Burp Suite User Forum


Burp Cookie Jar cookies not applied to requests for any tool

Samuel | Last updated: Aug 02, 2022 06:05PM UTC

I am currently writing a Java based Burp Extension in order to navigate a complicated authentication system. I found that the macro recorder and other methods built into Burp could not handle it, so I resolved to the following course:

1. Implement the whole flow and all handshakes (MFA, OIDC, setting JSESSIONID cookies) all using HTTPRequest class.
2. Create a persistent cookie handler class, so at the end of all the handshakes, I would have a cookie store full of all the authentication related cookies.
3. "Cross load" all the cookies, by iterating through the persistent store, then calling the Burp callback.updateCookieJar() to load each cookie across.

I have hit some issues with this approach after successfully getting the cookies, confirming the authentication is good by requesting more pages behind login, and verifying I can actually see the cookies in Burp's cookie store.

First, the Crawler does not appear to actually use these cookies from the cookie jar. Based on other posts on the forum, I think this is an expected behavior, but it is very unusual to me, as how you're supposed to navigate a site when intentionally dropping auth cookies isn't something I've seen a clear explanation of.

Second, no matter what I do, I don't see the cookies from Burp's cookie jar actually applied to any requests. I am 100% certain the cookies are in this jar (Project Options -> Sessions -> Open Cookie Jar), and that they're valid. I would have expected the default session handling rules would have been sufficient, but given I can kick off a scan and not see the cookies applied, I'm confused what the paradigm is here.

In order to see if this was a modification issue, I edited both the Cookie Jar section to update with -any- tool, and the default Session handling rule to any tool. I'm still not seeing anything applied at any point. I cannot get anything to use the Burp cookie jar at this point; it is always issuing requests without cookies, no matter if they're still set in that jar.

I exported this Project Settings file (using the top bar) and have the Burp plugin load it at the start of execution. No success so far in getting any of the tools to use those cookies. I still see them set in the Cookie jar.

Is there some guidance based on what I have written, or a question I could answer to assist? This absolutely has to be a common scenario: writing a plugin to handle custom authentication flows and setting cookies. Getting Burp to use the cookies seems to be the hard part.

Hannah, PortSwigger Agent | Last updated: Aug 03, 2022 10:14AM UTC

Hi,

Have you seen any extensions in the BApp Store that have similar functionality to what you are trying to achieve? If so, you could check out their source code. All BApp Store extensions have their code publicly available on GitHub. You can find them all here: https://github.com/PortSwigger
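
The "cross load" step described in the question, as an added example that is not code from this thread or from PortSwigger: it copies cookies from a persistent store into Burp's jar through the legacy Extender API's updateCookieJar() and then reads the jar back, logging the domain, path and expiry each cookie was stored under (never the value). Using java.net.CookieManager as the persistent store and the helper name toBurpCookie are assumptions; the code compiles against the Burp Extender API interfaces.

```java
package burp;

import java.net.CookieManager;
import java.net.HttpCookie;
import java.util.Date;

// Added example. The legacy Extender API loads the class burp.BurpExtender.
public class BurpExtender implements IBurpExtender {
    // Assumption: the extension's own HTTP client fills this store during login.
    private final CookieManager store = new CookieManager();

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        callbacks.setExtensionName("Cookie jar cross-load (example)");
        // The extension's authentication flow runs before this point and populates `store`.
        for (HttpCookie c : store.getCookieStore().getCookies()) {
            callbacks.updateCookieJar(toBurpCookie(c));
        }
        // Read the jar back: the log shows what Burp actually holds, without secrets.
        for (ICookie c : callbacks.getCookieJarContents()) {
            callbacks.printOutput(c.getDomain() + " " + c.getPath() + " "
                    + c.getName() + " expires=" + c.getExpiration());
        }
    }

    // Hypothetical helper: adapts a java.net.HttpCookie to Burp's ICookie.
    static ICookie toBurpCookie(HttpCookie c) {
        // HttpCookie uses a negative max-age for session cookies; ICookie
        // represents those with a null expiration.
        final long maxAge = c.getMaxAge();
        final Date expires = maxAge < 0
                ? null
                : new Date(System.currentTimeMillis() + maxAge * 1000L);
        return new ICookie() {
            @Override public String getDomain() { return c.getDomain(); }
            @Override public String getPath() { return c.getPath(); }
            @Override public Date getExpiration() { return expires; }
            @Override public String getName() { return c.getName(); }
            @Override public String getValue() { return c.getValue(); }
        };
    }
}
```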
