
302 Redirect Not Picking Up Cookies

An& Sep 26, 2019 05:18PM UTC

Hello, I am using Burp v1.7.31. This is about the 302 redirection response code in Burp. I am not getting the "Follow Redirection" option in Burp Repeater while testing a particular application. The Repeater options are set to "Never" for redirection and the 'process cookies' option is also set. I have checked another web application and it does show "Follow Redirection". I have diffed the hex bytes of both server responses and I see the below.

Hex bytes of the server response where I am not getting "Follow Redirection":
48 54 54 50 2f 31 2e 31 20 33 30 32 20 46 6f 75
6e 64 0a 44

Hex bytes of the server response where I am getting "Follow Redirection":
48 54 54 50 2f 31 2e 31 20 33 30 32 20 46 6f 75
6e 64 0d 0a 44

As one can see, the LF CR bytes are probably making the difference here. The first response only has 0A, whereas the response from the second application server has both 0D and 0A.

Probably this issue is causing me to process cookies in the 302 response (but this is a whole other story). Let me know if my understanding is wrong here.

I did a workaround by using fiddler as upstream proxy. Fiddler adds both characters 0D and 0A while offloading SSL traffic and adds those characters. It works after workaround.
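The bare-LF versus CRLF difference shown in the hex dumps above, as an added Python example (not from the thread, and not Burp's or Fiddler's code): a strict CRLF-only header parser next to a lenient one that accepts either line ending. The sample responses are constructed; only the status line and the line-ending style follow the two dumps, the header names and values are made up.

```python
import re

# Constructed sample responses: the status line and line endings mirror the
# two hex dumps in the post, the headers themselves are invented for the demo.
RESP_BARE_LF = (
    b"HTTP/1.1 302 Found\n"
    b"Date: Thu, 26 Sep 2019 17:18:00 GMT\n"
    b"Location: /home\n"
    b"Set-Cookie: session=constructed-value; Path=/; HttpOnly\n"
    b"Content-Length: 0\n"
    b"\n"
)
RESP_CRLF = RESP_BARE_LF.replace(b"\n", b"\r\n")


def _build(lines):
    """Turn a list of header lines (status line first) into a status string and header map."""
    status = lines[0].decode("latin-1")
    headers = {}
    for ln in lines[1:]:
        if not ln:
            continue
        name, _, value = ln.partition(b":")
        key = name.strip().lower().decode("latin-1")
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return {"status": status, "headers": headers}


def parse_head_strict(raw: bytes) -> dict:
    """Strict parsing: lines end in CRLF, head ends at CRLF CRLF (RFC 7230 section 3)."""
    head, terminator, _body = raw.partition(b"\r\n\r\n")
    parsed = _build(head.split(b"\r\n"))  # a bare-LF head becomes one giant "status line"
    parsed["terminated"] = bool(terminator)
    return parsed


def parse_head_lenient(raw: bytes) -> dict:
    """Lenient parsing: split on LF and strip an optional CR (RFC 7230 section 3.5 allows this)."""
    m = re.search(rb"\r?\n\r?\n", raw)
    head = raw[: m.start()] if m else raw
    parsed = _build([ln.rstrip(b"\r") for ln in head.split(b"\n")])
    parsed["terminated"] = m is not None
    return parsed


def redirect_target(parsed: dict):
    """Mimic a 'follow redirection' decision: 3xx status plus exactly one Location header."""
    parts = parsed["status"].split(" ")
    if len(parts) < 2 or not parts[1].startswith("3"):
        return None
    loc = parsed["headers"].get("location")
    return loc[0] if loc and len(loc) == 1 else None
```

With the strict parser the bare-LF response yields no `Location` (and no `Set-Cookie`) header at all, which matches a tool offering no redirect to follow; the lenient parser reads both responses identically.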

Mike Eaton Sep 30, 2019 02:36PM UTC Support Center agent

Hi, have you tried reproducing this issue in the latest version of Burp Suite? (2.1.04)

An& Oct 01, 2019 03:45PM UTC

Hello Mike, yes, I just reproduced it on v2.1.04 and the issue remains the same.

Liam Tai-Hogan Oct 03, 2019 09:29AM UTC Support Center agent

Could we ask which browser you are using? Does the browser follow the redirect?

Could you provide us with the full responses?

Is the application public facing?

Liam Tai-Hogan Oct 08, 2019 11:04AM UTC Support Center agent

We’ve added a ticket to our development backlog to “Make header utils support non-strict line endings”. Unfortunately, we can’t provide an ETA.
