Content-Length header is always updated
tiyeuse opened this issue · 2 comments
I noticed the PwnFox extension always updates the `Content-Length` header in BurpSuite Pro v2020.9.2 (not tested on other versions).
Steps to reproduce:
- Install the last version of PwnFox extension in Burp (v1.0.2)
- Send any request in Burp repeater tab, change the method to POST, add arbitrary request body and set `Content-Length` header value to a high value, for example 9999999:

```
POST / HTTP/1.1
Host: www.google.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 9999999

12345
```

- Disable `Update Content-Length` option in the Repeater top menu.
- Send the request, in my case www.google.com replies with a `405 Method Not Allowed`
Expected result:
www.google.com should reply with `413 Request Entity Too Large` because the Content-Length value is too high (it should timeout for lower values). You can verify this behavior by enabling or disabling the PwnFox extension between requests.
Also you can see in the Logger++ extension that the `Content-Length` header value has been updated when the extension is enabled.
Is this "auto-update" feature intended / necessary? This also works out of repeater (like intruder for example). An automatic update could prevent exploitation of vulnerabilities such as request smuggling.
That's weird, because pwnfox burp only removes the pwnfox header and colorizes the request.
I need to check burp api, this is completely unintended
Any news regarding this issue?
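
An added illustration, not part of the original thread and not PwnFox or Burp code: a standalone Python model of how removing one header can rewrite `Content-Length` as a side effect when the message is re-serialized by a builder that recomputes the length, next to a splice that leaves it alone, with a regression check for either. The header name `X-Example-Tag` and all function names are hypothetical, and whether this is what happens inside PwnFox is an assumption the thread does not confirm.

```python
TAG = b"x-example-tag"  # hypothetical header that an extension strips before sending

# Constructed sample: the request from the report plus the hypothetical tag header.
SAMPLE = (b"POST / HTTP/1.1\r\n"
          b"Host: www.google.com\r\n"
          b"X-Example-Tag: blue\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Content-Length: 9999999\r\n"
          b"\r\n"
          b"12345")

def split_message(raw):
    """Split raw request bytes into (header lines, body) at the first blank line."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator")
    return head.split(b"\r\n"), body

def is_header(line, name):
    """True if the line is a header whose name matches (case-insensitive)."""
    return line.split(b":", 1)[0].strip().lower() == name

def strip_by_rebuild(raw):
    """Model of a message builder that recomputes Content-Length from the body."""
    lines, body = split_message(raw)
    kept = [l for l in lines
            if not is_header(l, TAG) and not is_header(l, b"content-length")]
    kept.append(b"Content-Length: " + str(len(body)).encode())
    return b"\r\n".join(kept) + b"\r\n\r\n" + body

def strip_by_splice(raw):
    """Drop only the tag header line; every other byte is passed through."""
    lines, body = split_message(raw)
    kept = [l for l in lines if not is_header(l, TAG)]
    return b"\r\n".join(kept) + b"\r\n\r\n" + body

def content_length(raw):
    """Return the Content-Length value as sent on the wire, or None if absent."""
    lines, _ = split_message(raw)
    for line in lines[1:]:
        if is_header(line, b"content-length"):
            return line.split(b":", 1)[1].strip()
    return None

def preserves_declared_length(transform, raw=SAMPLE):
    """Regression check: the transform must not alter Content-Length or the body."""
    out = transform(raw)
    return (content_length(out) == content_length(raw)
            and split_message(out)[1] == split_message(raw)[1])
```
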