AutoRepeater
Add Option to Follow Redirection
Pretty simple and straightforward feature request:
Add the ability to follow redirections within AutoRepeater. I'm thinking it would be useful to have a button similar to how Repeater has a button to follow redirections for individual requests/responses, and have a checkbox to automatically follow redirection in the options section.
Find below two crude mockups of what I mean in case it isn't quite clear.
Per Request:
Options:
Current workaround: just send your modified request(s) to Repeater and use the "Follow Redirection" button in Repeater.
Cheers!
Hey @tzuk-pl,
Thanks for the feature suggestion. If I were to add this as a feature I’d probably add it as a checkbox next to the activate AutoRepeater button and have AutoRepeater follow all redirections in the tab. Is there a particular testing case this feature would be useful for? Usually when AutoRepeater is receiving redirect responses it’s because the replacements are breaking some part of the request and the request is being redirected back to the login page or an error page.
Also, from your screenshot it looks like you’re using an old version of AutoRepeater. I highly suggest you check out the jar hosted in this repo as it has about a year of additional development and bug fixes.
Thanks, Justin
On May 29, 2019, at 7:40 AM, tzuk-pl [email protected] wrote:
Add the ability to follow redirections within AutoRepeater. [...]
Thanks for the response, Justin. Some of the applications I have tested use custom application gateways or custom behaviour that create a one-time use token and redirect to an endpoint on a different domain, but still part of the same application.
A simple example: A GET or POST request to http://applicationname/index is sent by the application which uses a cookie or a bearer token for authentication and a custom header like "X-CUSTOM-URI: /API/addmember" is sent in the request. The application responds with a redirection to a different domain such as http://apiname/api/addmember and provides some sort of one-time use or short-lived token to use in the request to the apiname site.
In this example, I would be browsing the application as a high privileged user and using AutoRepeater to repeat the requests to http://applicationname as a low privileged user who should not have the ability to add a new member. If the application provides a token and redirection to the API, and the add member request succeeds, it would indicate insecure permissions. The call to the API would have no portion to autorepeat, as the token and redirection were granted for the low privileged user by the http://applicationname site.
I installed AutoRepeater from the BApp Store a while back; I'll be sure to update, thanks for the recommendation.
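The check tzuk-pl describes, as an added example that is not part of this thread and not AutoRepeater's own code: an offline Python simulation of the gateway on http://applicationname and the API on http://apiname, plus the follow-redirect logic a tester would want when replaying the admin's request with a low-privilege session. The host names and the X-CUSTOM-URI header come from the post above; the session cookies, the token format, the `enforce_authz` switch and the in-scope host list are constructed for the example.

```python
"""Simulated redirect-then-API authorization check (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
import secrets
import urllib.parse

APP_HOST = "applicationname"   # host names from the thread
API_HOST = "apiname"
ALLOWED_HOSTS = {APP_HOST, API_HOST}   # assumption: only in-scope hosts are followed

# Constructed sample sessions: cookie value -> (user, is_admin)
SESSIONS = {"sess-admin": ("alice", True), "sess-user": ("bob", False)}

# One-time tokens minted by the gateway: token -> (user, API path it is valid for)
_issued_tokens: Dict[str, Tuple[str, str]] = {}


@dataclass
class Request:
    host: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    method: str = "POST"


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def gateway(req: Request, enforce_authz: bool) -> Response:
    """Simulated http://applicationname/index. Authenticates the cookie, mints a
    one-time token for the X-CUSTOM-URI target and redirects to the API host.
    enforce_authz=False models the bug: any logged-in user gets a token."""
    sess = req.headers.get("Cookie", "").removeprefix("session=")
    if sess not in SESSIONS:                     # unauthenticated -> bounce to login
        return Response(302, {"Location": f"http://{APP_HOST}/login"})
    user, is_admin = SESSIONS[sess]
    target = req.headers.get("X-CUSTOM-URI", "").lower()   # "/API/addmember" -> "/api/addmember"
    if enforce_authz and target == "/api/addmember" and not is_admin:
        return Response(403, body="forbidden")
    token = secrets.token_urlsafe(16)
    _issued_tokens[token] = (user, target)
    return Response(302, {"Location": f"http://{API_HOST}{target}?token={token}"})


def api(req: Request) -> Response:
    """Simulated http://apiname/api/addmember: accepts a token once, then burns it."""
    parsed = urllib.parse.urlparse(req.path)
    token = urllib.parse.parse_qs(parsed.query).get("token", [""])[0]
    entry = _issued_tokens.pop(token, None)      # one-time use: a replay gets None
    if entry is None or entry[1] != parsed.path:
        return Response(401, body="bad token")
    return Response(200, body=f"member added by {entry[0]}")


def send(req: Request, enforce_authz: bool) -> Response:
    """Route a request to the simulated host (stands in for the network)."""
    if req.host == APP_HOST:
        return gateway(req, enforce_authz)
    if req.host == API_HOST:
        return api(req)
    return Response(502, body="unknown host")


def follow_redirects(req: Request, enforce_authz: bool, max_hops: int = 5) -> Tuple[Response, List[int]]:
    """Re-send while the response is a 3xx with Location, capped at max_hops.
    Only in-scope hosts are followed, and the original headers (session cookie)
    are forwarded only when the hop stays on the same host."""
    resp = send(req, enforce_authz)
    chain = [resp.status]
    hops = 0
    while 300 <= resp.status < 400 and "Location" in resp.headers and hops < max_hops:
        url = urllib.parse.urlparse(resp.headers["Location"])
        if url.hostname not in ALLOWED_HOSTS:
            break
        fwd = dict(req.headers) if url.hostname == req.host else {}
        path = url.path + (f"?{url.query}" if url.query else "")
        req = Request(url.hostname, path, fwd, method="GET")
        resp = send(req, enforce_authz)
        chain.append(resp.status)
        hops += 1
    return resp, chain


def build(cookie: str) -> Request:
    """The admin's original request with a swapped-in session cookie."""
    return Request(APP_HOST, "/index",
                   {"Cookie": f"session={cookie}", "X-CUSTOM-URI": "/API/addmember"})


def authz_check(enforce_authz: bool) -> dict:
    """Replay the admin request as the low-priv user, with and without following
    redirects. A final 200 for the low-priv user means insecure permissions."""
    raw_user = send(build("sess-user"), enforce_authz).status
    admin_final, admin_chain = follow_redirects(build("sess-admin"), enforce_authz)
    user_final, user_chain = follow_redirects(build("sess-user"), enforce_authz)
    return {"raw_user_status": raw_user, "admin": admin_chain, "user": user_chain,
            "insecure": admin_final.status == 200 and user_final.status == 200}
```

With the bug present, the unfollowed replay returns 302 for both users, which is exactly the response AutoRepeater would show today and is indistinguishable from a harmless bounce; only after following the hop does the low-privilege chain end in 200 and get flagged. The hop cap and the in-scope host check are the two caveats a follow-redirect feature needs: the cap stops a broken replay from looping on the login page, and the host check keeps the tester's session cookie from being forwarded to a third-party host named in a Location header.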
Hi,
I agree with tzuk-pl. I'm using this great extension mostly for auto fuzzing and checking the response for specific answers. This option can help a lot because the redirects force me to do more manual steps to analyze the response. In some cases I have hundreds of redirect responses, so it becomes useless for those scenarios. I hope that you will consider adding this option; I'm sure that it will help a lot of researchers.
Thanks a lot.
Hey folks,
I’ll prioritize this request.
Thanks, Justin
On Aug 31, 2019, at 2:58 PM, lopa17685 [email protected] wrote:
I agree with tzuk-pl. [...]