The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


How can I use repeaters with the same cookie as the original request?

Takashi | Last updated: Oct 10, 2017 11:20AM UTC

I have a question regarding the use of cookies. The cookie that is set differs between the Web browser request (Original) and the Repeater request (Repeater). How can I use repeaters with the same cookie as the original request? The following cookies are saved in Burp's Cookie jar.

<Cookie jar>
Cookie:SID=1234567890
Cookie:SECURESID=0987654321

The requests and responses are below.

[Original]
<Request1>
Target:http://aaa.bbb.ccc.ddd
POST /xxxxx1.html HTTP/1.1
Cookie:SID=1234567890
<Response1>
HTTP/1.1 302 Found
Location:https://aaa.bbb.ccc.ddd/xxxxx2.html
<Request2>
Target:https://aaa.bbb.ccc.ddd
GET /xxxxx2.html HTTP/1.1
Cookie:SID=1234567890
Cookie:SECURESID=0987654321

[Repeater]
<Request1>
Target:http://aaa.bbb.ccc.ddd
POST /xxxxxxx1.html HTTP/1.1
Cookie:SID=1234567890
<Response1>
HTTP/1.1 302 Found
Location:https://aaa.bbb.ccc.ddd/xxxxx2.html
<Request2>
Target:https://aaa.bbb.ccc.ddd
GET /xxxxx2.html HTTP/1.1

Liam, PortSwigger Agent | Last updated: Oct 10, 2017 12:40PM UTC

Have you unchecked the "Repeater" box in Burp's Session handling rules? This option can be located via Project options > Sessions > Session Handling Rules > Use cookies from Burp's cookie jar > Edit > Scope.

Burp User | Last updated: Oct 11, 2017 09:53AM UTC

Thank you. I checked the “Repeater” box in Burp’s Session handling rules, and I sent the same request as the Original. But I have two questions.

<Question1>
I have checked the "Scanner" in Burp's Session handling rules, but the "Scanner" did not use the cookie jar. What causes can be considered?

<Question2>
When I unchecked the "Repeater" box in Burp's Session handling rules, in the following case, the cookie that is set is the same between the Web browser request (Original) and the Repeater request (Repeater). What causes can be considered? I think that handling of cookies is different due to a difference in protocols.

<yesterday case>
Request1 --> HTTP
Request2 --> HTTPS

<following>
Request1 --> HTTP
Request2 --> HTTP

[Original]
<Request1>
Target:http://aaa.bbb.ccc.ddd
POST /xxxx11.html HTTP/1.1
Cookie:SID=1234567890
Cookie:SECURESID=0987654321
<Response1>
HTTP/1.1 302 Found
Location:http://aaa.bbb.ccc.ddd/xxxx12.html
<Request2>
Target:http://aaa.bbb.ccc.ddd
GET /xxxx12.html HTTP/1.1
Cookie:SID=1234567890
Cookie:SECURESID=0987654321

[Repeater]
<Request1>
Target:http://aaa.bbb.ccc.ddd
POST /xxxx11.html HTTP/1.1
Cookie:SID=1234567890
Cookie:SECURESID=0987654321
<Response1>
HTTP/1.1 302 Found
Location:http://aaa.bbb.ccc.ddd/xxxx12.html
<Request2>
Target:http://aaa.bbb.ccc.ddd
GET /xxxx12.html HTTP/1.1
Cookie:SID=1234567890
Cookie:SECURESID=0987654321

PortSwigger Agent | Last updated: Oct 11, 2017 09:55AM UTC