The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

Add cookie authentication to active scan

Daniel | Last updated: Jun 24, 2024 03:07AM UTC

When doing an Active Scan, you can enter a username/password combination or record requests that will authenticate. MFA disrupts this workflow. I suggest adding an option to add a header (e.g. authorization) or authentication cookie to the Active Scanner to authenticate that way so that the scanner is in an authenticated context when scanning the web application.

Syed, PortSwigger Agent | Last updated: Jun 24, 2024 09:45AM UTC

Hi Daniel,

Thank you for your suggestion. Burp already has a feature where you can set up custom headers or cookies to be sent with the requests when running a scan or sending requests through Burp. You can find it under session handling rules in Burp Pro and site details in Burp Enterprise.
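As an added illustration (not PortSwigger's code and not something from this thread), the same effect as a session handling rule can be achieved with a small Burp extension built on the Montoya API: an HTTP handler that injects a static Authorization header into every request the scanner sends to an in-scope host. The token value and extension name are placeholders; the scope check is there so a captured session token is never sent to out-of-scope third-party hosts during a crawl.

```java
import burp.api.montoya.BurpExtension;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.core.ToolType;
import burp.api.montoya.http.handler.HttpHandler;
import burp.api.montoya.http.handler.HttpRequestToBeSent;
import burp.api.montoya.http.handler.HttpResponseReceived;
import burp.api.montoya.http.handler.RequestToBeSentAction;
import burp.api.montoya.http.handler.ResponseReceivedAction;
import burp.api.montoya.http.message.requests.HttpRequest;

// Example extension (not PortSwigger's own code): attaches a pre-obtained
// bearer token to scanner traffic so crawl/audit runs in an authenticated context.
public class StaticAuthHeaderExtension implements BurpExtension {

    // Placeholder: paste the token obtained after completing MFA in a browser.
    private static final String TOKEN = "REPLACE_WITH_SESSION_TOKEN";

    @Override
    public void initialize(MontoyaApi api) {
        api.extension().setName("Static auth header for scans");

        api.http().registerHttpHandler(new HttpHandler() {
            @Override
            public RequestToBeSentAction handleHttpRequestToBeSent(HttpRequestToBeSent request) {
                // Only touch requests issued by the scanner (crawl and audit),
                // and only for targets in the defined scope, so the token is
                // never leaked to unrelated hosts the crawler may follow links to.
                boolean fromScanner = request.toolSource().isFromTool(ToolType.SCANNER);
                boolean inScope = api.scope().isInScope(request.url());

                if (fromScanner && inScope) {
                    // withUpdatedHeader replaces an existing header or adds it if absent.
                    HttpRequest authed = request.withUpdatedHeader("Authorization", "Bearer " + TOKEN);
                    return RequestToBeSentAction.continueWith(authed);
                }
                return RequestToBeSentAction.continueWith(request);
            }

            @Override
            public ResponseReceivedAction handleHttpResponseReceived(HttpResponseReceived response) {
                // Responses are passed through unchanged; a 401/302-to-login here
                // is the signal that the token has expired and the scan is unauthenticated.
                return ResponseReceivedAction.continueWith(response);
            }
        });
    }
}
```

Load the compiled JAR under Extensions, then start the scan; checking the Logger for the injected header on scanner requests confirms it is being applied. Whether this also covers the crawl phase in the way the later reply in this thread asks for is not something the thread itself confirms, so verify it against your Burp version.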

Steven | Last updated: Aug 20, 2024 03:17AM UTC

Related: The Crawl phase does not use the cookie jar (reference: https://forum.portswigger.net/thread/session-manager-not-handling-rules-vetoing-rule-6b3b3aa3). This prevents me from passing an authenticated session to Burp's crawler. It is possible to jump straight into the Audit phase with a session preloaded, but this doesn't provide the automated coverage scanners are commonly used for. Could we get the option to override the built-in session logic of the Crawler? At minimum, the ability to preload it with whatever is in the Cookie Jar would save a lot of headaches dealing with client apps where they refuse to disable MFA. I'm not entirely sure what the rationale is for completely overriding Cookie Jar and Session settings for the crawler; it produces a lot of unexpected (to me, at least) behavior. If not, could the documentation be updated? The Session Settings page includes bold text to manually set a cookie value, but does not include a link: https://portswigger.net/burp/documentation/desktop/settings/sessions#session-handling-overview. The first hit on Google is a PortSwigger page that uses screenshots from a version of Burp from several years ago that has a very different UI: https://portswigger.net/support/manually-setting-a-cookie-for-burp-suites-crawl-and-audit.

Syed, PortSwigger Agent | Last updated: Aug 20, 2024 01:56PM UTC