Burp Suite User Forum


Looking for the extension that adds the full URL in the request line

Martin | Last updated: Feb 13, 2023 06:39PM UTC

Hello, I noticed that during a scan, one of the loaded extensions is putting the full URL in the request line.

For example, the original request has this request line: "GET /robots.txt HTTP/2" in a request to https://www.orf.com. But in the "Flow" list of all requests, I noticed many requests from an extension in this form: "GET http://www.orf.com//robots.txt HTTP/1.1". Note the change in protocols, the change of the HTTP version, and the added forward slash.

Which extension could be doing that? I just used the default "Audit coverage - maximum" scan configuration, and the extensions are all set to their respective default settings.

Here's the list of the loaded extensions (I know it's a lot, that's why I'm asking for help):

Reflector, Flow, Retire.js, Reflected File Download Checker, NGINX Alias Traversal, Additional CSRF Checks, Reflected Parameters, Java Deserialization Scanner, Request Randomizer, Log4Shell Scanner, Software Vulnerability Scanner, J2EEScan, Web Cache Deception Scanner, AWS Security Checks, Error Message Checks, AES Payloads, SSL Scanner, Additional Scanner Checks, CSRF Scanner, JSON Web Token Attacker, JS Miner, Software Version Reporter, WordPress Scanner, SAML Raider, Same Origin Method Execution, Active Scan++, Param Miner, HTTP Request Smuggler, Backslash Powered Scanner, 403 Bypasser, JS Link Finder, Bypass WAF, Collaborator Everywhere, GraphQL Raider, Freddy, Deserialization Bug Finder, CMS Scanner, NoSQLi Scanner, CORS*, Additional CORS Checks, WAFDetect, Command Injection Attacker, OAUTH Scan, PHP Object Injection Check, Headers Analyzer, HTML5 Auditor, Cookie Decrypter, CSP Auditor, Attack Surface Detector, Asset Discovery, IIS Tilde Enumeration Scanner, Anonymous Cloud, Configuration and Subdomain Takeover Scanner, CSP-Bypass, Detect Dynamic JS, Broken Link Hijacking, Cypher Injection Scanner, HTTPoxy Scanner, Sensitive Discoverer, Cloud Storage Tester, Session Auth, SRI Check, PDF Metadata, GWT Insertion Points, Image Location and Privacy Scanner, Burp-hash, Image Size Issues, Distribute Damage, iRule Detector, ParrotNG, Session Tracking Checks, Identity Crisis, Cryptojacking Mine Sweeper, RouteVulScan, Quoted-Printable Parser
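
The three changes described in the post above (absolute-form target with a different scheme, a different HTTP version, a doubled slash) can be checked mechanically on request lines copied out of a logging view. This is an added example, not part of the original thread; the function names are hypothetical, and the first and third sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

def parse_request_line(line):
    """Split an HTTP request line into method, target form, path and version."""
    method, target, version = line.strip().split(" ", 2)
    if "://" in target.split("?", 1)[0]:
        # absolute-form: the target carries its own scheme and authority
        url = urlsplit(target)
        return {"method": method, "form": "absolute", "scheme": url.scheme,
                "host": url.netloc, "path": url.path, "version": version}
    # origin-form: scheme and host come from the connection, not the request line
    return {"method": method, "form": "origin", "scheme": None, "host": None,
            "path": target.split("?", 1)[0], "version": version}

def diff_request(base_url, original_line, observed_line):
    """List what changed between the original request and an observed one."""
    base = urlsplit(base_url)
    orig = parse_request_line(original_line)
    seen = parse_request_line(observed_line)
    changes = []
    if seen["form"] != orig["form"]:
        changes.append("form")
    if seen["scheme"] is not None and seen["scheme"] != base.scheme:
        changes.append("scheme")
    if seen["host"] is not None and seen["host"].lower() != base.netloc.lower():
        changes.append("host")
    if seen["version"] != orig["version"]:
        changes.append("version")
    if seen["path"] != orig["path"]:
        # a path that matches once repeated slashes are collapsed is the "added slash" case
        collapsed = re.sub(r"/{2,}", "/", seen["path"])
        changes.append("extra-slash" if collapsed == orig["path"] else "path")
    return changes

BASE_URL = "https://www.orf.com"            # from the post
ORIGINAL = "GET /robots.txt HTTP/2"         # from the post
OBSERVED = [
    "GET /robots.txt HTTP/2",                        # constructed: unmodified request
    "GET http://www.orf.com//robots.txt HTTP/1.1",   # from the post
    "GET http://www.orf.com/robots.txt HTTP/1.1",    # constructed: no added slash
]

def report():
    """Map each observed request line to the list of detected changes."""
    return {line: diff_request(BASE_URL, ORIGINAL, line) for line in OBSERVED}

if __name__ == "__main__":
    for line, changes in report().items():
        print(f"{line!r}: {', '.join(changes) or 'unchanged'}")
```
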

Martin | Last updated: Feb 13, 2023 06:41PM UTC

Update: the added forward slash only existed in a few requests; that's probably an issue with some payload list.

Hannah, PortSwigger Agent | Last updated: Feb 14, 2023 10:47AM UTC

Hi,

It's likely an extension that's providing a scan check that is making these additional requests. Are you sure that this is not an intended request by the extension to test for something specific?

In the "Details" tab of your loaded extension, there will be a list of the handlers that are registered. You could try enabling just the extensions that register "Scanner checks" and see if you still observe these requests. That should help narrow down the extension that is making these requests.

Martin | Last updated: Feb 14, 2023 02:50PM UTC

Hello, thanks for your reply. I noticed that this doesn't happen when I scan individual requests. But when I select two requests from the proxy history and send them to the scanner, this happens. Could this have to do with the Burp Scan configuration?

Martin | Last updated: Feb 14, 2023 02:53PM UTC

> Are you sure that this is not an intended request by the extension to test for something specific?

And I'm pretty certain it's not intended, because all requests have that issue, and due to it none of them gets through the Squid proxy and none of them reach the actual web application I'm testing. This happens when I send two different requests from the proxy history to the scanner. The issue starts immediately. When I scan the same two requests individually with the same settings at the same time, this does not happen.

Hannah, PortSwigger Agent | Last updated: Feb 17, 2023 10:11AM UTC

Hi Martin,

Did you try disabling all extensions that don't register a scanner check, to try and narrow down the extension that is making these requests? To quickly bulk unload extensions, you can select multiple, right-click and select either "Unload" or "Remove".

Martin | Last updated: Feb 18, 2023 06:20PM UTC

Yeah Hannah, I was writing support in the hopes I don't have to go through all 74 extensions. Do you have another suggestion, please?

Hannah, PortSwigger Agent | Last updated: Feb 20, 2023 04:16PM UTC

Hi Martin,

Unless an extension has modified the traffic in a recognizable/distinctive way, then there is no way to identify which extension has generated the traffic other than trial and error.

You can save your user options before unloading extensions so that you can quickly revert to your previous settings. You can do this by going to "Burp > User settings > Save user settings". You can then load these back in at any point using the "Load user settings" in the same place.

Using the bulk unload, you can quickly unload half your extensions, see if any of the requests are coming from the remaining extensions, and continue narrowing down which extension may be triggering these requests. You can also bulk load extensions, which should make this process faster than it was previously.

I'm sorry we're not able to be of more assistance with this.

Martin | Last updated: Mar 08, 2023 01:21AM UTC

Thanks for the tip, I appreciate it.
