Burp Suite User Forum

Bug in IRequestInfo.getUrl()

Nadeem | Last updated: May 14, 2015 01:36AM UTC

Hello, there is a bug in IRequestInfo.getUrl() that is related to how the hostname is retrieved. Currently getUrl() uses the hostname specified in the target options instead of the Host header in the HTTP request. However, what if the user specified a different hostname with the same target? Plugins would not be able to correctly report the affected URL using the IRequestInfo.getUrl() method if there was a discrepancy between the Host header and the target options. This could lead to confusion. Instead, this interface should return the URL containing the hostname that's specified in the Host header.

PortSwigger Agent | Last updated: May 14, 2015 07:49AM UTC

We disagree. The request gets sent to the target host that was specified by the user, and that is the most appropriate host to use in a URL representation of the request. If the user has created a mismatch between the target host and the request Host header, then Burp will continue to reflect the host to which the request was actually sent. There are various attacks based on Host header manipulation, and you can sometimes use attack payloads in this location. It would be very confusing if those payloads appeared in the host portion of the URL returned from getUrl(). It's a rare situation when the user decides to do this. If extensions want to handle this particular edge case one way or another then they can choose to use the host value from the URL or from the Host header, as they require.

Burp User | Last updated: May 16, 2015 09:41PM UTC

I see your point. However, maybe we can add an extra method to the IRequestInfo interface like getUrlFromHostHeader() that does what I'm asking? I've written a few private plugins where I find myself adjusting the URL. It would be nice if this were provided by the framework.

PortSwigger Agent | Last updated: May 18, 2015 07:58AM UTC

Fair enough. It should be fairly easy for an extension to do this itself via the existing helper methods - you can get Burp to parse out all the headers from the request, and find the Host header, and build a new URL using that.
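The approach described in the reply above, as an added example that is not code from this thread or from PortSwigger: a helper that rebuilds the URL from the Host header and falls back to the target URL when the header is missing or is not a plain host[:port]. The name getUrlFromHostHeader is hypothetical (borrowed from the suggestion above), the sample values in main() are constructed, and in an extension the two arguments are assumed to come from IRequestInfo.getHeaders() and IRequestInfo.getUrl().

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.Arrays;
import java.util.List;

public class HostHeaderUrl {

    // Hypothetical helper, not part of the Burp API. In an extension, pass
    // requestInfo.getHeaders() and requestInfo.getUrl().
    static URL getUrlFromHostHeader(List<String> headers, URL targetUrl) {
        for (String line : headers) {
            // Case-insensitive match; this also skips the request line,
            // which getHeaders() returns as the first element.
            if (!line.regionMatches(true, 0, "Host:", 0, 5)) {
                continue;
            }
            String value = line.substring(5).trim();
            try {
                // The Host header is request-controlled and may hold a test
                // payload, so accept it only if it parses as host[:port].
                URI u = new URI(targetUrl.getProtocol() + "://" + value);
                boolean hostOnly = u.getHost() != null && u.getUserInfo() == null
                        && u.getRawPath().isEmpty() && u.getRawQuery() == null
                        && u.getRawFragment() == null;
                if (hostOnly) {
                    // Port -1 (none given) means the scheme's default port.
                    return new URL(targetUrl.getProtocol(), u.getHost(),
                            u.getPort(), targetUrl.getFile());
                }
            } catch (URISyntaxException | MalformedURLException e) {
                // Not a usable host value; fall back below.
            }
            break; // only the first Host header is considered
        }
        return targetUrl; // the host the request was actually sent to
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: target host differs from the Host header.
        URL target = new URL("https://203.0.113.10:8443/login?next=%2Fhome");
        List<String> vhost = Arrays.asList("GET /login?next=%2Fhome HTTP/1.1", "host: app.example.test");
        List<String> payload = Arrays.asList("GET /login?next=%2Fhome HTTP/1.1", "Host: not a host");
        System.out.println(getUrlFromHostHeader(vhost, target));   // Host header used
        System.out.println(getUrlFromHostHeader(payload, target)); // target URL kept
    }
}
```

Reporting both values side by side (the target URL from getUrl() and the Host-derived URL) keeps it clear which host actually received the request.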