Burp Suite User Forum


Cookie jar saves cookie with empty path and generic domain

Jull | Last updated: Jan 17, 2023 08:22PM UTC

Hello,

Using Burp I noticed that if I log in on a webpage while the proxy is on, I get the cookie with all fields complete, like this:

DOMAIN test.example.com
PATH /test
NAME SESSIONID
VALUE ADCCBB00235682W1
EXPIRE 01/08/2023

But if I switch on the proxy after I am already logged in to the application, the situation is the following:

DOMAIN *.example.com
PATH
NAME SESSIONID
VALUE ADCCBB00235682W1
EXPIRE

The cookie domain becomes generic, and path and expiration are empty. While scanning I haven't met any issues; the cookie just doesn't expire and works for all paths and all subdomains, while the first cookie works only for test.example.com and under the /test path.

I guess it doesn't get all fields populated because in the first scenario the cookie is received from the response with the header:

Set-Cookie: SESSION=ADCCBB00235682W1; PATH=/test; DOMAIN=test.example.com:+; expire=01/08/2023

In the second scenario, instead, the cookie is updated in the cookie jar from the request (since I am already logged in), and the request is missing the path, expire and domain.

As I said, I didn't have any problems scanning an application using a cookie intercepted from a request and not a response, but I was wondering if it is a bad practice. I usually let Burp bypass the login because usually I don't scan the login HTTP requests, to avoid lock account problems etc., and usually I forget to delete them from consolidate items.

Thank you

Hannah, PortSwigger Agent | Last updated: Jan 19, 2023 05:02PM UTC

Hi,

Do you find that your stored cookies get updated in your cookie jar? Depending on the scan configuration, it is very likely that the Scanner is not using the cookies from the cookie jar, and is handling its own authentication through the application login/recorded login functionality instead.

Jull | Last updated: Jan 19, 2023 07:44PM UTC

Thank you for your answer.

I don't use the login/recorded functionality. What I do is the following: I get on the login web page and log in myself through my browser (Firefox, Chrome etc.), then after I've logged in I set the proxy on my browser and Burp updates the cookie jar (since I am already logged in to the application, Burp updates the cookie jar using the HTTP request and not the HTTP response, because the cookies are already set on my browser). All works great; if I launch the scanner, Burp uses the correct cookies.

But going into the cookie jar to view the cookies, I see the path value is empty (it doesn't have the "/"), the expire date is empty, and the cookie domain value on the browser is test.example.com while on Burp it is *.example.com.

This happens because if I log in to the web application while Burp is already intercepting, it updates the cookie jar based on the HTTP response, and since the HTTP response contains the path, domain and expire values of the cookie, going into the cookie jar I can see all the info. Intercepting the request after I logged in to the web application, Burp catches the cookie from the HTTP requests, and since the HTTP requests don't contain the domain value, path and expire but just the cookie name and its value (e.g. Session=ASHHJJJJAAA), Burp leaves the path and expire date of the cookie inside the cookie jar blank and sets the scope domain using the wildcard.

I just would like to know if it is a problem to use a cookie which is set in the cookie jar through an HTTP request and not a response.

Thank you

Jull | Last updated: Jan 21, 2023 12:22PM UTC

So basically this is what happens:

1) I go to www.example.com/login with my browser (Chrome, Firefox etc.);
2) I insert username and password and authenticate inside the application;
3) I go to the proxy settings of my browser and enable the proxy to let Burp intercept requests (127.0.0.1:8080);
4) I start to navigate the application and Burp inspects the HTTP request, inside which there is the Cookie header:

GET /account HTTP/1.1
Host: www.example.com
Cookie: SESSIONID=ALREADY-LOGGED-IN

5) Burp adds the cookie to the cookie jar.

After all this process, if I go to the cookie jar options and view the cookie just added, I notice that the expire-date value is blank, the path value too, and the domain is generic.

On my browser the cookie looks like this:

"DOMAIN=www.example.com; PATH=/; SESSIONID=ALREADY-LOGGED-IN; expire=12/12/2023"

Inside the cookie jar:

"DOMAIN=*.example.com; PATH=; SESSIONID=ALREADY-LOGGED-IN expire="

Is this the expected behaviour because the cookie was added to the cookie jar by an HTTP request and not an HTTP response, or is this a bug?

Hannah, PortSwigger Agent | Last updated: Jan 24, 2023 02:53PM UTC

Hi,

Yes, this is expected behavior when the cookie has been retrieved from the request rather than from a response.
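The difference discussed in this thread, as an added example that is not part of the original posts and is not Burp's code: a simplified cookie-jar model in Python showing what can be recovered from a Set-Cookie response header versus a Cookie request header, and how the resulting scope differs. The function names, the matching rules and the sample headers are assumptions constructed from the values quoted above.

```python
# Simplified cookie-jar model. Assumption: illustrative only, not Burp's code.
# Sample headers below are constructed from the values quoted in the thread.
SET_COOKIE = ("SESSIONID=ADCCBB00235682W1; Path=/test; "
              "Domain=test.example.com; Expires=Tue, 01 Aug 2023 00:00:00 GMT")
COOKIE = "SESSIONID=ADCCBB00235682W1"

def from_set_cookie(host, header):
    """Entry learned from a Set-Cookie response header: attributes are present."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    a = {k.strip().lower(): v.strip()
         for k, _, v in (x.partition("=") for x in attrs)}
    return {"name": name, "value": value,
            "domain": a.get("domain", host).lstrip("."),
            "path": a.get("path", ""), "expires": a.get("expires", "")}

def from_cookie_header(host, header):
    """Entries learned from a Cookie request header: only name=value is sent,
    so path and expiry stay empty and the domain is widened to a wildcard,
    which is how the thread describes the resulting jar entry."""
    wildcard = "*." + host.split(".", 1)[1] if host.count(".") >= 2 else host
    entries = []
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            entries.append({"name": name, "value": value,
                            "domain": wildcard, "path": "", "expires": ""})
    return entries

def would_send(entry, host, path):
    """True if this model attaches the entry to a request for host + path.
    Simplification: every domain is suffix-matched, an empty path matches all."""
    d = entry["domain"]
    base = d[2:] if d.startswith("*.") else d
    host_ok = host == base or host.endswith("." + base)
    p = entry["path"]
    path_ok = p in ("", "/") or path == p or path.startswith(p.rstrip("/") + "/")
    return host_ok and path_ok

if __name__ == "__main__":
    learned = {"response": from_set_cookie("test.example.com", SET_COOKIE),
               "request": from_cookie_header("test.example.com", COOKIE)[0]}
    for source, entry in learned.items():
        print(source, entry)
        for host, path in [("test.example.com", "/test/account"),
                           ("other.example.com", "/admin")]:
            print("   sent to", host + path, "->", would_send(entry, host, path))
```

In this model the request-learned entry is also attached to other.example.com/admin, while the response-learned entry stays limited to test.example.com under /test.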
