Burp Suite User Forum


How can I use repeaters with the same cookie as the original request ?

Takashi | Last updated: Oct 10, 2017 11:20AM UTC

I have a question regarding using cookies. The cookie to be set differs between the web browser request (Original) and the Repeater request (Repeater). How can I use Repeater with the same cookie as the original request?

The following cookies are saved in Burp's cookie jar.

<Cookie jar>
Cookie: SID=1234567890
Cookie: SECURESID=0987654321

The requests and responses are below.

[Original]
<Request1>
Target: http://aaa.bbb.ccc.ddd
POST /xxxxx1.html HTTP/1.1
Cookie: SID=1234567890
<Response1>
HTTP/1.1 302 Found
Location: https://aaa.bbb.ccc.ddd/xxxxx2.html
<Request2>
Target: https://aaa.bbb.ccc.ddd
GET /xxxxx2.html HTTP/1.1
Cookie: SID=1234567890
Cookie: SECURESID=0987654321

[Repeater]
<Request1>
Target: http://aaa.bbb.ccc.ddd
POST /xxxxxxx1.html HTTP/1.1
Cookie: SID=1234567890
<Response1>
HTTP/1.1 302 Found
Location: https://aaa.bbb.ccc.ddd/xxxxx2.html
<Request2>
Target: https://aaa.bbb.ccc.ddd
GET /xxxxx2.html HTTP/1.1

Liam, PortSwigger Agent | Last updated: Oct 10, 2017 12:40PM UTC

Have you unchecked the "Repeater" box in Burp's Session handling rules? This option can be located via Project options > Sessions > Session Handling Rules > Use cookies from Burp's cookie jar > Edit > Scope.

Burp User | Last updated: Oct 11, 2017 09:53AM UTC

Thank you. I checked the "Repeater" box in Burp's Session handling rules, and I sent the same request as the Original. But I have two questions.

<Question1>
I have checked the "Scanner" in Burp's Session handling rules, but the "Scanner" did not use the cookie jar. What causes can be considered?

<Question2>
When I unchecked the "Repeater" box in Burp's Session handling rules, in the following case, the cookie to be set is the same between the web browser request (Original) and the Repeater request (Repeater). What causes can be considered? I think that handling of cookies is different due to a difference in protocols.

<yesterday case>
Request1 --> HTTP
Request2 --> HTTPS

<following>
Request1 --> HTTP
Request2 --> HTTP

[Original]
<Request1>
Target: http://aaa.bbb.ccc.ddd
POST /xxxx11.html HTTP/1.1
Cookie: SID=1234567890
Cookie: SECURESID=0987654321
<Response1>
HTTP/1.1 302 Found
Location: http://aaa.bbb.ccc.ddd/xxxx12.html
<Request2>
Target: http://aaa.bbb.ccc.ddd
GET /xxxx12.html HTTP/1.1
Cookie: SID=1234567890
Cookie: SECURESID=0987654321

[Repeater]
<Request1>
Target: http://aaa.bbb.ccc.ddd
POST /xxxx11.html HTTP/1.1
Cookie: SID=1234567890
Cookie: SECURESID=0987654321
<Response1>
HTTP/1.1 302 Found
Location: http://aaa.bbb.ccc.ddd/xxxx12.html
<Request2>
Target: http://aaa.bbb.ccc.ddd
GET /xxxx12.html HTTP/1.1
Cookie: SID=1234567890
Cookie: SECURESID=0987654321

PortSwigger Agent | Last updated: Oct 11, 2017 09:55AM UTC

Hi Takashi, Thanks for following up. We're still struggling to understand exactly what you're trying to do. Your issues appear to be related to Session Handling Rules. You can use the Session Tracer to debug these. If you have defined your own session handling rules, things get more complicated, but my default there is just "Use cookies from Burp's cookie jar". The scope of this is key (Project options > Sessions > Use cookies from Burp's cookie jar > Edit > Scope). Be aware there are also options within Project options > Sessions > Cookie jar - although I usually leave those as default. In general, you should send requests to Repeater, and they can be issued without automatic modification. If you're still having difficulty, can you please include some screenshots of what you're trying to do.
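The two effects discussed in this thread (the rule's tool scope deciding whether a request is touched at all, and a cookie jar withholding a Secure cookie from a plain-HTTP request) can be reproduced with a small model. The script below is an added example, not PortSwigger's code or Burp's implementation; it uses Python's standard http.cookiejar for the jar semantics and a deliberately simplified rule-scope check. The Set-Cookie values are constructed, and the assumption that SECURESID carries the Secure attribute is mine; the thread only shows the Cookie request headers, not how the cookies were set.

```python
"""Model: cookie jar + tool-scoped session handling rule.

Added example, not Burp's code. Jar behaviour comes from the stdlib
http.cookiejar (RFC 6265-style rules: domain, path, Secure attribute).
The rule-scope function is a simplified stand-in for Burp's
"Use cookies from Burp's cookie jar" rule and is an assumption.
"""
from http.client import HTTPMessage
from http.cookiejar import CookieJar
from urllib.request import Request


class _Response:
    """Minimal stand-in for the response object CookieJar.extract_cookies expects."""

    def __init__(self, set_cookie_values):
        self._headers = HTTPMessage()
        for value in set_cookie_values:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def build_jar(observed):
    """observed: list of (request_url, [Set-Cookie header values]) pairs,
    in the order the responses were seen. Returns a populated CookieJar.
    The scheme of request_url matters later: a cookie flagged Secure is
    stored like any other but only released to https requests."""
    jar = CookieJar()
    for url, set_cookies in observed:
        jar.extract_cookies(_Response(set_cookies), Request(url))
    return jar


def cookie_header_for(jar, url):
    """Cookie header the jar would attach to a request for url, or None
    if no stored cookie is eligible (wrong host, wrong path, Secure cookie
    on an http:// URL, ...)."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def cookie_header_with_rule(jar, url, tool, rule_scope):
    """Simplified model of the rule's Scope tab (assumption, not Burp's
    implementation): the rule only rewrites requests issued by a tool that
    is ticked in its scope; any other tool sends the request untouched."""
    if tool not in rule_scope:
        return None
    return cookie_header_for(jar, url)


# Constructed sample mirroring the thread: SID is set over HTTP, SECURESID
# is set over HTTPS with the Secure attribute (assumed; not shown in the post).
OBSERVED = [
    ("http://aaa.bbb.ccc.ddd/xxxxx1.html", ["SID=1234567890"]),
    ("https://aaa.bbb.ccc.ddd/xxxxx2.html", ["SECURESID=0987654321; Secure"]),
]
JAR = build_jar(OBSERVED)

if __name__ == "__main__":
    # Same path over http and https: only the https request gets SECURESID.
    for url in ("http://aaa.bbb.ccc.ddd/xxxxx2.html",
                "https://aaa.bbb.ccc.ddd/xxxxx2.html"):
        print(url, "->", cookie_header_for(JAR, url))
    # Rule scope: Repeater unticked means Repeater requests are not rewritten.
    scope = {"Proxy", "Scanner"}
    for tool in ("Proxy", "Repeater"):
        print(tool, "->", cookie_header_with_rule(
            JAR, "https://aaa.bbb.ccc.ddd/xxxxx2.html", tool, scope))
```

Run it and compare the two URLs: the http:// request carries only SID while the https:// request carries both, which is the "difference in protocols" the thread speculates about if SECURESID really is a Secure cookie. Untick Repeater in the model's scope set and Repeater requests get no Cookie header from the jar at all, which matches the first symptom reported; the Session Tracer in Burp shows the real rule decisions for each request.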
