
Multiple values in HTTP Authorization headers are not recognized #2

Open
VitaliDzemidovich opened this issue Dec 13, 2017 · 5 comments

Comments

@VitaliDzemidovich

Please note that this plugin truncates all additional values of Authorization headers except the first one.

Example:

-----Request Before Plugin Update-------
GET /some/path HTTP/1.1
...
Authorization: Bearer aaaaa.bbbbbb.cccccc, something parameter=value
...

-----Request After Plugin Update-------
GET /some/path HTTP/1.1
...
Authorization: Bearer aaaaa.bbbbbb.cccccc
...

As a result "something parameter=value" will be deleted from the resulting request.

Please refer to the corresponding RFC: https://tools.ietf.org/html/rfc7230#section-3.2.2

@alexlauerman
Owner

To fix this, I think you can change https://github.com/alexlauerman/UpdateToken/blob/master/src/burp/BurpExtender.java#L89

to use split(" ", 1)

Feel free to submit a PR if you are able to verify this works.
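What the split suggestion above turns on, shown as an added example (editor's code, not the UpdateToken extension's source; the two rewrite functions are constructed for illustration, and the truncating one only assumes the behaviour the issue reports, since the extension's actual line is not quoted here): Java's String.split(regex, limit) returns the whole value as a single element when the limit is 1, and scheme plus remainder when the limit is 2, and it is the two-element form that keeps the trailing comma-separated value of the header in place.

```java
import java.util.Arrays;

// Added example (editor's code, not the UpdateToken extension's own source):
// why splitting an Authorization header value on every space drops everything
// after the first credential, and how a two-element split keeps it.
public class AuthorizationHeaderRewrite {

    static final String PREFIX = "Authorization: ";

    // Constructed sample taken from the issue text: a Bearer credential followed
    // by a second comma-separated value (RFC 7230 section 3.2.2 list syntax).
    static final String ORIGINAL =
        PREFIX + "Bearer aaaaa.bbbbbb.cccccc, something parameter=value";

    // Truncating rewrite. Assumed to mirror the reported behaviour: split the
    // value on every space and rebuild from scheme + new token only.
    static String rewriteTruncating(String headerLine, String newToken) {
        String value = headerLine.substring(PREFIX.length());
        // ["Bearer", "aaaaa.bbbbbb.cccccc,", "something", "parameter=value"]
        String[] parts = value.split(" ");
        return PREFIX + parts[0] + " " + newToken; // parts[2..] silently lost
    }

    // Preserving rewrite. split(" ", 2) returns at most two elements: the scheme
    // and everything after the first space, so trailing list members survive.
    // Only the first credential (up to the first comma) is replaced.
    static String rewritePreserving(String headerLine, String newToken) {
        String value = headerLine.substring(PREFIX.length());
        String[] schemeAndRest = value.split(" ", 2);
        if (schemeAndRest.length < 2) {
            return headerLine;                 // scheme only, nothing to replace
        }
        String rest = schemeAndRest[1];        // "aaaaa.bbbbbb.cccccc, something parameter=value"
        int comma = rest.indexOf(',');
        String trailing = comma < 0 ? "" : rest.substring(comma); // ", something parameter=value"
        return PREFIX + schemeAndRest[0] + " " + newToken + trailing;
    }

    public static void main(String[] args) {
        String newToken = "ddddd.eeeeee.ffffff"; // constructed replacement token

        System.out.println("truncating : " + rewriteTruncating(ORIGINAL, newToken));
        System.out.println("preserving : " + rewritePreserving(ORIGINAL, newToken));

        // Limit semantics of java.lang.String.split(String, int):
        // limit 1 -> the whole input as a single element (no split at all),
        // limit 2 -> scheme and remainder, which is what a rewrite needs.
        String value = ORIGINAL.substring(PREFIX.length());
        System.out.println("split(\" \", 1): " + Arrays.toString(value.split(" ", 1)));
        System.out.println("split(\" \", 2): " + Arrays.toString(value.split(" ", 2)));

        // Sanity check: the second list member must still be present after the rewrite.
        if (!rewritePreserving(ORIGINAL, newToken).endsWith(", something parameter=value")) {
            throw new AssertionError("trailing header value was lost");
        }
    }
}
```

Compile and run with `javac AuthorizationHeaderRewrite.java && java AuthorizationHeaderRewrite`. The preserving variant replaces only the text between the scheme and the first comma; if the header carries a different scheme, or no credential at all, it returns the line unchanged rather than rebuilding it from guessed pieces, which is the behaviour a background extension should default to.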

@VitaliDzemidovich
Author

Hi Alex,
Sorry, but I'm not a developer, and actually I'm not going to use this plugin for its intended purpose in future.
I just wanted to warn people about possible problems that can arise if the plugin is enabled in the background.
Nevertheless thanks for your great work!

Thanks,
Vitali

@alexlauerman
Owner

You're welcome. No problem. Let me know if you want me to modify the plugin for you and rebuild the jar. It won't take too long.

Many times, this plugin will need modification, because the token gets returned in different places.

@alexlauerman
Owner

There is now a burp extension in the BApp store called TokenJar. It may be worth checking out. I have not used it.

@alexlauerman
Owner

Just to reply to my own suggestion, I tried both TokenJar and TokenExtractor today, although neither worked for me for an authorization header.
