[Owasp-webscarab] webscarab removing Authorization header?

webscarab at moniker.net webscarab at moniker.net
Mon Mar 24 19:02:34 EDT 2008


Rogan Dawes wrote:
> Can you please try (re-)moving your ~/WebScarab.properties file, and
> seeing if that makes any difference?

Thanks for the suggestion - no change.

Also reproduced it with a web server on the local LAN, obviating the need 
for the upstream proxy.

If I change the header from "Authorization" to "TestAuthorization" then 
webscarab forwards the "TestAuthorization" along.  So the behaviour 
seems to relate specifically to a header named "Authorization".

Here is the simplest test case that reproduces the behaviour - edit 
request.txt to contain these two lines followed by a blank line:
GET http://www.example.com HTTP/1.0
Authorization: blah

Then pump request.txt into webscarab:
telnet 192.168.6.7 3128 < request.txt

Request going into webscarab contains "Authorization" but not the 
request leaving.  Weird!

Any other suggestions welcome.

Thanks -

Leni.

Rogan Dawes wrote:
> webscarab at moniker.net wrote:
>> Hi -
>>
>> I'm trying to connect via webscarab to a web server that requires 
>> Authorization.
>>
>> Here is what Ethereal is telling me is going into and out of webscarab.
>>
>> Going into webscarab:
>>    GET http://www.example.com HTTP/1.1
>>    Authorization: blah
>>    User-Agent: lwp-request/2.07
>>
>> This is right - the request was generated using perl's lwp:
>>    GET -H "Authorization: blah" http://www.example.com
>>
>> Coming out of webscarab (going via the upstream squid proxy):
>>    GET http://www.example.com HTTP/1.1
>>    User-Agent: lwp-request/2.07
>>
>> This is my problem - webscarab has removed the "Authorization" header. 
>> This is confirmed when I look at the request coming into squid - it 
>> doesn't have the necessary "Authorization" header.  Which explains why 
>> the webserver responds with a 401 "Client-Warning: Missing 
>> Authenticate header".
>>
>> So my questions: (a) why is webscarab stripping out the 
>> "Authorization" header and (b) can I stop it from doing that?
>>
>> I'm using webscarab version 20070504.
>>
>> Thanks -
>>
>> Leni.
> 
> Hmph!
> 
> I'm not sure why this is happening. I know that this works with IE/FF, 
> because I do a lot of testing against WebGoat which requires Basic auth. 
> Depending on circumstances, sometimes I let WebScarab handle the auth, 
> and other times I let IE/FF handle the auth. So this feature definitely 
> works in some (common) cases.
> 
> Can you please try (re-)moving your ~/WebScarab.properties file, and 
> seeing if that makes any difference?
> 
> Thanks
> 
> Rogan
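A repeatable version of the "telnet request.txt into the proxy and compare what comes out" test described in this thread, added here as an example and not code from the thread or from the WebScarab project: it stands up a local capture server to play the origin, sends a raw HTTP/1.0 request (absolute URI, as a proxy expects) to whatever address you name as the proxy, and reports whether the named header reached the origin. The function names, the loopback/ephemeral-port setup and the header value "blah" are the example's own assumptions; the stand-alone demo points the "proxy" at the capture server itself, so the header must survive, and the same call against a real proxy listener (192.168.6.7 3128 in the thread) shows whether that proxy drops it.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class HeaderCaptureHandler(BaseHTTPRequestHandler):
    """Origin-server stand-in: records the headers of every request it receives."""
    captured = []  # one dict (lower-cased header name -> value) per request seen

    def do_GET(self):
        type(self).captured.append({k.lower(): v for k, v in self.headers.items()})
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the capture server quiet
        pass


def start_capture_server():
    """Start the capture server on an ephemeral loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), HeaderCaptureHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def send_raw_request(host, port, raw):
    """Send raw request bytes (the 'telnet host port < request.txt' step) and return the reply."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(raw)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:  # HTTP/1.0: server closes after the response
                break
            chunks.append(data)
    return b"".join(chunks)


def check_header_passthrough(proxy_host, proxy_port, origin_port, header_name, header_value):
    """Send one request carrying header_name via the proxy; True if the origin saw that header."""
    before = len(HeaderCaptureHandler.captured)
    raw = (f"GET http://127.0.0.1:{origin_port}/ HTTP/1.0\r\n"
           f"Host: 127.0.0.1:{origin_port}\r\n"
           f"{header_name}: {header_value}\r\n\r\n").encode()
    send_raw_request(proxy_host, proxy_port, raw)
    seen = HeaderCaptureHandler.captured[before:]
    return bool(seen) and header_name.lower() in seen[0]


if __name__ == "__main__":
    srv, port = start_capture_server()  # no proxy in the path: header must be forwarded
    print("Authorization forwarded:", check_header_passthrough("127.0.0.1", port, port, "Authorization", "blah"))
    srv.shutdown()
```

Running the check twice, once with "Authorization" and once with a renamed header such as "TestAuthorization", reproduces the comparison Leni made and isolates whether the proxy treats the credential header specially.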
