Burp Suite User Forum

Create new post

Extension-based active scans not running when Cookies contain too many insertion points (?)

Pieter | Last updated: Dec 27, 2023 09:52PM UTC

I'm noticing the extension scans are not running on requests that contain too many insertion points (?) in the cookies. Expected behaviour would be to stick to the "maximum defined insertion points" limit in the scan configuration. I tried to zoom in on the issue as closely as possible, my test scenario is outlined below. To reproduce, in Burp , add a new live task with the following settings: Scan details: - Live audit - [x] Proxy - [x] Suite scope Scan configuration: Select from library > audit checks - extensions only Ensure you have an extension installed that contains an active scan. Now run: ``` curl -i https://www.google.com/do/not/try -H 'Cookie: x=y=0&x=y&x=y&x=y&x=y&x=y&x=y&x=y&x=y&x=false; foobar=eyJvcHRPdXQiOmZhbHNlLCJzZXNzaW9uSWQiOm51bGwsImxhc3RFdmVudFRpbWUiOm51bGwsImV2ZW50SWQiOjAsImlkZW50aWZ5SWQiOjAsInNlcXVlbmNlTnVtYmVyIjowfQ==;z=eyJkZXZpY2VJZCI6IngiLCJ1c2VySWQiOiJ5Iiwib3B0T3V0IjpmYWxzZSwic2Vzc2lvbklkIjoxLCJsYXN0RXZlbnRUaW1lIjoxLCJldmVudElkIjoxLCJpZGVudGlmeUlkIjoxLCJzZXF1ZW5jZU51bWJlciI6MX0=;' -x localhost:8080 -iks > /dev/null ``` In Logger, note that the Extension does not send any additional requests Now run the following (this only differs by one character, x=y10 instead of x=y=0): ``` curl -i https://www.google.com/do/not/try -H 'Cookie: x=y10&x=y&x=y&x=y&x=y&x=y&x=y&x=y&x=y&x=false; foobar=eyJvcHRPdXQiOmZhbHNlLCJzZXNzaW9uSWQiOm51bGwsImxhc3RFdmVudFRpbWUiOm51bGwsImV2ZW50SWQiOjAsImlkZW50aWZ5SWQiOjAsInNlcXVlbmNlTnVtYmVyIjowfQ==;z=eyJkZXZpY2VJZCI6IngiLCJ1c2VySWQiOiJ5Iiwib3B0T3V0IjpmYWxzZSwic2Vzc2lvbklkIjoxLCJsYXN0RXZlbnRUaW1lIjoxLCJldmVudElkIjoxLCJpZGVudGlmeUlkIjoxLCJzZXF1ZW5jZU51bWJlciI6MX0=;' -x localhost:8080 -iks > /dev/null ``` Note that the extension is now firing its additional scan requests. I'm using Burp v2023.11.1.3 on Windows

Dominyque, PortSwigger Agent | Last updated: Dec 28, 2023 10:32AM UTC

Hi Pieter Thank you for reporting this. We will investigate and attempt to replicate the issue and will update this thread once we have done so.

Hannah, PortSwigger Agent | Last updated: Jan 02, 2024 12:52PM UTC

Hi Thank you for your patience. We've tested this out with extension and BCheck-provided scan checks. In both cases, the "x=y=0" request resulted in additional insertion points and more requests sent. Could you provide some more details on the issue you are having? If you can, it would be useful if you could drop us an email at support@portswigger.net with a screen recording of your replication steps, so that we can ensure that we are replicating this issue as closely to you as possible.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.