
#33 Cookie sending

v1.0 (example)
open
5
2013-11-16
2013-11-16
Androwarn
No

Hello everyone,

I would like to report a bug related to cookie sending with DirBuster.
It seems to affect both the stable and dev releases.

Indeed for authenticated tests I often set a custom HTTP header, named "Cookie" with the appropriate and current value.

The thing is, when DirBuster sees a "Set-Cookie:" in one of the responses, it automatically adds the seen cookie information (stored in the jar) to the next requests.
As a consequence, my next requests have 2 "Cookie" headers, which can confuse a web server.

Long story short, here's a quick example on how to reproduce the bug:

  1. Open up DirBuster, set your target to "http://google.fr" and a directory file list, and hit Start;
  2. The target server might give you a "Set-Cookie:" while responding to your request;
  3. Stop DirBuster;
  4. Go to Options > Http Options;
  5. Set a custom header named "Cookie" with the value you want ("mycookie=test");
  6. Hit Start;
  7. Your requests now have 2 cookie headers:
    • The one you set: "Cookie: mycookie=test"
    • The one automatically added by DirBuster: "Cookie: $Version=0; PREF=ID=8f51affe9c5e8da8:TM=1384597333:LM=1384597333:S=b6S-o7QkDCjUotPP; $Path=/; $Domain=google.fr"
  8. The target server goes crazy and your authenticated tests fail.

The idea to correct this side effect would be:

  1. Either to implement an "Empty the cookie jar" option in order to clean the jar before adding a custom Cookie header;
  2. Or to systematically skip any "Set-Cookie" header in a response.

As I quickly dug into the code, I saw that lines 88-94 of DirBuster/FilterResponce.java try to do the second solution. So I don't know why I'm still experiencing that bug.

//Remove cookie header
p = Pattern.compile("Set-Cookie:.*?\r\n", Pattern.CASE_INSENSITIVE);
m = p.matcher(toclean);
if(m.find())
{
    //System.out.println("Found Date value = '" + m.group(0) + "'");
    toclean = toclean.replaceAll(m.group(0), "SET-COOKIE LINE REMOVED\r\n");
}

Best regards.
Thomas.
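The following is an added example, written for this page in Python and not part of DirBuster or of the report above. It shows both fixes the reporter proposes: a response filter that removes every Set-Cookie header line by comparing text literally (option 2), and a request builder in which a user-supplied Cookie header replaces the jar's cookies instead of being sent next to them (option 1). For contrast it also includes a function that mirrors the quoted filter's logic: a single find() whose matched text is fed back to a regex-replace. In both Java's String.replaceAll and Python's re.sub that text is interpreted as a pattern, so a cookie line containing a metacharacter such as `+` or `$` no longer matches itself, and any second Set-Cookie line is never looked at. The sample response, host name and cookie values are constructed for the example.

```python
"""Added example (not DirBuster code): handling Set-Cookie and Cookie headers
so that a scan with a custom Cookie header never sends two Cookie headers."""
import re

# Constructed sample response; cookie values are made up for the example.
# One Set-Cookie line is mixed-case and carries a '+' in its value.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 16 Nov 2013 10:00:00 GMT\r\n"
    "Set-Cookie: PREF=ID=8f51affe9c5e8da8:TM=1384597333; Path=/; Domain=google.fr\r\n"
    "Content-Type: text/html\r\n"
    "set-cookie: SESSION=a1b2+c3d4/e5==; Path=/; HttpOnly\r\n"
    "\r\n"
    "<html></html>"
)


def count_set_cookie(raw_response: str) -> int:
    """Count Set-Cookie header lines in the header block of a raw response."""
    head = raw_response.partition("\r\n\r\n")[0]
    return sum(1 for line in head.split("\r\n")
               if line.lower().startswith("set-cookie:"))


def naive_strip(raw_response: str) -> str:
    """Mirror of the quoted filter's logic, for comparison only.

    find() runs once, and the matched text is reused as a regular expression,
    so a line with regex metacharacters does not match itself literally and
    further Set-Cookie lines are left in place."""
    m = re.search(r"Set-Cookie:.*?\r\n", raw_response, re.IGNORECASE)
    if m:
        raw_response = re.sub(m.group(0), "SET-COOKIE LINE REMOVED\r\n",
                              raw_response)
    return raw_response


def strip_set_cookie(raw_response: str) -> str:
    """Remove every Set-Cookie line from the header block, comparing the
    header name literally and case-insensitively; the body is untouched."""
    head, sep, body = raw_response.partition("\r\n\r\n")
    kept = ["SET-COOKIE LINE REMOVED"
            if line.lower().startswith("set-cookie:") else line
            for line in head.split("\r\n")]
    return "\r\n".join(kept) + sep + body


def build_request(path: str, host: str, custom_headers: dict,
                  jar: dict) -> str:
    """Render a GET request with exactly one Cookie header.

    A user-supplied Cookie header takes precedence: the jar's cookies are
    dropped for that request rather than emitted as a second header."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}"]
    user_cookie = None
    for name, value in custom_headers.items():
        if name.lower() == "cookie":
            user_cookie = value
        else:
            lines.append(f"{name}: {value}")
    if user_cookie is not None:
        lines.append(f"Cookie: {user_cookie}")
    elif jar:
        lines.append("Cookie: " + "; ".join(f"{n}={v}" for n, v in jar.items()))
    return "\r\n".join(lines) + "\r\n\r\n"


def count_cookie_headers(request: str) -> int:
    """Count Cookie header lines in a rendered request."""
    return sum(1 for line in request.split("\r\n")
               if line.lower().startswith("cookie:"))


if __name__ == "__main__":
    print("Set-Cookie lines before:", count_set_cookie(SAMPLE_RESPONSE))
    print("after naive filter:     ", count_set_cookie(naive_strip(SAMPLE_RESPONSE)))
    print("after literal filter:   ", count_set_cookie(strip_set_cookie(SAMPLE_RESPONSE)))
    jar = {"PREF": "ID=8f51affe9c5e8da8:TM=1384597333"}  # constructed jar
    req = build_request("/admin/", "example.test",
                        {"Cookie": "mycookie=test", "User-Agent": "scanner"}, jar)
    print(req)
```

The literal filter works on the header block only and replaces each Set-Cookie line with the same marker the quoted code uses, so the jar never learns the server's cookies. The request builder implements the other option at the point where it matters: a custom Cookie header wins for that request, and the jar contents are only used when no custom Cookie header exists.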
