Burp Suite User Forum


Emptying cookie jar with new session

Andrej | Last updated: May 23, 2018 02:23PM UTC

When I have a name of the cookie which is changing with different sessions (cookie name is dynamic as well), Burp stores each new name in the cookie jar and then sends it within the requests. Within a session management, it would be great to have a checkbox. When the session is deemed invalid, Burp would clear the entire cookie jar. In such a case, all the new cookies would be valid (since the session management is performed afterwards) and there wouldn't be problems with dynamic values and having many different session cookies sent at the same time. Thanks, Andrej

PortSwigger Agent | Last updated: May 23, 2018 02:25PM UTC

Hi Andrej, I agree, this would be a useful feature. We will look at including this when we next work on Session Handling Rules. In the meantime, you can use the WAF Cookie Fetcher extension. This provides a Session Handling Action to empty the cookie jar. To use it, in the session handling action editor, select "After running the macro, invoke a Burp extension action handler", then choose "Empty cookie jar". Let me know how you get on.

Burp User | Last updated: May 25, 2018 01:53PM UTC

Thank you Paul, I was not aware of such an extension. However, if I understand it correctly, when I would empty cookie jar *after* the session management macro, I would then lose all the session cookies. My use-case would need to do this action after out-of-session is detected, but before new session is triggered. Thanks again, Andrej

PortSwigger Agent | Last updated: May 25, 2018 01:58PM UTC

Hi Andrej, I don't know if you tried this. If not, it would be worth trying, as it may work. Failing that, you would need to code a custom extension. It shouldn't be particularly difficult though. You could analyze the macro response using IExtensionHelpers.analyzeResponse and get all the parameter names that are cookies. You could then delete everything else from the cookie jar. Please let us know if you need any further assistance.

Burp User | Last updated: Mar 28, 2019 08:12PM UTC

The WAF Cookie Fetcher no longer works. What are the methods we can use to delete cookies from the cookie jar? I'm not able to find a method to remove a cookie from a cookie jar or even a method to update a cookie.

Liam, PortSwigger Agent | Last updated: Mar 29, 2019 11:31AM UTC

Michael, what issues are you having with the WAF Cookie Fetcher? Have you updated to the latest version of Burp?

Burp User | Last updated: Apr 17, 2019 06:27PM UTC

I'm using version 1.7.21. This is the issue https://github.com/bao7uo/waf-cookie-fetcher/issues/6

PortSwigger Agent | Last updated: Apr 18, 2019 08:17AM UTC

I just verified that the delete cookie function still works in Burp: https://gist.github.com/pajswigger/1d528a8745c7427adabd5cd1eb21cb56

I've mentioned the issue to the extension author but not heard back beyond his original holding reply.
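The approach suggested in the May 25, 2018 reply (collect the cookies set by the macro responses with IExtensionHelpers.analyzeResponse, then remove everything else from the jar), as an added example against the legacy Burp Extender API; it is not code from this thread, the linked gist or the WAF Cookie Fetcher extension. The extension name, action name and `Tombstone` class are hypothetical, and it assumes Burp removes a jar entry when `updateCookieJar` receives a cookie whose value is null, which this page does not state.

```java
package burp;

import java.util.Date;
import java.util.HashSet;
import java.util.Set;

public class BurpExtender implements IBurpExtender, ISessionHandlingAction {
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Prune cookie jar");      // hypothetical name
        callbacks.registerSessionHandlingAction(this);
    }

    @Override
    public String getActionName() { return "Keep only macro cookies"; } // hypothetical name

    @Override
    public void performAction(IHttpRequestResponse currentRequest, IHttpRequestResponse[] macroItems) {
        // Names of the cookies the macro responses set, i.e. the fresh session.
        Set<String> fresh = new HashSet<>();
        if (macroItems != null) {
            for (IHttpRequestResponse item : macroItems) {
                if (item.getResponse() == null) continue;
                for (ICookie c : helpers.analyzeResponse(item.getResponse()).getCookies())
                    fresh.add(c.getName());
            }
        }
        if (fresh.isEmpty()) return; // macro set no cookies: leave the jar untouched
        // Matching is by name only; also compare getDomain() if the jar holds other hosts' cookies.
        for (ICookie old : callbacks.getCookieJarContents()) {
            if (!fresh.contains(old.getName()))
                callbacks.updateCookieJar(new Tombstone(old));
        }
    }

    // Copy of a jar entry with a null value. ASSUMPTION: Burp drops such an entry from the jar.
    private static final class Tombstone implements ICookie {
        private final ICookie src;
        Tombstone(ICookie src) { this.src = src; }
        public String getDomain() { return src.getDomain(); }
        public String getPath() { return src.getPath(); }
        public Date getExpiration() { return src.getExpiration(); }
        public String getName() { return src.getName(); }
        public String getValue() { return null; }
    }
}
```

The action is meant to be selected under "After running the macro, invoke a Burp extension action handler", so that stale dynamically named cookies are pruned once the macro has set the new ones.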
