[BUG] cookies flag (either -b or --cookies) does not work properly when there are multiple cookies #1150

Closed
JulianGR opened this issue May 16, 2024 · 6 comments · Fixed by #1142
Labels
bug Something isn't working

Comments

@JulianGR
Contributor

Describe the bug
Both -b and --cookies don't work properly - cookies don't get sent in requests when there are multiple cookies like so:

Cookie: ASP.NET_SessionId=t0asdfv; cache=es; version=2.9.3.0&release=True&nivel=1

To Reproduce
Steps to reproduce the behavior:

  1. use either -b or --cookies flag and use multiple cookies

See this screenshot:
Cookies flag being used, but no cookies

Also, Burp suite with request shows empty cookie header

Expected behavior
I expect cookies to actually be sent

Traceback / Error Output
N/A

Environment (please complete the following information):

  • feroxbuster version: 2.10.3 (latest), happening since a while ago, so it is not new from this latest version.
  • OS: happening in WSL2 Kali, in normal Kali, and Windows. Using PowerShell, CMD or bash yields the same error. I tried different terminals to see if quotes or double quotes are being wrongfully parsed, but it does not seem to be the case.

Additional context
N/A

@JulianGR JulianGR added the bug Something isn't working label May 16, 2024
@epi052
Owner

epi052 commented May 16, 2024

Howdy! Can you please post your exact command?

@JulianGR
Contributor Author

JulianGR commented May 16, 2024

Yes, redacted for privacy

feroxbuster -u https://asdf.com -b 'ASP.NET_SessionId=t0iasdfv; idbox.cache=es; idbox.version=version=2.9.3.0&release=True&nivel=1' --proxy 127.0.0.1:8080

@epi052
Owner

epi052 commented Jun 9, 2024

ok, there are a few problems here.

first, -b expects a single key/value pair separated by an equals sign.

so, a better invocation would be

-b 'ASP.NET_SessionId=t0iasdfv' -b 'idbox.cache=es' ...

however, this approach breaks down on your third cookie due to multiple equals signs.

thankfully, since -b / --cookies has always just been sugar around adding Cookie: and some processing logic, you can just use -H|--headers directly, which doesn't make any assumptions about the value passed (it does assume there's a : separating the key from the value, but that's all. no additional logic is applied).

--burp -u http://localhost:8000 -H 'Cookie: ASP.NET_SessionId=t0iasdfv; idbox.cache=es; idbox.version=version=2.9.3.0&release=True&nivel=1'


@JulianGR
Contributor Author

Wouldn't it be better that the -b flag accepts multiple cookies, with equals sign included? so that it allows faster copy-pasting. Or at least include it in the docs.

@epi052
Owner

epi052 commented Jun 12, 2024

Wouldn't it be better that the -b flag accepts multiple cookies, with equals sign included? so that it allows faster copy-pasting. Or at least include it in the docs.

yes, i started working on that already 😁 it'll be in the next release

@epi052
Owner

epi052 commented Jun 13, 2024

update:

the following cli options

--cookies 'ASP.NET_SessionId=t0iasdfv; idbox.cache=es; idbox.version=version=2.9.3.0&release=True&nivel=1' -b 'stuff=things' -b 'mostuff=mothings;'

produce the following header

 🤯  Header                │ Cookie: ASP.NET_SessionId=t0iasdfv; idbox.cache=es; idbox.version=version2.9.3.0&releaseTrue&nivel1; stuff=things; mostuff=mothings
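
An added example, not part of the original thread and not feroxbuster's own code: one way to merge several `-b` / `--cookies` values into a single `Cookie` header, splitting each pair on the first `=` only so that a value containing `=` is kept intact. The function name `build_cookie_header` and the CR/LF rejection are assumptions made for this illustration.

```rust
/// Merge every -b/--cookies value into one Cookie header value.
/// Each argument may hold one pair or several pairs separated by ';'.
/// (Hypothetical helper written for this example.)
fn build_cookie_header(args: &[&str]) -> Result<String, String> {
    let mut pairs: Vec<String> = Vec::new();
    for arg in args {
        for raw in arg.split(';') {
            let raw = raw.trim();
            if raw.is_empty() {
                continue; // trailing ';' or doubled separator
            }
            // Split on the FIRST '=' only; everything after it is the value.
            let (name, value) = raw
                .split_once('=')
                .ok_or_else(|| format!("cookie pair without '=': {raw:?}"))?;
            let name = name.trim();
            if name.is_empty() {
                return Err(format!("cookie pair with empty name: {raw:?}"));
            }
            // An embedded CR/LF would let a value break out of the header line.
            if raw.chars().any(|c| c.is_control()) {
                return Err(format!("control character in cookie pair: {raw:?}"));
            }
            pairs.push(format!("{}={}", name, value.trim()));
        }
    }
    if pairs.is_empty() {
        return Err("no cookies supplied".to_string());
    }
    Ok(pairs.join("; "))
}

fn main() {
    // Constructed input: the option values quoted in the thread above.
    let args = [
        "ASP.NET_SessionId=t0iasdfv; idbox.cache=es; idbox.version=version=2.9.3.0&release=True&nivel=1",
        "stuff=things",
        "mostuff=mothings;",
    ];
    match build_cookie_header(&args) {
        Ok(v) => println!("Cookie: {v}"),
        Err(e) => eprintln!("error: {e}"),
    }
}
```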

