Burp Suite User Forum

Login to post

Burp's Cookie Jar Handles Cookies Differently to Common Browsers

Tib3rius | Last updated: Oct 12, 2022 06:45PM UTC

I have an interesting "bug" for you. I was testing a website that set a session cookie upon login. When logging out, the application set the session cookie to '""' (i.e. two double quotes) rather than an empty string: Set-Cookie: session=""; Chrome and Firefox both seem to still treat this cookie as if it were empty, and so they destroy the cookie. Burp's cookie jar treats the "" as a literal value. I don't know which is correct, but the difference can cause issues. Ordinarily this might not matter, as when you log back in, the cookie would get updated. However this application was located at /app/ and would set the session cookie with a Path=/ when logging in, but when logging out it would set the session cookie to '""' with a Path=/app/. The knock-on effect of this is that the Cookie Jar always has a session cookie set to "", and because its path matches the application more accurately than the actual session cookies being set at login, the Scanner uses this cookie. There did not appear to be a way around this other than either removing the cookie manually before scanning, or turning off the session handling rule. I even tried a proxy match and replace to "correct" the cookie value to an actual empty string and set the Path back to /, but it seems the cookie jar takes cookies from the initial response rather than the edited one? I feel like there are some options here that could be added for these situations. The easiest one might be to set it so that the cookie jar updates after all modifications have been done to responses that get sent through the proxy? Otherwise, perhaps an option to treat a cookie value of '""' the same as a cookie value of '' like browsers seem to.

Hannah, PortSwigger Agent | Last updated: Oct 13, 2022 10:20AM UTC

Hi The Scanner only uses Burp's cookie jar in select scenarios. For example, when performing an "audit selected items" with no associated crawl, or if you have "incy wincy" mode enabled. We've raised a request to change Burp's cookie jar behaviour to match the behaviour of a browser more closely. Instead of using a Proxy match and replace rule, have you had a look at using the Extender API instead? If you'd like some examples of extensions working with cookies, the following example deletes all cookies in the cookie jar on load of the extension: https://github.com/Hannah-PortSwigger/DeleteCookies You can find our "Getting started" guide for writing extensions here: https://portswigger.net/burp/extender

Hannah, PortSwigger Agent | Last updated: Nov 22, 2022 01:37PM UTC

Hi We're struggling to replicate the default behavior of cookie removal that you observed on Chrome, and were hoping you could provide us with some additional information. Could you drop us an email at support@portswigger.net?

You need to Log in to post a reply. Or register here, for free.