Made recommended changes.

PortSwigger · Feb 5, 2024 · 08245d6 · 08245d6
1 parent 9c5426f
commit 08245d6
Showing 1 changed file with 12 additions and 30 deletions.
diff --git a/Proxy/HTTP/FilterAuthenticated.bambda b/Proxy/HTTP/FilterAuthenticated.bambda
@@ -4,7 +4,10 @@
  * @author joe-ds (https://github.com/joe-ds)
  **/
 
-if (!requestResponse.hasResponse()) {
+var request = requestResponse.request();
+var response = requestResponse.response();
+
+if (!response.isStatusCodeClass(StatusCodeClass.CLASS_2XX_SUCCESS) || !requestResponse.hasResponse()) {
     return false;
 }
 
@@ -13,37 +16,16 @@ var configNotInScopeOnly = true;  // If set to false, won't show out-of-scope it
 var sessionCookieName = "";       // If given, will look for a cookie with that name.
 var sessionCookieValue = "";      // If given, will check if cookie with sessionCookieName has this value.
 
-var request = requestResponse.request();
-var response = requestResponse.response();
-var mimeType = requestResponse.mimeType();
-var path = requestResponse.request().pathWithoutQuery().toLowerCase();
-
-var inScope = requestResponse.request().isInScope();
-
-var isAuthorised = response.isStatusCodeClass(StatusCodeClass.CLASS_2XX_SUCCESS);
+var inScope = request.isInScope();
 var authHeader = request.hasHeader("Authorization");
 
-var sessionCookie = false;
-if (request.headerValue("Cookie") != null) {
-    if ((sessionCookieName.length() > 0) && (sessionCookieValue.length() > 0)) {
-        if (requestResponse.request().hasParameter(sessionCookieName, HttpParameterType.COOKIE)) {
-	        sessionCookie = requestResponse.request().parameter(sessionCookieName, HttpParameterType.COOKIE).value().equals(sessionCookieValue);
-        } else {
-            sessionCookie = false;
-        }
-    } else if (sessionCookieName.length() > 0) {
-        if (requestResponse.request().hasParameter(sessionCookieName, HttpParameterType.COOKIE)) {
-	        sessionCookie = true;
-        } else {
-            sessionCookie = false;
-        }
-    } else {
-        sessionCookie = false;
-    };
-} else {
-    sessionCookie = false;
-}
+boolean sessionCookie = request.headerValue("Cookie") != null
+                            && !sessionCookieName.isEmpty()
+                            && request.hasParameter(sessionCookieName, HttpParameterType.COOKIE) 
+			                && (sessionCookieValue.isEmpty() || sessionCookieValue.equals(request.parameter(sessionCookieName, HttpParameterType.COOKIE).value()));
 
+var path = requestResponse.request().pathWithoutQuery().toLowerCase();
+var mimeType = requestResponse.mimeType();
 var filterDenyList = mimeType != MimeType.CSS
  && mimeType != MimeType.IMAGE_UNKNOWN
  && mimeType != MimeType.IMAGE_JPEG
@@ -63,4 +45,4 @@ var filterDenyList = mimeType != MimeType.CSS
  && !path.endsWith(".png")
  && !path.endsWith(".css");
 
-return isAuthorised && (authHeader || sessionCookie) && (configNoFilter || filterDenyList) && (configNotInScopeOnly || inScope);
+return (authHeader || sessionCookie) && (configNoFilter || filterDenyList) && (configNotInScopeOnly || inScope);