Different return of Burpsuite repeater and python requests

Question

For safety reasons of my company I removed the URL's. But I think they aren't important for the understanding of the problem.

When I make a post with Burpsuite the post is executed correctly, like this print. The request is represented below:

POST /upload/1 HTTP/1.1
Host: URL REMOVED
Connection: close
Content-Length: 0
sec-ch-ua: "Google Chrome";v="87", " Not;A Brand";v="99", "Chromium";v="87"
Accept: application/json, text/plain, */*
sec-ch-ua-mobile: ?0
x-access-token: TOKEN REMOVED
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Origin: URL REMOVED
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: URL REMOVED
Accept-Encoding: gzip, deflate
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7

The answer in BurpSuite is represented below:

HTTP/1.1 200 OK
Date: Mon, 25 Jan 2021 15:28:46 GMT
Server: Apache
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Content-Length: 86
ETag: W/"56-bL6Iw6mpmbZmkXyESXWzn8xcLXc"
Connection: close

{"status":{"type":"success","message":"success","code":200,"error":false},"data":"Ok"}

But when I try to do the same post using python requests I get the 401 error. The code is below:

import requests
import json
#DESAFIO 2

url_post = 'URL REMOVED'
parametros_post = {
    "Host": "URL REMOVED",
    "Connection": "close",
    "Content-Length": 0,
    "sec-ch-ua": '"Google Chrome";v="87", " Not;A Brand";v="99", "Chromium";v="87"',
    "Accept": "application/json, text/plain, */*",
    "sec-ch-ua-mobile": "?0",
    "x-access-token": "TOKEN REMOVED",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36",
    "Content-Type": "application/x-www-form-urlencoded",
    "Origin": "URL",
    "Sec-Fetch-Site": "same-site",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Dest": "empty",
    "Referer": "URL REMOVED",
    "Accept-Encoding": "gzip, deflate",
    "Accept-Language": "pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7"
}
headers_post = {}
r = requests.post(url_post, data = json.dumps(parametros_post), headers = headers_post)

print(r.json())

The return of he python code is below:

{'status': {'type': 'AppError', 'message': 'Please log in.', 'error': True, 'code': 401}}

I am using the same User agent and the same headers for both ways of request. What can I do to make it work on python?

Answer 1

The request you are sending looks like this:

Your script sends these headers in json in the request body, but these are request headers. You should send them as headers.

After this change request looks like this:

You can compare your requests using Burp Comparer, you only need to send your request through Burp proxy like in the example where 8040 is Burp Proxy. In the Comparer window, you will see how your request looks like and it will be easier to notice what the problem is.