Burp Suite User Forum


auto login

hong | Last updated: Mar 24, 2017 04:07PM UTC

Hi, Burp offers macros to auto-login. I was able to record a macro, and the macro will add new cookies to the cookie jar, and the subsequent requests use the new cookies. However, the subsequent requests need one additional string in the request header (not in a cookie), otherwise the requests will fail. This additional string (for CSRF protection) is in the response during the login process. Is it possible that Burp can also refresh this string, in addition to the cookies? Thanks

Burp User | Last updated: Mar 24, 2017 10:01PM UTC

Additional info: I am sending an expired request to the scanner. The macro will run and refresh the cookie jar, so the session becomes valid. The request also has this XXX-CSRF-Token, which is expired as well. The XXX-CSRF-Token is in the response header from the last step of the login macro; the format is as follows:

XXX-CSRF-Token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I added a custom parameter in the last step of the macro. The parameter name is XXX-CSRF-Token: and the value is xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. I hoped the macro would also grab the XXX-CSRF-Token: and refresh this token. However, Burp did not, and the request failed. What should I do to make the request valid? Thank you,

PortSwigger Agent | Last updated: Mar 28, 2017 11:00AM UTC

Unfortunately Burp's session handling rules don't currently support changeable tokens in HTTP headers - only in conventional request parameters and cookies. Your best option might be to create a quick extension that registers a custom session handling action to update the current request based on the results of an executed macro. Then you can create a rule that runs the relevant macro to obtain the required header value, and invoke your extension with the macro results.
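The extension the agent describes, written out as an added example (it is not code from this thread or from PortSwigger): a minimal extension against the legacy Burp Extender API (`burp.IBurpExtender`, `burp.ISessionHandlingAction`) that registers a session handling action. It assumes, as the poster described, that the token is returned in a response header named `XXX-CSRF-Token` by the last step of the login macro, and that the session handling rule is configured with a "Run a macro" action whose results are passed to this extension's action handler. The extension name and log messages are the example's own choices.

```java
package burp;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example, not PortSwigger's code. Registers a custom session handling
// action that copies a header value out of the last macro response into the
// request currently being processed by the session handling rule.
public class BurpExtender implements IBurpExtender, ISessionHandlingAction {

    // Header name taken from the thread; change it to match the target application.
    private static final String TOKEN_HEADER = "XXX-CSRF-Token";

    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("CSRF header refresher (example)");
        // Makes this action selectable in Session handling rules -> Rule actions
        callbacks.registerSessionHandlingAction(this);
    }

    @Override
    public String getActionName() {
        return "Refresh " + TOKEN_HEADER + " from macro response";
    }

    @Override
    public void performAction(IHttpRequestResponse currentRequest, IHttpRequestResponse[] macroItems) {
        // macroItems is only populated when the rule runs a macro before invoking this action
        if (macroItems == null || macroItems.length == 0) {
            callbacks.printError("No macro results: configure the rule to run the login macro first");
            return;
        }

        // The poster's token is in the response of the final macro step (the login itself)
        IHttpRequestResponse lastStep = macroItems[macroItems.length - 1];
        byte[] response = lastStep.getResponse();
        if (response == null) {
            callbacks.printError("Last macro step has no response; token not refreshed");
            return;
        }

        String token = findHeaderValue(helpers.analyzeResponse(response).getHeaders(), TOKEN_HEADER);
        if (token == null) {
            callbacks.printError(TOKEN_HEADER + " not found in last macro response; token not refreshed");
            return;
        }

        // Rebuild the current request with the refreshed header; the body is kept unchanged
        IRequestInfo info = helpers.analyzeRequest(currentRequest);
        byte[] request = currentRequest.getRequest();
        byte[] body = Arrays.copyOfRange(request, info.getBodyOffset(), request.length);
        List<String> updatedHeaders = replaceHeader(info.getHeaders(), TOKEN_HEADER, token);
        currentRequest.setRequest(helpers.buildHttpMessage(updatedHeaders, body));
    }

    // Returns the value of the first header whose name matches (case-insensitive), or null.
    static String findHeaderValue(List<String> headers, String name) {
        String prefix = name.toLowerCase() + ":";
        for (String header : headers) {
            if (header.toLowerCase().startsWith(prefix)) {
                return header.substring(prefix.length()).trim();
            }
        }
        return null;
    }

    // Replaces the named header (dropping duplicates) or appends it if absent.
    // The first element of a request's header list is the request line, which never matches.
    static List<String> replaceHeader(List<String> headers, String name, String value) {
        List<String> out = new ArrayList<>();
        String prefix = name.toLowerCase() + ":";
        boolean replaced = false;
        for (String header : headers) {
            if (header.toLowerCase().startsWith(prefix)) {
                if (!replaced) {
                    out.add(name + ": " + value);
                    replaced = true;
                }
            } else {
                out.add(header);
            }
        }
        if (!replaced) {
            out.add(name + ": " + value);
        }
        return out;
    }
}
```

Load the compiled JAR under Extender, then in the session handling rule add a "Run a macro" action pointing at the login macro and select this extension as the action handler to invoke after the macro; the rule's scope should cover the Scanner so expired requests sent to it are repaired before they are issued.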
