Burp Suite User Forum


Custom scan configuration (cookie value) not working in Enterprise

Drew | Last updated: Apr 02, 2019 02:56PM UTC

I've seen the messages on here about how to set a custom cookie value in Burp Enterprise by setting up a session rule in Burp Pro and exporting its JSON to upload. I've done this, resulting in an entry in the JSON that looks like:

    "actions":[
        {
            "add_as":"cookie",
            "add_if_not_present":true,
            "enabled":true,
            "name":"TOKEN",
            "type":"set_param",
            "value":"TOKENVALUE_XYZ"
        }
    ],
    "description":"Session Token",
    "enabled":true,
    "exclude_from_scope":[],
    "include_in_scope":[],
    "named_params":[],
    "restrict_scope_to_named_params":false,
    "tools_scope":[ "Target", "Spider", "Scanner", "Intruder", "Repeater", "Sequencer" ],

I import this as a scan configuration in Burp Enterprise and then run my scan with that configuration added. Now I can't actually see a list of requests made by the scanner, which makes debugging this extremely hard, but if I go into findings I can see a few requests here and there. None of them have this cookie set, and I don't know why.

The application I'm attempting to test while authenticated has a complex JavaScript login process that doesn't work in Enterprise, no surprise. I don't mind importing a specific cookie value to make this work, but I really need some documentation on how to get this workaround to actually work.

Other weirdness I noticed in the process: if this is my only way to set a temporary cookie value for testing, the list of scan configurations is going to get unwieldy fast. You can't update a scan configuration by uploading a new version, and I can't seem to delete them. So every time you need a new cookie value explicitly set, your list will grow by one. I think we have about a month left on our Enterprise eval period; any chance there could be some documentation or fixes to address this in the next few weeks?

PortSwigger Agent | Last updated: Apr 02, 2019 03:05PM UTC

Drew - apologies that you've had issues with this. Can you please send us the full JSON for the scan configuration? I suspect the issue may be related to scoping, and the JSON should confirm. Understand the issues with scan configs becoming unwieldy. That is on our plan to fix. Obviously it will be less of an issue once JavaScript crawling is working.

PortSwigger Agent | Last updated: Apr 03, 2019 08:09AM UTC

Thanks for getting back to me. Please try using "Include all URLs" as the URL Scope - instead of "Use suite scope" as you have currently. I know you set the scope in your config file, but I think Enterprise overrides this. We do have a number of users successfully using this configuration.

Burp User | Last updated: Apr 03, 2019 02:56PM UTC

Thanks Paul, I appreciate any guidance on how to get this working. I unfortunately can't post the entire .json file as it exceeds the maximum length of the Answer field. I've attached what I believe are the relevant sections (with sensitive info removed). If you need additional sections, please let me know. Thanks!

    {
        "project_options":{
            "connections":{
                "hostname_resolution":[],
                "out_of_scope_requests":{
                    "advanced_mode":false,
                    "drop_all_out_of_scope":false,
                    "exclude":[],
                    "include":[],
                    "scope_option":"suite"
                },
                "platform_authentication":{
                    "credentials":[],
                    "do_platform_authentication":true,
                    "prompt_on_authentication_failure":false,
                    "use_user_options":true
                },
                "socks_proxy":{
                    "dns_over_socks":false,
                    "host":"",
                    "password":"",
                    "port":0,
                    "use_proxy":false,
                    "use_user_options":true,
                    "username":""
                },
                ....
                ....
                "session_handling_rules":{
                    "rules":[
                        {
                            "actions":[
                                {
                                    "enabled":true,
                                    "match_cookies":"all_except",
                                    "type":"use_cookies"
                                }
                            ],
                            "description":"Use cookies from Burp's cookie jar",
                            "enabled":false,
                            "exclude_from_scope":[],
                            "include_in_scope":[],
                            "named_params":[],
                            "restrict_scope_to_named_params":false,
                            "tools_scope":[ "Spider", "Scanner" ],
                            "url_scope":"all",
                            "url_scope_advanced_mode":false
                        },
                        {
                            "actions":[
                                {
                                    "add_as":"cookie",
                                    "add_if_not_present":true,
                                    "enabled":true,
                                    "name":"TOKEN",
                                    "type":"set_param",
                                    "value":"TOKENVALUE_XYZ"
                                }
                            ],
                            "description":"Session Token",
                            "enabled":true,
                            "exclude_from_scope":[],
                            "include_in_scope":[],
                            "named_params":[],
                            "restrict_scope_to_named_params":false,
                            "tools_scope":[ "Target", "Spider", "Scanner", "Intruder", "Repeater", "Sequencer" ],
                            "url_scope":"suite",
                            "url_scope_advanced_mode":false
                        }
                    ]
                }
            },
            ....
            ....
            "scope":{
                "advanced_mode":false,
                "exclude":[],
                "include":[
                    {
                        "enabled":true,
                        "prefix":"https://subdomain.domain.com/"
                    }
                ]
            }
        }
    }

Burp User | Last updated: Apr 03, 2019 06:13PM UTC

That did it, thanks Paul!
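The fix that resolved this thread comes down to one field in the exported session-handling rule: the cookie-injecting rule carried "url_scope":"suite", and the working form is "url_scope":"all" (the "Include all URLs" choice). The following is an added example, not code from the thread or from PortSwigger, that lints an exported configuration for that shape and rewrites it; the sample config is constructed from the rules posted above, and the "sessions" parent key is an assumption the walk does not rely on.

```python
"""Added example: lint an exported Burp Pro scan configuration for the scoping
pitfall in this thread.  Constructed sample and an assumed parent key, not a real export."""
import copy

# Constructed sample modelled on the rules posted above; "sessions" is an
# assumed parent key, and the walk below does not depend on it.
SAMPLE_CONFIG = {"project_options": {"sessions": {"session_handling_rules": {"rules": [
    {"actions": [{"enabled": True, "match_cookies": "all_except", "type": "use_cookies"}],
     "description": "Use cookies from Burp's cookie jar", "enabled": False,
     "tools_scope": ["Spider", "Scanner"], "url_scope": "all"},
    {"actions": [{"add_as": "cookie", "add_if_not_present": True, "enabled": True,
                  "name": "TOKEN", "type": "set_param", "value": "TOKENVALUE_XYZ"}],
     "description": "Session Token", "enabled": True,
     "tools_scope": ["Target", "Spider", "Scanner"], "url_scope": "suite"},
]}}}}


def iter_session_rules(node):
    """Yield every rule under any "session_handling_rules" key, wherever it sits."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "session_handling_rules" and isinstance(value, dict):
                yield from value.get("rules", [])
            else:
                yield from iter_session_rules(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_session_rules(item)


def is_suite_scoped_cookie_rule(rule):
    """True for an enabled rule that injects a cookie but is scoped to "suite",
    the combination that did not take effect under Enterprise in this thread."""
    injects_cookie = any(
        a.get("enabled") and a.get("type") == "set_param" and a.get("add_as") == "cookie"
        for a in rule.get("actions", []))
    return bool(rule.get("enabled")) and injects_cookie and rule.get("url_scope") == "suite"


def find_suite_scoped_cookie_rules(config):
    """Return the descriptions of rules that need their URL scope widened."""
    return [r.get("description", "<unnamed>") for r in iter_session_rules(config)
            if is_suite_scoped_cookie_rule(r)]


def widen_cookie_rule_scope(config):
    """Return a copy with those rules set to "url_scope": "all" ("Include all URLs")."""
    fixed = copy.deepcopy(config)
    for rule in iter_session_rules(fixed):
        if is_suite_scoped_cookie_rule(rule):
            rule["url_scope"] = "all"
    return fixed
```

Run find_suite_scoped_cookie_rules over a json.load of the exported file before uploading it to Enterprise; the disabled cookie-jar rule is left alone, and only the enabled cookie-setting rule is rewritten.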
