Burp Suite User Forum


Active Scanner doesn't use supplied session

GarlicCheese | Last updated: Aug 21, 2018 07:29AM UTC

I've had this issue multiple times. I have a request with a session (e.g. cookie value x) in Repeater where it works as intended. If I then run an active scan (by right-clicking and choosing "Do an active scan"), the scan's base request is identical to the one in Repeater, but the response is unexpected. After a bit of investigating, I found out that the active scanner uses another session (e.g. cookie value y). I used a second proxy as an upstream proxy for Burp to verify this. Restarting Burp helps, and the correct session is used if I do exactly the same thing. Does the Burp Scanner have an internal session management which I don't know of? How can I force the Scanner to use the supplied session, or is this a bug?

Liam, PortSwigger Agent | Last updated: Aug 21, 2018 11:40AM UTC

Have you tried using Burp's session handling rules to maintain your session? - https://support.portswigger.net/customer/en/portal/articles/2363088-configuring-burp-s-session-handling-rules Please let us know if you need any further assistance.

Burp User | Last updated: Aug 21, 2018 12:42PM UTC

It seems like this was the issue. I wasn't aware that the Spider and the Scanner used their own cookie jar. Thanks!

Syed | Last updated: Dec 06, 2021 09:33PM UTC

Has anyone tried this? https://portswigger.net/support/configuring-burp-suites-session-handling-rules How can one actually replace other headers in the Scanner once the session times out? I was successfully able to get the updated cookies, but there's an Authorization header too which actually contains the authentication token. I can't update my Scanner requests with it. TL;DR: Trying to update subsequent requests with updated session information after the session times out (in Scanner/Repeater), basically so I won't have to re-login and rerun the requests.

Liam, PortSwigger Agent | Last updated: Dec 07, 2021 10:27AM UTC

Have you checked out the BApp Store? It contains extensions to be used in Burp. You can find it in Burp under "Extender > BApp Store" or on our website here: https://portswigger.net/bappstore There are several different extensions relating to authentication - you would likely need to read the descriptions to see if there's one in particular that best suits your use case. It sounds like the "Add custom header" extension may be helpful.
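Added example, not code from this thread or from PortSwigger: the cookie-jar problem in the first post and the Authorization-header problem in Syed's post are both handled by a session handling rule, and the second one needs a rule action that Burp's built-in cookie update cannot do. The rule would be: scope = Scanner (and Repeater if wanted), action 1 = run a login macro, action 2 = "Invoke a Burp extension" pointing at the action registered below. The extension is a Jython extension against Burp's legacy Extender API (`IBurpExtender`, `ISessionHandlingAction`, `IExtensionHelpers`); the token location is an assumption, a JSON body with a hypothetical `access_token` field in the macro's final response, and must be changed to match the real application. The header rewriting is kept in plain functions so it can be exercised outside Burp; the sample request and macro response near the bottom are constructed for that purpose.

```python
"""Session handling action: copy a fresh bearer token from the login
macro's response into the Authorization header of the current request.
Written for Burp's legacy Extender API under Jython (Python 2 syntax,
which is why there are no f-strings); the pure functions run on CPython
as well, so the rewriting logic can be tested without Burp."""
import json

try:
    from burp import IBurpExtender, ISessionHandlingAction
    HAVE_BURP = True
except ImportError:  # outside Burp (e.g. unit tests): extension class not defined
    HAVE_BURP = False

HEADER_NAME = "Authorization"
TOKEN_FIELD = "access_token"   # assumption: adjust to the real login response


def extract_token(response_body):
    """Return the token from a JSON login response body, or None.
    Returning None makes the caller leave the request alone rather than
    send a request with an empty or bogus Authorization header."""
    try:
        data = json.loads(response_body)
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    token = data.get(TOKEN_FIELD)
    return token if token else None


def replace_header(headers, name, value):
    """Return a copy of a Burp-style header list (headers[0] is the request
    line) with `name` set to `value`. Header names are matched
    case-insensitively (RFC 7230), duplicates are collapsed into one, and
    the header is appended if the request did not carry it at all."""
    prefix = name.lower() + ":"
    out, replaced = [], False
    for i, line in enumerate(headers):
        if i > 0 and line.lower().startswith(prefix):
            if not replaced:
                out.append("%s: %s" % (name, value))
                replaced = True
            continue  # drop a second copy of the header
        out.append(line)
    if not replaced:
        out.append("%s: %s" % (name, value))
    return out


def split_request(raw):
    """Split a raw HTTP/1.1 request into (header lines, body); stand-in for
    IExtensionHelpers.analyzeRequest when running outside Burp."""
    head, _, body = raw.partition("\r\n\r\n")
    return head.split("\r\n"), body


def refresh_authorization(raw_request, macro_response_body):
    """Pure version of the session handling action, used for testing."""
    token = extract_token(macro_response_body)
    if token is None:
        return raw_request
    headers, body = split_request(raw_request)
    headers = replace_header(headers, HEADER_NAME, "Bearer " + token)
    return "\r\n".join(headers) + "\r\n\r\n" + body


# Constructed sample data (not captured from any real application).
SAMPLE_REQUEST = ("GET /api/me HTTP/1.1\r\nHost: app.example\r\n"
                  "authorization: Bearer expired-token\r\nAccept: */*\r\n\r\n")
SAMPLE_MACRO_RESPONSE_BODY = '{"access_token": "fresh-token", "expires_in": 900}'


def demo():
    """Rewrite the sample request with the token from the sample macro body."""
    return refresh_authorization(SAMPLE_REQUEST, SAMPLE_MACRO_RESPONSE_BODY)


if HAVE_BURP:
    class BurpExtender(IBurpExtender, ISessionHandlingAction):
        def registerExtenderCallbacks(self, callbacks):
            self._helpers = callbacks.getHelpers()
            callbacks.setExtensionName("Refresh Authorization header")
            callbacks.registerSessionHandlingAction(self)

        def getActionName(self):
            return "Copy bearer token from macro into Authorization"

        def performAction(self, currentRequest, macroItems):
            # The rule must run the login macro first; its last response
            # is where the new token lives.
            if len(macroItems) == 0:
                return
            resp = macroItems[len(macroItems) - 1].getResponse()
            if resp is None:
                return
            resp_info = self._helpers.analyzeResponse(resp)
            body = self._helpers.bytesToString(resp)[resp_info.getBodyOffset():]
            token = extract_token(body)
            if token is None:
                return
            req = currentRequest.getRequest()
            req_info = self._helpers.analyzeRequest(req)
            headers = replace_header(list(req_info.getHeaders()),
                                     HEADER_NAME, "Bearer " + token)
            currentRequest.setRequest(
                self._helpers.buildHttpMessage(headers, req[req_info.getBodyOffset():]))
```

Load the file under Extender > Extensions as a Python extension, then in Project options > Sessions create the rule with the macro followed by the "Invoke a Burp extension" action and tick Scanner in the rule's scope; the rule's session-tracer shows whether the header was rewritten on each scan request. Two caveats a tester should check: a macro that logs in on every request is slow and noisy, so pair it with a "check session is valid" rule that only triggers the macro on a failed session check, and confirm the application does not tie the token to a cookie the macro also refreshed, otherwise the cookie jar and the header must be updated together.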
