Improper Set-Cookie header handling in proxy

[flabbergastedbd]

Bug

• Try using owtf proxy to browse to any wordpress admin page.
• Try logging in. (Invalid credentials will also do)
• You should see a message on the login page that cookie support seems disabled!!!

Fix

This line

for header, value in list(response.headers.items()):

should be

for header, value in response.headers.get_all():

Verification

• Repeat the same steps and you should see no such cookies disabled message.
• Do not send a PR or commit without verifying the fix first!!

Reasoning

• Servers send multiple Set-Cookie headers
• When iterated over these headers using items, list of set-cookie header values is joined using comma
• This format of mentioning multiple cookies in one Set-Cookie header seperated by comma is not recognised by browsers.
• The ideal way of doing this is by using get_all() method of tornado headers.

[kdexd]

I will take up upon this issue. The description is quite informative. I am doing a Debian -> Kali transformation and in the middle of setting up Kali. I will first verify it and then send a PR 😄

[kdexd]

I tested the commit, and in the browser the message did vanish. Though as pointed out by @delta24, I did look up in my /tmp/owtf/proxy.log and find this line:

AttributeError: 'dict' object has no attribute 'get_all'

This seems a bit off.