Burp Suite User Forum


Extension is not following redirects.

Ahmed | Last updated: Dec 04, 2021 12:15PM UTC

Hello Team, Hope you guys are doing well. I'm currently writing an extension for my Burp Suite but I'm facing an issue related to following redirects properly in extension code. I'm using Jython for development, and developing the extension in Python. I have used a simple makeHTTPRequest from the Extender API. It doesn't properly follow the redirects if one is there.

Example: I have performed a request to a URL which then returns a 301 and then 200 OK. But my extension is only detecting/returning the 301 and not returning the final 200 OK response page. How do I achieve this? Your help is really appreciated.

- Ahmed

Hannah, PortSwigger Agent | Last updated: Dec 06, 2021 09:23AM UTC

Hi Ahmed,

Following redirects automatically through use of the Extender API isn't supported. You would need to create this behavior yourself. There may be an existing extension that contains the functionality you are trying to implement. You can find the source code for all BApp Store extensions here: https://github.com/PortSwigger

Ahmed | Last updated: Dec 08, 2021 06:37AM UTC

Hi Hannah, Thanks for the response. I have managed to implement it.

gary.reilly | Last updated: Jun 22, 2023 02:23PM UTC

To properly follow redirects in your Burp Suite extension code, you can use the URL and HttpURLConnection classes available in Jython to manually handle the redirection. Here's an example of how you can modify your code to follow redirects:

```python
from java.io import BufferedReader, InputStreamReader
from java.net import URL
from java.net import HttpURLConnection

def makeHTTPRequest(url):
    # Create a URL object
    urlObj = URL(url)
    # Open a connection to the URL
    connection = urlObj.openConnection()
    # Set the follow redirects option to true
    connection.setInstanceFollowRedirects(True)
    # Get the response code
    responseCode = connection.getResponseCode()
    # Check if the response code is a redirect
    if responseCode in [HttpURLConnection.HTTP_MOVED_PERM,
                        HttpURLConnection.HTTP_MOVED_TEMP,
                        HttpURLConnection.HTTP_SEE_OTHER]:
        # Get the new location from the "Location" header
        redirectURL = connection.getHeaderField("Location")
        # Make a recursive call to follow the redirect
        return makeHTTPRequest(redirectURL)
    else:
        # Process the response
        # Read the whole body line by line (InputStream.read() alone
        # would return only a single byte)
        reader = BufferedReader(InputStreamReader(connection.getInputStream(), "UTF-8"))
        lines = []
        line = reader.readLine()
        while line is not None:
            lines.append(line)
            line = reader.readLine()
        reader.close()
        responseBody = "\n".join(lines)
        return responseBody

# Usage
response = makeHTTPRequest("http://example.com")
print(response)
```

In this modified code, the setInstanceFollowRedirects(True) method is called to enable automatic redirection. If the response code indicates a redirect (e.g., 301, 302, 303), the Location header is extracted to obtain the new URL. Then, a recursive call is made to the makeHTTPRequest function with the new URL, allowing it to follow the redirect chain until a non-redirect response is received. By using this approach, your extension should be able to properly follow redirects and retrieve the final response page.

Hannah, PortSwigger Agent | Last updated: Jun 28, 2023 09:43AM UTC

Just to mention, whilst you can use Java's networking libraries in your extension, we would not recommend this. By using Burp's networking libraries, any network-level configuration settings will be applied to your outgoing requests. For example, if you had an upstream proxy configured or other authentication options. We have an ongoing feature request to add redirect handling to the Montoya API.
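
The redirect handling discussed in this thread, kept separate from the transport so that each hop can go through Burp's own networking; this is an added example, not code from any poster or from PortSwigger. The `send` callable is hypothetical: in a Jython extension it would wrap the Extender API's `makeHttpRequest` and `analyzeResponse`, while here a constructed stub (`sample_send`) stands in so the logic runs outside Burp.

```python
try:
    from urllib.parse import urljoin, urlparse   # CPython 3
except ImportError:
    from urlparse import urljoin, urlparse       # Jython / Python 2.7

REDIRECT_CODES = (301, 302, 303, 307, 308)

def location_of(headers):
    """Return the Location value from raw 'Name: value' header lines, or None."""
    for line in headers:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None

def follow_redirects(send, url, max_redirects=10):
    """send(url) -> (status, header_lines, body) is a hypothetical callable.
    In an extension it would issue one request via Burp, so upstream proxy
    and authentication settings apply to every hop.
    Returns (final_url, status, body, chain)."""
    chain = []
    for _ in range(max_redirects + 1):
        status, headers, body = send(url)
        chain.append((status, url))
        target = location_of(headers) if status in REDIRECT_CODES else None
        if target is None:
            return url, status, body, chain
        next_url = urljoin(url, target)          # Location may be relative
        if urlparse(next_url).scheme not in ("http", "https"):
            raise ValueError("refusing non-HTTP redirect: %s" % next_url)
        url = next_url
    # Redirect loop or an overly long chain: stop instead of recursing forever
    raise ValueError("more than %d redirects" % max_redirects)

# Constructed responses standing in for a live target (not real traffic).
SAMPLE = {
    "http://example.com/": (301, ["HTTP/1.1 301 Moved Permanently",
                                  "Location: https://example.com/"], ""),
    "https://example.com/": (302, ["HTTP/1.1 302 Found", "location: /home"], ""),
    "https://example.com/home": (200, ["HTTP/1.1 200 OK"], "<h1>home</h1>"),
    "https://example.com/loop": (302, ["HTTP/1.1 302 Found", "Location: /loop"], ""),
}

def sample_send(url):
    """Stub transport: looks the URL up in the constructed SAMPLE table."""
    return SAMPLE[url]
```

The returned `chain` records every intermediate status and URL, so an extension can still report the 301 as well as the final 200.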
