The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Active Scanner doesn't use supplied session

GarlicCheese | Last updated: Aug 21, 2018 07:29AM UTC

I've had this issue multiple times. I have a request with a session (e.g. cookie value x) in the Repeater where it works as intended. If I then run an active scan (by right-clicking, do an active scan), the scan's base request is identical to the one in the Repeater, but the response is unexpected. After a bit of investigating, I found out that the active scanner uses another session (e.g. cookie value y). I used a second proxy as an upstream proxy for Burp to verify this. Restarting Burp helps and the correct session is used if I do exactly the same. Does the Burp Scanner have internal session management which I don't know of? How can I force the Scanner to use the supplied session - or is this a bug?

Liam, PortSwigger Agent | Last updated: Aug 21, 2018 11:40AM UTC

Have you tried using Burp's session handling rules to maintain your session? - https://support.portswigger.net/customer/en/portal/articles/2363088-configuring-burp-s-session-handling-rules Please let us know if you need any further assistance.

Burp User | Last updated: Aug 21, 2018 12:42PM UTC

It seems like this was the issue. I wasn't aware that the Spider and the Scanner used their own cookie jar. Thanks!

Syed | Last updated: Dec 06, 2021 09:33PM UTC

Has anyone tried this? https://portswigger.net/support/configuring-burp-suites-session-handling-rules How can one actually replace other headers in the scanner once the session times out? I was successfully able to get the updated cookies but there's an Authorization header too which actually contains the authentication token. Can't update my scanner requests with it. TL;DR: Trying to update subsequent requests with updated session information after session times out (in scanner/repeater) - Basically won't* have to re-login and rerun the requests.
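The built-in session handling rules can refresh cookies from the cookie jar, which resolves the first post's problem, but a bearer token carried in an Authorization header is not a cookie, so nothing in the stock rule types rewrites it. One way to do that is a session handling action registered by an extension, which Burp invokes from a rule via the "Invoke a Burp extension" action after a login macro has run. The following is an added example written against the Burp Montoya API; it is not code from this thread or from PortSwigger. It assumes the login macro's response is a JSON body containing a `"token"` field (the regex, the field name and the `Bearer` scheme are assumptions; adjust them to the target application):

```java
import burp.api.montoya.BurpExtension;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.http.message.HttpRequestResponse;
import burp.api.montoya.http.message.requests.HttpRequest;
import burp.api.montoya.http.sessions.ActionResult;
import burp.api.montoya.http.sessions.SessionHandlingAction;
import burp.api.montoya.http.sessions.SessionHandlingActionData;

import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Session handling action that copies the token from the login macro's
// response into the Authorization header of the request being processed.
public class BearerTokenSessionAction implements BurpExtension, SessionHandlingAction {

    // Assumption: the login response is JSON with a "token" string field.
    private static final Pattern TOKEN = Pattern.compile("\"token\"\\s*:\\s*\"([^\"]+)\"");

    @Override
    public void initialize(MontoyaApi api) {
        api.extension().setName("Bearer token session action (example)");
        // Makes this action selectable under "Invoke a Burp extension" in a session handling rule.
        api.http().registerSessionHandlingAction(this);
    }

    @Override
    public String name() {
        return "Copy token from login macro into Authorization header";
    }

    @Override
    public ActionResult performAction(SessionHandlingActionData actionData) {
        HttpRequest request = actionData.request();
        String token = extractToken(actionData.macroRequestResponses());
        if (token == null) {
            // No token found in the macro output: pass the request through unchanged.
            return ActionResult.actionResult(request);
        }
        // withUpdatedHeader replaces an existing Authorization header or adds one if absent.
        return ActionResult.actionResult(request.withUpdatedHeader("Authorization", "Bearer " + token));
    }

    // Scans the macro's request/response pairs, newest first, for a token value.
    static String extractToken(List<HttpRequestResponse> macroItems) {
        for (int i = macroItems.size() - 1; i >= 0; i--) {
            HttpRequestResponse item = macroItems.get(i);
            if (item.response() == null) {
                continue;
            }
            Matcher m = TOKEN.matcher(item.response().bodyToString());
            if (m.find()) {
                return m.group(1);
            }
        }
        return null;
    }
}
```

Load the compiled JAR under Extensions, then under Project options > Sessions add a rule scoped to Scanner and Repeater (scope is what caught the first poster; the tools only pick up the rule if they are in its scope). Give the rule a "Check session is valid" action that runs the login macro when the session has expired, followed by an "Invoke a Burp extension" action that selects this extension; the macro's request/response pairs arrive in `macroRequestResponses()`, which is where the token is read from.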

Liam, PortSwigger Agent | Last updated: Dec 07, 2021 10:27AM UTC