Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Requests made with python 3 requests missing body

Nathan | Last updated: Oct 09, 2018 05:31PM UTC

Refer to issue https://github.com/requests/requests/issues/4817

PortSwigger Agent | Last updated: Oct 10, 2018 07:13AM UTC

Thanks for letting us know about this. I just tried the same and Burp correctly showed the request body. "Screenshot":https://imgur.com/a/aK7v5XN This is Python 3.6.6 with Requests 2.19.1 on Windows 10. If you could explain a bit more about what you've done and you Python, OS and Requests version, that would help us reproduce this.

Burp User | Last updated: Oct 15, 2018 05:36PM UTC

I am on burp v1.7.36 build 56 but I have tried multiple versions. I am running ubuntu 18.04, python 3.6.6, requests 2.19.1. I have tried openjdk8/10, oracle jdk8 for running burp all showed the same error. I am setting the proxy using export https_proxy=http://127.0.0.1:8080 I am only seeing this on http requests that, and put and post work fine. everything else does not send the body. libssl-dev is already the newest version (1.1.0g-2ubuntu4.1). I don't see the issue in python2.7 but in 2.7 python seems to make only one connection and send the entire stream and in python 3.6.6 it is sending the body separately. The request works as expected on zap and postman. Screenshot of the issue. https://imgur.com/a/mGVYoBL After a log hang I get a ConnectionResetError: [Errno 104] Connection reset by peer During handling of the above exception, another exception occurred: ProtocolError: ("Connection broken: ConnectionResetError(104, 'Connection reset by peer')", ConnectionResetError(104, 'Connection reset by peer')) During handling of the above exception, another exception occurred: ChunkedEncodingError: ("Connection broken: ConnectionResetError(104, 'Connection reset by peer')", ConnectionResetError(104, 'Connection reset by peer'))

PortSwigger Agent | Last updated: Oct 16, 2018 08:09AM UTC

Hi Nathan, Thanks for providing the more detailed debug information. I have now been able to reproduce the issue and identify the problem. You are absolutely right, it's related to requests in Python 3 sending the headers and body separately. The Burp HTTP stack is quite old and contains a number of workarounds for buggy HTTP implementations that are now rare. One of these workarounds was interfering negatively with that particular PATCH request. Now we are aware of this we should be able to code a fix relatively easily and this will be in a future Burp 2 beta. It's unlikely we'll backport the fix to Burp 1. We'll let you know when we make progress. Please let us know if you need any further assistance.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.