authhelper: set referer on verification

Signed-off-by: Simon Bennetts <[email protected]>

Author: psiinon

addOns/authhelper/CHANGELOG.md

@@ -10,6 +10,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Support for tracking authorization headers automatically for Header based auth.
 - Add Authentication Report section for the log file.
 
+## Changed
+- Send the referer header on verification if set on the original request.
+
 ### Fixed
 - Do not fail the authentication on diagnostic errors.
 

addOns/authhelper/src/main/java/org/zaproxy/addon/authhelper/VerificationDetectionProcessor.java

@@ -136,14 +136,26 @@ private synchronized void updateContext(String loggedInIndicator, String loggedO
         authMethod.setLoggedOutIndicatorPattern(loggedOutIndicator);
         authMethod.setPollData(details.getMsg().getRequestBody().toString());
 
-        String contentType = details.getMsg().getRequestHeader().getHeader(HttpHeader.CONTENT_TYPE);
-        if (contentType != null) {
-            authMethod.setPollHeaders(HttpHeader.CONTENT_TYPE + ": " + contentType);
+        StringBuilder sb = new StringBuilder();
+        appendHeader(sb, details.getMsg().getRequestHeader(), HttpHeader.CONTENT_TYPE);
+        appendHeader(sb, details.getMsg().getRequestHeader(), HttpHeader.REFERER);
+        if (!sb.isEmpty()) {
+            authMethod.setPollHeaders(sb.toString());
         }
         AuthUtils.setVerificationDetailsForContext(context.getId(), details);
         Stats.incCounter("stats.auth.configure.verification");
     }
 
+    private void appendHeader(StringBuilder sb, HttpRequestHeader reqHeader, String headerName) {
+        String headerValue = reqHeader.getHeader(headerName);
+        if (headerValue != null) {
+            sb.append(headerName);
+            sb.append(": ");
+            sb.append(headerValue);
+            sb.append("\n");
+        }
+    }
+
     private VerificationRequestDetails repeatRequest(VerificationRequestDetails vrd, boolean auth)
             throws IOException {
         HttpMessage msg;
@@ -161,6 +173,10 @@ private VerificationRequestDetails repeatRequest(VerificationRequestDetails vrd,
                     .setHeader(
                             HttpRequestHeader.CONTENT_TYPE,
                             origReqHeader.getHeader(HttpRequestHeader.CONTENT_TYPE));
+            msg.getRequestHeader()
+                    .setHeader(
+                            HttpRequestHeader.REFERER,
+                            origReqHeader.getHeader(HttpRequestHeader.REFERER));
 
             msg.getRequestBody().setBody(vrd.getMsg().getRequestBody().getBytes());
             msg.getRequestHeader().setContentLength(msg.getRequestBody().length());

addOns/automation/CHANGELOG.md

@@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
-
+### Fixed
+- Bug in handling headers with colons in the values.
 
 ## [0.51.0] - 2025-07-17
 ### Added

addOns/automation/src/main/java/org/zaproxy/addon/automation/VerificationData.java

@@ -104,7 +104,7 @@ public VerificationData(Context context) {
         if (headers != null) {
             List<AdditionalHeaderData> headerList = new ArrayList<>();
             for (String header : headers.split("\n")) {
-                String[] headerValue = header.split(":");
+                String[] headerValue = header.split(":", 2);
                 if (headerValue.length == 2) {
                     headerList.add(
                             new AdditionalHeaderData(headerValue[0].trim(), headerValue[1].trim()));

addOns/automation/src/test/java/org/zaproxy/addon/automation/VerificationDataUnitTest.java

@@ -20,6 +20,7 @@
 package org.zaproxy.addon.automation;
 
 import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.hasSize;
 import static org.hamcrest.Matchers.is;
 import static org.junit.jupiter.params.provider.Arguments.arguments;
 import static org.mockito.BDDMockito.given;
@@ -28,6 +29,7 @@
 import java.util.LinkedHashMap;
 import java.util.Locale;
 import java.util.stream.Stream;
+import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
@@ -72,4 +74,25 @@ void shouldSetCorrectAuthenticationMethod(
                 context.getAuthenticationMethod().getAuthCheckingStrategy(),
                 is(authCheckingStrategy));
     }
+
+    @Test
+    void shouldHandleContextWithHeaders() {
+        // Given
+        Constant.messages = new I18N(Locale.ENGLISH);
+        Context context = mock(Context.class);
+        HttpAuthenticationMethod httpAuthMethod = new HttpAuthenticationMethod();
+        given(context.getAuthenticationMethod()).willReturn(httpAuthMethod);
+        httpAuthMethod.setPollHeaders("test-header1: value1\n referer : https://www.example.com ");
+
+        // When
+        VerificationData data = new VerificationData(context);
+
+        // Then
+        assertThat(data.getPollAdditionalHeaders(), hasSize(2));
+        assertThat(data.getPollAdditionalHeaders().get(0).getHeader(), is("test-header1"));
+        assertThat(data.getPollAdditionalHeaders().get(0).getValue(), is("value1"));
+        assertThat(data.getPollAdditionalHeaders().get(1).getHeader(), is("referer"));
+        assertThat(
+                data.getPollAdditionalHeaders().get(1).getValue(), is("https://www.example.com"));
+    }
 }