The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.


ASP.NET Cookieless Session Support

Undisclosed | Last updated: Oct 31, 2024 12:39PM UTC

Hi,

I have come across multiple internal web applications that support cookieless sessions. Cookieless sessions create a unique token in the URL to track session states over HTTP. This creates an unmanageable sitemap. There are workarounds to create a better sitemap; however, this is complicated and requires two instances of Burp Suite running. In addition, the scanner will not work with sessions, as the cookie jar cannot detect and track it. Out-of-the-box support would be greatly amazing.

This feature should include the below, ordered by importance:

1. The ability to detect and filter out ASP.NET cookieless tokens in the URL '(S(*))' in order to create a clear sitemap.
2. Track the latest cookieless tokens through the proxy, and update the URL dynamically when scanning/auditing the target.

Sample cookieless session URL: http://stackoverflowwebapp.com/(S(klnc3sshuaf3ngm3ihnpch2v))/home.aspx

Best regards,
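
The two behaviours requested above (stripping the `(S(...))` segment so that one page maps to one sitemap entry, and substituting the most recently seen token into outgoing URLs), as an added Python example; this is not code from the post or from Burp Suite. The names `strip_token` and `TokenTracker` and the second token value are constructed for illustration, and only the `(S(...))` form shown in the post is handled.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Path segment of the form /(S(<token>)), as in the sample URL in the post.
TOKEN_RE = re.compile(r"/\(S\(([A-Za-z0-9]+)\)\)(?=/|$)")

def strip_token(url):
    """Return (canonical_url, path_prefix, token); prefix/token are None if absent."""
    parts = urlsplit(url)
    m = TOKEN_RE.search(parts.path)
    if not m:
        return url, None, None
    path = parts.path[:m.start()] + parts.path[m.end():] or "/"
    return urlunsplit(parts._replace(path=path)), parts.path[:m.start()], m.group(1)

class TokenTracker:
    """Remembers the newest token per host and re-applies it to later URLs."""
    def __init__(self):
        self.latest = {}      # host -> (path prefix before the token, token)
        self.sitemap = set()  # token-free URLs, one entry per page

    def observe(self, url):
        canonical, prefix, token = strip_token(url)
        if token:
            self.latest[urlsplit(url).netloc] = (prefix, token)
        self.sitemap.add(canonical)
        return canonical

    def rewrite(self, url):
        """Replace a stale or missing token with the latest one seen for the host."""
        canonical, _, _ = strip_token(url)
        parts = urlsplit(canonical)
        entry = self.latest.get(parts.netloc)
        if entry is None or not parts.path.startswith(entry[0] + "/"):
            return canonical
        prefix, token = entry
        path = f"{prefix}/(S({token})){parts.path[len(prefix):]}"
        return urlunsplit(parts._replace(path=path))

if __name__ == "__main__":
    t = TokenTracker()
    # First URL is the sample from the post; the second token is constructed.
    t.observe("http://stackoverflowwebapp.com/(S(klnc3sshuaf3ngm3ihnpch2v))/home.aspx")
    t.observe("http://stackoverflowwebapp.com/(S(aaaa1111bbbb2222cccc3333))/home.aspx?id=1")
    print(sorted(t.sitemap))
    print(t.rewrite("http://stackoverflowwebapp.com/(S(klnc3sshuaf3ngm3ihnpch2v))/home.aspx"))
```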

Michelle, PortSwigger Agent | Last updated: Oct 31, 2024 03:36PM UTC