Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Doesn't Burp Scanner use cookie jars?

maestro | Last updated: Apr 13, 2024 11:32PM UTC

Hello! I've encountered several issues during the crawling phase. I used the Burp Suite Chrome extension to record the login sequence and started crawling. When I check the live view, it seems like the login is successful, but a new login request is triggered with every button click. This seems unnecessary as I believe it should be possible to perform the crawling after a single login attempt rather than logging in again on every page. To address this, I utilized Burp Suite’s macro and session handling features to automatically update the cookie jar if a logout is detected. I thought using the "Use cookies from Burp's cookie jar" policy, which is set by default, alongside the scanner referencing the cookie jar for crawling, was the correct approach. I began crawling with the 'Crawl using my provided logins only' checked and set the Crawl strategy to 'most complete'. However, instead of using the stored PHPSESSID for example.com in the cookie jar, a new PHPSESSID for www.example.com is created and used for authentication during crawling. I am puzzled why two sets of cookies are being created: one for example.com (created earlier through session macro handling) and another for www.example.com (created anew during crawling without referencing the existing cookie jar). Is this a bug, or is there an explanation as to why Burp Suite creates and uses a new cookie for www.example.com instead of using the existing one for example.com? Waiting for your reply, Thank you!

maestro | Last updated: Apr 13, 2024 11:33PM UTC

For reference, we use the 2024.3.1 release version.

maestro | Last updated: Apr 14, 2024 07:05AM UTC

There seems to be a misunderstanding about the functionality of the Cookie Jar in relation to the Scanner. It appears that when the Scanner option is checked in the Cookie Jar settings, cookies are indeed stored. However, when only the Proxy is checked by default, cookies do not seem to be created. Aside from this, here's a summary of my queries: [1] The default session policy 'Use cookies from Burp's cookie jar' suggests that during crawling, the cookie jar should be referenced for cookies to perform scans. I am curious why this does not seem to happen. [2] Why doesn't the Burp Scanner use the cookies stored in the cookie jar after automatic login using macros and session handling policies? Is this method not possible?

Syed, PortSwigger Agent | Last updated: Apr 15, 2024 12:01PM UTC

Hi,

Thank you for your message!

The fact that Burp logs in multiple times during a crawl is expected behaviour when using a recorded login. Burp does use the cookie jar, however, not when you run a scan with the recorded login enabled. Burp logs in multiple times to find the best and optimal path to get a location in the app. We are already looking into alternatives where Burp only logs in once and not until the current session is expired. For now, if you are using recorded logins, you won't be able to use macros or cookie jar with it.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.