Reporting an vulnerability

Marco Eberl's Avatar

Marco Eberl

08 May, 2015 01:25 PM

I have a suggestion for you:
When reporting a vulnerability, the HTTP method is missing in the HTTP request.

What i see is


What i'd like to see is

GET /index/start?id=1234&origin=abcd

That would make manual verifying and repeating the attack very simpler.

  1. Support Staff 1 Posted by Tasos Laskos on 08 May, 2015 01:39 PM

    Tasos Laskos's Avatar

    That's the way it usually works, in you're case you're performing a scan on an HTTPS website via a proxy right?

  2. 2 Posted by Marco Eberl on 08 May, 2015 01:40 PM

    Marco Eberl's Avatar

    Yes, you're right

  3. Support Staff 3 Posted by Tasos Laskos on 08 May, 2015 01:43 PM

    Tasos Laskos's Avatar

    That's interesting, I'm pulling debugging info from libcurl for the raw HTTP traffic.
    I'll look into this, see if I can pull the actual request instead of the CONNECT one under those circumstances.

    Thanks for the feedback man, I'll keep you posted.

  4. Support Staff 4 Posted by Tasos Laskos on 08 May, 2015 04:30 PM

    Tasos Laskos's Avatar

    Looks like it's possible to extract the right data and loads more -- there could be a cool plugin somewhere in there.

    Anyways, I thought it best to ignore the proxy related stuff so the CONNECT calls won't be included.

    Thanks for the feedback.

  5. Tasos Laskos closed this discussion on 08 May, 2015 04:30 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts


? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac