Burp Suite User Forum

BApps do not use/update Cookie Jar in Active Scan

exploresecurity | Last updated: Nov 17, 2022 11:31AM UTC

Hi. Working on an app with particularly aggressive session management. Session timeout is short and even with regular 'keep alive' requests the original cookie value becomes stale; the newly issued value must be used. Tried an active scan with session handling rules such that only the scanner used the cookie jar and only the scanner could update the cookie jar. Looking at the logs I could see that the built-in scanner (tool "Scanner") was correctly using and updating the cookie jar, but any requests sent by BApps (tool "Extender") were not using the cookie jar (and likewise responses did not update). This did not appear to be BApp-specific but a general property - and presumably any Extension would be affected (after all, this shouldn't be something that an Extension needs to consider). Search of bug reports didn't reveal any hits on this specific point. Using v.2022.9.5. Thanks

Hannah, PortSwigger Agent | Last updated: Nov 17, 2022 11:39AM UTC

Hi. If you go to your "Session handling rules" section and edit the Tool scope of your existing "Use cookies from Burp's cookie jar" rule to include "Extender", does that result in your cookies being updated?

exploresecurity | Last updated: Nov 17, 2022 12:18PM UTC

Aargh! Didn't spot that - wasn't expecting it to be separate TBH, but anyway all good, sorry, please close.

Hannah, PortSwigger Agent | Last updated: Nov 17, 2022 01:23PM UTC

No worries, glad it's sorted!
