Burp Suite User Forum


Burp scanner - token based session management

Rafał | Last updated: Mar 10, 2023 12:59PM UTC

Does the Burp scanner support a session mechanism based on tokens stored in the web storage space? Tokens have a certain lifespan, and thus frontend applications often send requests related to token refresh (token changes). Does Burp support this kind of session management if the crawl and audit scan option is selected?

Michelle, PortSwigger Agent | Last updated: Mar 10, 2023 03:47PM UTC

Thanks for your message. Are you using Burp Suite Professional or Burp Suite Enterprise?

Rafał | Last updated: Mar 13, 2023 12:23PM UTC

I am using Burp Suite Professional.

Michelle, PortSwigger Agent | Last updated: Mar 13, 2023 02:56PM UTC

Hi, Burp Scanner can automatically deal with most session-handling mechanisms. You can read more about how it works here:

https://portswigger.net/burp/documentation/scanner/crawling
https://portswigger.net/burp/documentation/scanner/auditing

Are you encountering any issues with a current scan? If so, can you tell us more about the issues? Would the session handling rules available within Burp Suite Professional be of any additional help (https://portswigger.net/burp/documentation/desktop/settings/sessions/session-handling-rules)? If you would prefer to share information directly, you can email support@portswigger.net.
