Burp Suite User Forum


About setting macro scope by parameter value

Takafumi | Last updated: Jan 18, 2021 09:13AM UTC

Please tell me how to set the macro. I want to change whether the macro is used depending on the parameter value of the target request. I have confirmed that the scope can be set by URL and parameter name, but how do you set the scope by parameter value? Even if it cannot be set in the session handling settings, if there is a way to do it with Extender, it would be helpful if you could show me sample source.

Michelle, PortSwigger Agent | Last updated: Jan 18, 2021 02:11PM UTC

When setting the scope for the session handling rules, you can only specify the parameter name as you have found. To help us understand what you need to achieve could you tell us a bit more about the steps your macro takes and the situations where you need it to be applied, please? If you would rather share this directly you can email us using support@portswigger.net.

Takafumi | Last updated: Jan 19, 2021 01:55AM UTC

For example, when testing login requests, I make a macro perform a correct login / logout request before testing to avoid account locks. However, the specification of the target site is as follows:

Http://test.com/?page=login => login function
Http://test.com/?page=othervalue => non-login function

I want to avoid this macro being executed for requests where it is unnecessary, which reduces inspection efficiency.

Michelle, PortSwigger Agent | Last updated: Jan 19, 2021 04:08PM UTC

To help me understand the workflow, I have a few more questions: Would the macro need to perform both login and logout or just perform the login sequence if the session was not valid? Would the login only need to be performed if the session had become invalid or would you need to login in again for every X requests? If the session is not valid is there some particular detail you can look for in the response of any request to show whether or not a session is valid?

Takafumi | Last updated: Jan 21, 2021 10:32AM UTC

Thank you for your reply. But keeping the session has nothing to do with the problem I'm having. The login function continuously counts the number of times you enter a wrong password. You must log in with a valid password to reset the count. However, since the scan target is the login function, you need to log out in advance. Therefore, for a scan of the login function, I want to log in and log out with a macro, but I want to stop the macro for other requests because it is unnecessary there.
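One way to get value-based scoping from an extension, as an added example that is not code from the thread or from PortSwigger: a legacy Burp Extender API session handling action that checks the value of the `page` URL parameter itself and performs the login/logout sequence only when it is `login`. It assumes the host `test.com` and `page=login` from the thread; the credentials and the `/?page=logout` URL are placeholders.

```java
package burp;

import java.util.Arrays;
import java.util.List;

// Added example (not from the thread): a session handling action that checks the
// parameter *value* and runs the login/logout sequence only when it is page=login.
public class BurpExtender implements IBurpExtender, ISessionHandlingAction {
    // Assumed: the thread gives page=login and test.com; credentials and the logout URL are placeholders.
    private static final String PARAM_NAME = "page", LOGIN_VALUE = "login";
    private static final String LOGIN_BODY = "user=PLACEHOLDER_USER&pass=PLACEHOLDER_PASS";
    private static final List<String> LOGIN_HEADERS = Arrays.asList("POST /?page=login HTTP/1.1",
            "Host: test.com", "Content-Type: application/x-www-form-urlencoded");
    private static final List<String> LOGOUT_HEADERS = Arrays.asList("GET /?page=logout HTTP/1.1",
            "Host: test.com");
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Login/logout only when page=login");
        // Select this action in a session handling rule via "Invoke a Burp extension".
        callbacks.registerSessionHandlingAction(this);
    }

    @Override
    public String getActionName() { return "Login/logout only when page=login"; }

    // True when the request carries the URL parameter page=login.
    static boolean isLoginRequest(IRequestInfo info) {
        for (IParameter p : info.getParameters()) {
            if (p.getType() == IParameter.PARAM_URL && PARAM_NAME.equals(p.getName())
                    && LOGIN_VALUE.equals(p.getValue())) return true;
        }
        return false;
    }

    @Override
    public void performAction(IHttpRequestResponse currentRequest, IHttpRequestResponse[] macroItems) {
        // Rule scope can only match parameter names; the value check happens here.
        if (!isLoginRequest(helpers.analyzeRequest(currentRequest))) return; // other pages: no extra traffic
        // A valid login resets the failed-password counter; logout leaves the login page testable again.
        IHttpService service = currentRequest.getHttpService();
        byte[] login = helpers.buildHttpMessage(LOGIN_HEADERS, helpers.stringToBytes(LOGIN_BODY));
        callbacks.makeHttpRequest(service, login);
        callbacks.makeHttpRequest(service, helpers.buildHttpMessage(LOGOUT_HEADERS, new byte[0]));
    }
}
```

Use the action alone in the rule (no "Run a macro" action), with the rule scoped to the login URL; the extension then decides per request whether any login traffic is sent.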

Michelle, PortSwigger Agent | Last updated: Jan 21, 2021 03:50PM UTC

Thanks for the update. That helps me to understand how the site treats the logins, but I still have a few more questions to help me picture the scenario where this macro is needed if that's ok. Can you send me some screenshots of the scan configuration / Burp configuration you're using when you see the issues with the login that result in you needing the macro to reset the login count? Are you using a crawl and audit scan task or are you using one of the other tools? If you can email them to support@portswigger.net, that would be great and we can get a better understanding of what you need to achieve with Burp.

Takafumi | Last updated: Jan 25, 2021 09:08AM UTC

Thank you very much. I will send you an email.
