Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Removing headers: unclear documentation and feature not working #89

Closed
Pyvonix opened this issue Aug 23, 2023 · 6 comments
Closed

Removing headers: unclear documentation and feature not working #89

Pyvonix opened this issue Aug 23, 2023 · 6 comments
Labels
bug Something isn't working documentation Improvements or additions to documentation

Comments

@Pyvonix
Copy link

Pyvonix commented Aug 23, 2023
edited
Loading

Hi team,

First of all, thanks for the great work on BCheck! It's an excellent feature.
I really appreciate it, that the reason why I want to contribute by reporting some issues.

Use case: create a BCheck rule that will request admin endpoints without authentication information (headers: cookie & authorization)

I went to the documentation sub-section of send request.

send request [called request_name]:
  [..]
  removing headers:
    "name_of_header1":,
    "name_of_header2":"

So at this point, I didn't understand why I had to specify the value of the headers I want deleted. But when I validated my rule it gave me an error on the position of the character :

Then, I looked at the description column in front of the row removing headers: in the table above:

Removes the specified header(s) from the request. You can list multiple header names

So, this explains why I got a validation error of the rule: compared to the documentation's example (showed above). I had to give a list of headers, not a dictionary.

Improve/fix the documentation with:

send request [called request_name]:
  [..]
  removing headers:
    "name_of_header1",
    "name_of_header2"
  • Removing specific headers behavior doesn't seem to work:

Now my rule is valid, let's move on the implementation, here is the minimal reproducible example (MRE):

metadata:
    language: v1-beta
    name: "Remove AuthZ headers"
    description: "Remove Cookie and Authorization headers"
    author: "someone"
    tags: "active", "unauthenticated"

run for each:
    potential_path =
        "/admin",
        "/admin-panel"

given host then
    send request called check:
        method: "GET"
        path: {potential_path}
        removing headers:
            "Cookie",
            "Authorization"

    if {check.response.status_code} is "200" then
        report issue:
            severity: medium
            confidence: firm
            detail: "rule detail"
            remediation: "rule remediation"
    end if

While launching the scan, the requests always contain headers that are supposed to be removed: Cookie or Authorization.
So, the rule therefore matches where it shouldn't.

It is a known issue that removing something with a rule (headers there) does not work?
@A-J-C
Copy link
Collaborator

A-J-C commented Aug 29, 2023

Hi @Pyvonix thanks for this, it is really useful. We'll get the documentation fixed ASAP and look into the header issue.

@A-J-C A-J-C added bug Something isn't working documentation Improvements or additions to documentation labels Aug 29, 2023
@Michelle-PortSwigger
Copy link
Contributor

Hi @Pyvonix

We've been looking into the Header issue and replicated the problem with the Cookie header but not the Authorization header.

The BCheck is removing the Cookie header, but it is then being added back in from Burp's cookie jar due to the Session handling rules (which are applied after the BCheck rules). When testing, if I disabled the default session handling rule, the Cookie header was correctly removed. I've raised this with the team so we can review the behavior.

In my tests, the Authorization header was being removed successfully. Do you have any other session handling rules activated or any other extensions installed that could cause a difference in our test environments?

@Pyvonix
Copy link
Author

Pyvonix commented Aug 31, 2023
edited
Loading

@Michelle-PortSwigger Yes, you totally right. I have an extension that automatically adds the Authorization header.

So, here is my question: After the BCheck generates the request, is it correct that extensions are applied there?

Could we imagine so kind of parameter (e.g. ignore_extensions) to bypass/skip active extensions to prevent any side effect on requests sent by BCheck?

ignore_extensions [true | false] (default: false)

@Michelle-PortSwigger
Copy link
Contributor

Changes made by both session handling rules and extensions will be applied after the BCheck.

This is an interesting use case so we'll chat through the options here. There are potential scenarios where some extensions may not be modifying the request itself, so you might not want to disable all of them.

@Pyvonix
Copy link
Author

Pyvonix commented Sep 2, 2023
edited
Loading

I'd be interested to know what you'd decide. It's look like quite challenging topic!

@A-J-C
Copy link
Collaborator

A-J-C commented Sep 4, 2023

@Pyvonix docs have been fixed, thank you for reporting.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working documentation Improvements or additions to documentation
Milestone
No milestone
Development

No branches or pull requests
3 participants
@A-J-C @Pyvonix @Michelle-PortSwigger