Burp Suite User Forum


Add cookie authentication to active scan

Daniel | Last updated: Jun 24, 2024 03:07AM UTC

When doing an Active Scan, you can enter a username/password combination or record requests that will authenticate. MFA disrupts this workflow. I suggest adding an option to add a header (e.g. authorization) or authentication cookie to the Active Scanner to authenticate that way so that the scanner is in an authenticated context when scanning the web application.

Syed, PortSwigger Agent | Last updated: Jun 24, 2024 09:45AM UTC

Hi Daniel,

Thank you for your suggestion. Burp already has a feature where you can set up custom headers or cookies to be sent with the requests when running a scan or sending requests through Burp. You can find it under session handling rules in Burp Pro and site details in Burp Enterprise.

Steven | Last updated: Aug 20, 2024 03:17AM UTC

Related: The Crawl phase does not use the cookie jar (reference: https://forum.portswigger.net/thread/session-manager-not-handling-rules-vetoing-rule-6b3b3aa3). This prevents me from passing an authenticated session to Burp's crawler. It is possible to jump straight into the Audit phase with a session preloaded, but this doesn't provide the automated coverage scanners are commonly used for. Could we get the option to override the built-in session logic of the Crawler? At minimum, the ability to preload it with whatever is in the Cookie Jar would save a lot of headaches dealing with client apps where they refuse to disable MFA. I'm not entirely sure what the rationale is for completely overriding Cookie Jar and Session settings for the crawler; it produces a lot of unexpected (to me, at least) behavior. If not, could the documentation be updated? The Session Settings page includes bold text to manually set a cookie value, but does not include a link: https://portswigger.net/burp/documentation/desktop/settings/sessions#session-handling-overview. The first hit on Google is a PortSwigger page that uses screenshots from a version of Burp from several years ago that has a very different UI: https://portswigger.net/support/manually-setting-a-cookie-for-burp-suites-crawl-and-audit.

Syed, PortSwigger Agent | Last updated: Aug 20, 2024 01:56PM UTC

Hi Steven,

If you want to use a cookie for the audit phase, while essentially skipping the crawl phase, you can do this using the Cookie jar and the Session handling rule.

  • Browse your website in Burp's proxy browser so that the cookie jar is filled with the necessary cookies.
  • Navigate to Settings>Sessions and then click on Open cookie jar. This will open the cookie jar where you can see the session cookies. Copy and paste the session cookies in a text editor.
  • Under the same Sessions window, you will find the Session handling rules. Click on Add to add a new rule.
  • Set a Rule description and then click on Add. Click the "Set a specific cookie or parameter value" option.
  • Give the cookie name and value that you got from the cookie jar.
  • Check the 'If not already present, add as cookie' checkbox.
  • Set the scope for this rule. Click Ok, and you should be good to go.

Try this in the repeater tab. Send a request for the site without the cookie and see if Burp adds it to the request.

Let me know if this works out or if you need further help.
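The "Set a specific cookie or parameter value" action described in the steps above, with the "If not already present, add as cookie" checkbox and the rule scope, as an added Python illustration that is not Burp's own code and not part of this thread. It models a request as a plain list of header tuples rather than Burp's internal request object, and the cookie name and value are constructed placeholders standing in for whatever you copied out of the cookie jar.

```python
from typing import Dict, Iterable, List, Tuple

Header = Tuple[str, str]

# Constructed placeholders: in practice these are the name and value
# copied from Burp's cookie jar, never a real session token in source.
SESSION_COOKIE_NAME = "session"
SESSION_COOKIE_VALUE = "EXAMPLE-SESSION-TOKEN"


def parse_cookie_header(value: str) -> Dict[str, str]:
    """Parse a Cookie request header ("a=1; b=2") into an ordered dict."""
    cookies: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, _, val = part.partition("=")
        cookies[name.strip()] = val.strip()
    return cookies


def apply_set_cookie_rule(headers: List[Header], name: str, value: str,
                          add_if_absent: bool = True) -> List[Header]:
    """Mimic the 'Set a specific cookie or parameter value' action.

    - If the request already carries cookie `name`, its value is replaced.
    - Otherwise, when add_if_absent is True (the 'If not already present,
      add as cookie' checkbox), the cookie is appended to the existing
      Cookie header, or a new Cookie header is created if there is none.
    - When add_if_absent is False and the cookie is missing, nothing changes.
    """
    out: List[Header] = []
    done = False
    for hname, hval in headers:
        if hname.lower() == "cookie" and not done:
            jar = parse_cookie_header(hval)
            if name in jar or add_if_absent:
                jar[name] = value  # replacing keeps the cookie's position
                done = True
                hval = "; ".join(f"{k}={v}" for k, v in jar.items())
        out.append((hname, hval))
    if not done and add_if_absent:
        out.append(("Cookie", f"{name}={value}"))
    return out


def apply_rule_to_request(headers: List[Header], scope_hosts: Iterable[str],
                          name: str, value: str,
                          add_if_absent: bool = True) -> List[Header]:
    """Apply the rule only to requests whose Host is within the rule's scope."""
    host = next((v for k, v in headers if k.lower() == "host"), "")
    if host.lower() not in {h.lower() for h in scope_hosts}:
        return list(headers)  # out of scope: the rule does not fire
    return apply_set_cookie_rule(headers, name, value, add_if_absent)


def has_cookie(headers: List[Header], name: str) -> bool:
    """The Repeater check from the post: does the outgoing request carry the cookie?"""
    return any(k.lower() == "cookie" and name in parse_cookie_header(v)
               for k, v in headers)


if __name__ == "__main__":
    # Constructed request without the session cookie, as in the Repeater test.
    request = [("Host", "example.com"), ("User-Agent", "repeater-check")]
    patched = apply_rule_to_request(request, {"example.com"},
                                    SESSION_COOKIE_NAME, SESSION_COOKIE_VALUE)
    print("cookie added:", has_cookie(patched, SESSION_COOKIE_NAME))
    for k, v in patched:
        print(f"{k}: {v}")
```

The `__main__` block reproduces the Repeater check from the post: a request with no session cookie goes in, and the output shows whether the cookie was attached. Untick the checkbox in Burp (`add_if_absent=False` here) and a request that never had the cookie leaves the rule untouched, which is the usual reason a rule "does nothing" when first tested.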
