Burp Suite User Forum


Can you use the cookie jar for crawling site?

Micah | Last updated: Mar 26, 2019 03:52PM UTC

I am trying to crawl a site, but the cookie jar cookies are not being applied. The session handling tracer displays the following message: "Vetoing rule: Use cookies from Burp's cookie jar". The site has a captcha when logging in, so setting an application login in the crawler does not work. Can I force Burp's crawler to use cookies?

PortSwigger Agent | Last updated: Mar 26, 2019 04:23PM UTC

The crawler has its own cookie jar and doesn't use the main Burp jar. This is key to its design, as it automatically goes through application states such as logged-in / logged-out. You can force the crawler to use a specific cookie: create a session handling rule with the action "Set a specific cookie or parameter value" and fill in the cookie name and value there. If you do this, make sure not to exclude any logout or signout links from your scope.

Liam, PortSwigger Agent | Last updated: Mar 27, 2019 11:39AM UTC

Matias, this method won't work with the new crawler. However, if you perform the authentication manually and use the "Set a specific cookie or parameter value" session handling rule, this should work. Please let us know if you need any further assistance.
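The rule action the two replies above describe can also be expressed as a Burp extension, which makes its behaviour explicit. The following is an added example written for this page; it is not code from the thread or from PortSwigger. It assumes the Montoya extension API (package `burp.api.montoya`, interfaces `BurpExtension`, `SessionHandlingAction`, `SessionHandlingActionData`, `ActionResult`, and `HttpRequest.withParameter` / `HttpParameter.cookieParameter`), and the cookie name, cookie value, class name and the list of logout paths are placeholders chosen for illustration. The logout guard reflects the warning in the first reply: the crawler follows every link it finds, so a request to a logout link carrying the injected cookie would end the very session the cookie was meant to keep.

```java
// Added example (not from the thread or from PortSwigger): a minimal Burp extension
// built against the Montoya API that registers a custom session handling action.
// It does the same job as the built-in "Set a specific cookie or parameter value"
// action: every request the rule covers is re-issued with a fixed session cookie.
// COOKIE_NAME, COOKIE_VALUE and LOGOUT_PATHS are placeholders to adapt per target.
import burp.api.montoya.BurpExtension;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.http.message.params.HttpParameter;
import burp.api.montoya.http.message.requests.HttpRequest;
import burp.api.montoya.http.sessions.ActionResult;
import burp.api.montoya.http.sessions.SessionHandlingAction;
import burp.api.montoya.http.sessions.SessionHandlingActionData;

import java.util.List;

public class FixedSessionCookieAction implements BurpExtension, SessionHandlingAction {

    // Placeholder: paste the cookie captured after logging in manually (for example in
    // the embedded browser, so a human solves the CAPTCHA rather than Burp).
    private static final String COOKIE_NAME = "JSESSIONID";
    private static final String COOKIE_VALUE = "replace-with-captured-value";

    // Placeholder list: requests to these paths are left untouched so the crawler
    // cannot use the injected cookie to log the real session out.
    private static final List<String> LOGOUT_PATHS = List.of("/logout", "/signout");

    private MontoyaApi api;

    @Override
    public void initialize(MontoyaApi api) {
        this.api = api;
        api.extension().setName("Fixed session cookie (example)");
        // After registration the action is selectable in a session handling rule via
        // the "Invoke a Burp extension" rule action; the rule's tools scope decides
        // whether the Scanner (and so the crawler) is covered.
        api.http().registerSessionHandlingAction(this);
    }

    @Override
    public String name() {
        return "Set fixed " + COOKIE_NAME + " cookie";
    }

    @Override
    public ActionResult performAction(SessionHandlingActionData actionData) {
        HttpRequest request = actionData.request();
        if (isLogoutRequest(request.path())) {
            api.logging().logToOutput("Leaving logout request untouched: " + request.url());
            return ActionResult.actionResult(request);
        }
        // withParameter() adds the cookie or replaces an existing one with the same
        // name, so a stale value issued by the server does not survive into the request.
        HttpRequest updated = request.withParameter(
                HttpParameter.cookieParameter(COOKIE_NAME, COOKIE_VALUE));
        return ActionResult.actionResult(updated);
    }

    // Case-insensitive prefix match on the request path, e.g. "/logout?next=/home".
    static boolean isLogoutRequest(String path) {
        String lower = path.toLowerCase();
        return LOGOUT_PATHS.stream().anyMatch(lower::startsWith);
    }
}
```

Load the compiled JAR under Extensions, then add a session handling rule whose only action is "Invoke a Burp extension" pointing at this action, with the target URLs in scope and the Scanner selected in the rule's tools scope. Whether the crawler honours the rule is subject to the same scope checks as the built-in action, so the session tracer remains the place to confirm it is being applied.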

Burp User | Last updated: Jul 09, 2019 06:55PM UTC

Is it possible to do that, but with a cookie previously obtained from a session handling rule?

Burp User | Last updated: Nov 26, 2019 07:23PM UTC

Where do we set a specific cookie or parameter value?

Burp User | Last updated: Nov 26, 2019 07:38PM UTC

I have set a specific cookie parameter, but during crawling it doesn't send the specific cookie param. Can't we use the specific cookies while crawling from Burp?

Burp User | Last updated: Nov 26, 2019 07:48PM UTC

I updated the existing "Use Burp cookie jar" rule with the new action "Set a specific cookie or parameter value". This did not work. Later I added a new session handling rule (and also added a semicolon to the JSESSIONID value, if that matters) and it started sending the cookies in the requests while crawling.

Liam, PortSwigger Agent | Last updated: Nov 27, 2019 11:49AM UTC

Jyothsna, which version of Burp are you using? Are you performing a manual crawl or using Burp's automated crawl function?

Phil | Last updated: May 24, 2023 09:57AM UTC

I would also love to be able to specify cookies to use when crawling and auditing an application. It was my understanding that if I add a session handling rule that reads "Set specified cookie" with a rule action to "Set the cookie: JSESSIONID=[REDACTED]", which has all URLs in scope, and I apply this rule to the Scanner, then the cookie I specified in the rule action would be added to the Scanner's requests, as is the case with e.g. the Repeater. However, this is not the case. It doesn't add anything whatsoever. So now I can only scan the target without authentication, which is obviously neither useful nor desirable. When I try to debug this behavior with the session tracer, all I receive is the overly verbose (/s) output "Vetoing rule: [name of the rule]". That is not a helpful error message. How/why/on what grounds is this being vetoed? Why does it work in the Repeater but not the Scanner? Basically: how can I actively scan an asset and provide a cookie for it?

Dominyque, PortSwigger Agent | Last updated: May 24, 2023 01:27PM UTC

Hi Phil, thank you for your message. If you use the 'Fastest' crawl strategy (in the crawl optimization setting) when setting up your scans, then that uses cookies already in Burp's general cookie jar. So you can log in to the site using the embedded browser and then kick off the scan with this crawl configuration set to do what you want. There are some details for this scan configuration on the linked page: https://portswigger.net/burp/documentation/scanner/scan-configurations/crawl-options#crawl-optimization
