Burp community forum

Burp Session Handling Rules not Applied to Proxy

D. | Last updated: Jul 10, 2019 10:27AM UTC

I have a macro that grabs a token value of the parameter named xxx from one HTTP response such as:

/campaign/a\">Details</a>\n<form class=\"column-buttons\" action=\"/manage/campaign/delete\" method=\"POST\">\n <input type='hidden' name='xxx' value='yyy'

In the session handling rules, I have made it run a macro and made it applicable to Repeater and Proxy. In Repeater, when I press Go a few times, the token gets updated. However, when running SQLmap via Burp, the token is not updated. I have also tried manually clicking on the function, but the token is not from the macro but from the original page. I am using Windows 10, tried with Burp 2.1 and v2.0.13beta, Pro edition for both.

Burp User | Last updated: Jul 10, 2019 10:48AM UTC

Just an update, using Session handling tracer shows that the parameter in the HTTP request is indeed updated. However, in my Proxy tab, the parameter in the HTTP request is not updated.

Liam, PortSwigger Agent | Last updated: Jul 10, 2019 01:21PM UTC

SQLmap is a Burp extension. Have you checked the Extender box in the Session handling rule editor > Scope > Tool Scope?

Burp User | Last updated: Jul 11, 2019 01:31AM UTC

I am not using the Burp extension. I am using SQLmap on its own and specifying the proxy there to go through Burp. Checked the Extender box but to no avail as well.

Burp User | Last updated: Jul 11, 2019 01:41AM UTC

I have also removed all extensions in case they were interfering with the requests in the proxy. My host is an IP; I'd initially thought maybe the scope for session handling is not able to detect IP addresses, and so I mapped a hostname to the IP in my hosts file. All these still did not work for me. The fact I can see it in the session handling tracer and not in Proxy is a sign that there should be a bug unless there are some settings I am not aware of.

Burp User | Last updated: Jul 11, 2019 12:28PM UTC

I still have no luck with it. I can send screenshots; let me know how I should go about doing it.

Rose, PortSwigger Agent | Last updated: Jul 15, 2019 07:04AM UTC

Sorry for the delay in responding. Have you tried using the SQLiPy Sqlmap Integration Extension in the BApp Store? If not, could you try using this or tell us why this wouldn't work for you?

Burp User | Last updated: Jul 16, 2019 02:15AM UTC

I avoided using the extension as I am under the impression I wouldn't be using the latest SQLmap version as it is slower than the actual development. I will give it a shot but I still think the core problem should be fixed as this is just a mitigation.

Burp User | Last updated: Jul 16, 2019 02:23AM UTC

Okay, the extension is not working out for me. It has been about 7 days; please let me know where I can send screenshots or debug messages to help with fixing this issue.

Liam, PortSwigger Agent | Last updated: Jul 17, 2019 09:39AM UTC

What issues did you have with the extension? Did you check out our tutorial page? - https://support.portswigger.net/customer/portal/articles/2791040-using-burp-with-sqlmap You can send screenshots or debug messages to support@portswigger.net.

Burp User | Last updated: Dec 17, 2019 03:54AM UTC

I ran into a similar situation. The solution was to make sure that you have the key-value pair that you are going to replace using Burp's Proxy in the **original** request sent via the proxy. So, for example, you would tell SQLMap to send the parameter 'xxx' using --data='xxx=yyy&...' (the actual value that you give it is irrelevant). If you don't, the replacement rule does not happen.

Here's a simple cURL example. If I wanted the Proxy to replace csrf tokens with a valid csrf token and wrote the corresponding macro, it would work if I sent the request as follows:

http_proxy= curl -X POST -d userid=1 -d csrf=1

but not if I sent it as this (notice that I didn't add the csrf parameter):

http_proxy= curl -X POST -d userid=1 -d

It would be nice if the Session Tracer highlighted if a token was successfully added or not.
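The behaviour described in the last reply, as an added example that is not part of the original thread and is not Burp's own code: a small Python model of a rule that only overwrites a parameter already present in the request body, plus a pre-flight helper that adds a placeholder when it is missing. The function names and the token value are assumptions made for this illustration.

```python
from urllib.parse import parse_qsl, urlencode


def apply_token_rule(body: str, param: str, fresh: str) -> str:
    """Model of the rule as described in the thread: the value of `param`
    is overwritten only when `param` already exists in the body.
    A body without it passes through unchanged."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return urlencode([(k, fresh if k == param else v) for k, v in pairs])


def ensure_placeholder(body: str, param: str, placeholder: str = "1") -> str:
    """Pre-flight check: if `param` is absent, append it with a dummy value
    so that the update rule has something to replace."""
    pairs = parse_qsl(body, keep_blank_values=True)
    if any(k == param for k, _ in pairs):
        return body
    return urlencode(pairs + [(param, placeholder)])


def token_sent(body: str, param: str, expected: str) -> bool:
    """True when the outgoing body carries `param` with the expected value."""
    return dict(parse_qsl(body, keep_blank_values=True)).get(param) == expected


if __name__ == "__main__":
    FRESH = "tok-from-macro"  # constructed value standing in for the macro's result
    for original in ("userid=1", "userid=1&csrf=1"):  # constructed request bodies
        as_sent = apply_token_rule(original, "csrf", FRESH)
        fixed = apply_token_rule(ensure_placeholder(original, "csrf"), "csrf", FRESH)
        print(f"{original!r:20} -> {as_sent!r:32} fresh token sent: "
              f"{token_sent(as_sent, 'csrf', FRESH)}; with placeholder: "
              f"{token_sent(fixed, 'csrf', FRESH)}")
```
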
