Burp Suite User Forum


Bypass WAF session handling

Ashish | Last updated: May 11, 2020 08:02PM UTC

We were trying to use the Bypass WAF Extension to test the IP address black-list handling on our WAF. I have followed the steps in the post https://www.codewatch.org/blog/?p=408 and have added the session handling rule. I have enabled the session handling for all the options including "Proxy" and "Extender". For the URL scope, it is set to "Include all URLs". However, when I perform a proxy intercept and forward the request, the source IP headers are not seen as added. Secondly, the session tracing option is not showing any of the sessions being handled by the Extender. Please provide any ideas of what could be missing.

Hannah, PortSwigger Agent | Last updated: May 12, 2020 07:58AM UTC

Are you monitoring your traffic using a third-party extension like Flow or Logger++? This will show how your requests have been affected, as the session handling rule is applied before it is passed through to them. You will need to make sure that Flow or Logger++ is set below your other extensions in your Extender list (so it is last on the list), as the order that the extensions are in does matter for monitoring purposes.

Ashish | Last updated: May 13, 2020 04:55AM UTC

Thanks so much for your response. I added the Logger++ Extender as you specified, after the Bypass WAF in the project scope. However, no luck, still do not see the IP address related headers injected into the requests.

Hannah, PortSwigger Agent | Last updated: May 13, 2020 07:30AM UTC

Have you checked using Flow as well? I just checked using both, and Flow displayed the appended headers, whereas Logger++ did not. This has been raised before as an issue with Logger++. You can see the details here: https://github.com/nccgroup/LoggerPlusPlus/issues/42

Ashish | Last updated: May 14, 2020 02:59PM UTC

Yes, using Flow I was able to see the 4 header variables injected by the Bypass WAF extender. Thanks for your timely help!
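The opening post is testing whether the WAF's IP black-list can be swayed by source-IP headers injected into each request. As an added example (not code from the thread, the Bypass WAF extension or PortSwigger), the Python below first inspects a raw request, as Flow would display it, for such headers, and then computes the client IP the way a WAF or application should, honouring X-Forwarded-For only when the TCP peer is a trusted proxy. The header set, addresses and sample request are assumptions and constructed values; the thread does not list the four headers.

```python
import ipaddress
from typing import Dict, Iterable, List

# Client-IP override headers commonly injected by proxies and testing tools.
# Assumed set: the thread says "4 header variables" but does not name them.
SOURCE_IP_HEADERS = ("X-Forwarded-For", "X-Originating-IP", "X-Remote-IP", "X-Remote-Addr")


def parse_request_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP request (request line, then headers, then a blank line)."""
    lines = raw.split("\r\n") if "\r\n" in raw else raw.split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:          # skip the request line
        if not line.strip():        # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def injected_source_ip_headers(raw: str) -> List[str]:
    """Names of the source-IP override headers actually present in the request."""
    present = parse_request_headers(raw)
    return [h for h in SOURCE_IP_HEADERS if h.lower() in present]


def resolve_client_ip(peer_ip: str, headers: Dict[str, str], trusted_proxies: Iterable[str]) -> str:
    """Client IP as a WAF/app should compute it.

    Only X-Forwarded-For is consulted, and only when the TCP peer is a trusted
    proxy; the chain is walked from the right, skipping trusted hops, so a
    client-supplied value on the left cannot override the real source.
    Anything else (other override headers, untrusted peer) yields peer_ip.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def trusted(addr: str) -> bool:
        try:
            return any(ipaddress.ip_address(addr) in n for n in nets)
        except ValueError:
            return False

    if not trusted(peer_ip):
        return peer_ip              # direct client: headers are untrusted input
    for hop in reversed([h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break                   # malformed entry: fall back to the peer address
        if not trusted(hop):
            return hop
    return peer_ip
```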
