the disclosure of the additional headers when this occurs.

PortSwigger Agent | Last updated: Mar 14, 2016 12:07PM UTC

We've reflected on this and have concluded: (a) It is very common to see some additional content added to TRACE requests, by reverse proxies and the like. (b) This stuff is often completely banal so wouldn't warrant elevating the issue severity. (c) Any interesting stuff is typically custom and impossible for Burp to fingerprint, so it isn't feasible to selectively elevate the severity based on the added content. (d) All we could feasibly do is add some highlighting to the reported reponse showing the added content, but we aren't convinced this adds any real value, since the user can easily spot the added content anyway. We'd be happy to hear other opinions if people disagree.

Burp User | Last updated: Feb 24, 2017 10:25AM UTC

Ok, that's fine for me

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.