Burp community forum

Scheme-relative URLs are treated as root-relative ones

Nicolas | Last updated: Sep 15, 2015 11:54AM UTC

Tested on v1.6.26 / Linux / Oracle 1.8.0_45-b14. In Repeater (at least), a header like "Location: //nicob.net" is treated as a redirection to "//nicob.net" on the same host. However, browsers will redirect to http(s)://nicob.net/, depending on the scheme used by the redirecting page (cf. http://tools.ietf.org/html/rfc3986#section-4.2). This can lead to Open Redirect false negatives when "Follow redirections" is set to something other than "Never".
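To make the difference concrete, here is an added Python example (not code from the thread, from Burp or from PortSwigger) that resolves a Location header the way a browser does under RFC 3986 section 4.2, side by side with the naive "anything starting with a slash is root-relative" reading the post describes. The redirecting host example.com, the allowed-host list and the function names are assumptions for illustration. It goes one step beyond the post: browsers following the WHATWG URL standard also treat a backslash as a slash for http(s) URLs, so "/\nicob.net" is handled as a network-path reference too; the example normalises that before resolving.

```python
"""Resolve HTTP Location headers like a browser (RFC 3986 section 4.2) and
show the false negative produced by treating '//host' as root-relative.

Added example; the request URL, hostnames and allowed-host list below are
constructed for illustration and are not from the original thread."""
from urllib.parse import urljoin, urlsplit


def resolve_location_naive(request_url: str, location: str) -> str:
    """Mimic the incorrect behaviour reported in the post: any Location value
    that starts with '/' is glued onto the scheme and host of the request, so
    '//nicob.net' becomes 'https://example.com//nicob.net'."""
    base = urlsplit(request_url)
    if location.startswith("/"):
        return f"{base.scheme}://{base.netloc}{location}"
    return urljoin(request_url, location)


def resolve_location(request_url: str, location: str) -> str:
    """RFC 3986 reference resolution. A reference starting with '//' is a
    network-path reference: it inherits only the scheme of the base URL, so
    '//nicob.net' seen on an https page resolves to 'https://nicob.net'.

    Assumption going beyond the post: browsers (WHATWG URL standard) treat
    '\\' as '/' for http(s) URLs, so '/\\nicob.net' is normalised first."""
    location = location.replace("\\", "/")
    return urljoin(request_url, location)


def redirect_host(request_url: str, location: str, naive: bool = False) -> str:
    """Hostname the client will actually contact after following the redirect."""
    resolver = resolve_location_naive if naive else resolve_location
    return urlsplit(resolver(request_url, location)).hostname or ""


def is_external_redirect(request_url: str, location: str,
                         allowed_hosts: set[str], naive: bool = False) -> bool:
    """Open-redirect check: True when the resolved target leaves allowed_hosts."""
    return redirect_host(request_url, location, naive) not in allowed_hosts


def compare_cases(request_url: str, locations: list[str]) -> list[tuple[str, str, str]]:
    """Return (location, browser_host, naive_host) for each constructed case,
    making the root-relative misreading visible next to the browser result."""
    return [(loc,
             redirect_host(request_url, loc),
             redirect_host(request_url, loc, naive=True))
            for loc in locations]


if __name__ == "__main__":
    # Constructed sample: an https page on example.com echoing a 'next' parameter.
    req = "https://example.com/login?next=//nicob.net"
    for loc, browser, naive in compare_cases(req, ["/account", "//nicob.net",
                                                   "/\\nicob.net", "https://nicob.net/x"]):
        print(f"{loc:22} browser-> {browser:12} naive-> {naive}")
```

Run as a script to print the comparison table; the "//nicob.net" row is the case from the post: the browser lands on nicob.net while the naive reading stays on example.com, so a check built on the naive resolution reports no external redirect.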

PortSwigger Agent | Last updated: Sep 15, 2015 12:37PM UTC

Thanks for this. We'll look into fixing the behavior of Repeater etc. to correctly identify the redirection target in cases like this. I don't believe this problem will lead to false negatives in Burp Scanner's open redirection check, as that uses different logic. It might affect some scan checks that attempt to follow redirections, if an application returns redirections to scheme-relative URLs of its own doing (not based on user input).

Burp User | Last updated: Sep 15, 2015 12:50PM UTC

Agreed. Rephrasing myself: false negatives may occur during manual testing using Repeater with a non-default option for "Follow redirects".
