Burp Suite User Forum

How do I avoid referer header

Takeshi | Last updated: Nov 25, 2015 02:34AM UTC

I am using Burp to check the security level of our web application. But my application usually checks the Referer header. If this header is changed, the session will time out. So, how do I test my web application without touching the Referer header? I have already tried removing some checkboxes, e.g. "HTTP header" from Attack Insertion Points and "Header manipulation" from Active Scanning Areas. I appreciate your cooperation.

PortSwigger Agent | Last updated: Nov 25, 2015 09:27AM UTC

Please can you provide an example of a request where Burp Scanner modifies the value of the Referer header even though you have disabled header insertion points and header manipulation attacks? Thanks.

Burp User | Last updated: Nov 27, 2015 01:55AM UTC

Thank you for your reply. I checked my scan log. I am sorry, my setting was correct for avoiding the Referer header; there was another cause. Just FYI, if you remove the "HTTP header" checkbox from Attack Insertion Points but leave the "Header manipulation" checkbox enabled in Active Scanning Areas, the scanner will send a request with the Referer header removed.

PortSwigger Agent | Last updated: Nov 27, 2015 08:44AM UTC

Thanks. Yes, what you've described is intended behavior. Placing an insertion point into HTTP headers means that input-based payloads (e.g. for XSS and SQLi) will be placed into that insertion point. The check for Referer-dependent response is not insertion point-based, and involves removing the Referer header regardless of any configured insertion points.
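An added example (not code from the thread or from PortSwigger) of the comparison the agent describes: a constructed WSGI application that enforces a same-origin Referer on protected paths, and a check that sends each request once with the browser's Referer and once with the header removed entirely, flagging the path if the responses differ. The names `app`, `call` and `referer_dependent`, the origin `https://app.example` and the `/account` prefix are assumptions.

```python
"""Model of the Referer-dependent response check discussed in the thread."""

# Constructed stand-in for an application that, like the one in the
# thread, rejects requests whose Referer is not from its own origin.
SITE_ORIGIN = "https://app.example"    # assumption: the app's own origin
PROTECTED_PREFIX = "/account"          # assumption: paths that enforce Referer


def app(environ, start_response):
    """Minimal WSGI app: protected paths require a same-origin Referer."""
    path = environ.get("PATH_INFO", "/")
    referer = environ.get("HTTP_REFERER")
    if path.startswith(PROTECTED_PREFIX) and not (
        referer and referer.startswith(SITE_ORIGIN + "/")
    ):
        # The real app times the session out; this mimics it with a distinct
        # status and body so that the dependence is observable.
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"session expired"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def call(wsgi_app, path, headers=None):
    """Invoke a WSGI app in-process (no sockets) and return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    body = b"".join(wsgi_app(environ, start_response))
    return captured["status"], body


def referer_dependent(wsgi_app, path, referer):
    """The comparison behind the check: send the request with the browser's
    Referer, send it again with the header removed (not merely altered),
    and report whether the application answered differently."""
    with_ref = call(wsgi_app, path, {"Referer": referer})
    without_ref = call(wsgi_app, path, {})
    return with_ref != without_ref
```

Pointing `referer_dependent` at a real transport instead of the in-process `call` gives the same with/without comparison against a live server.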