Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

IExtensionHelpers.makeHttpRequest() with cookies

August | Last updated: Nov 20, 2015 09:44AM UTC

It appears that IExtensionHelpers.makeHttpRequest(URL) does not include session cookies in the resulting request. How can I construct a GET request that includes the session cookies? Is there a helper method to get all the appropriate cookies for a particular domain/path?

PortSwigger Agent | Last updated: Nov 20, 2015 11:00AM UTC

The default session handling rule that adds cookies from the Burp cookie jar is only enabled for the Spider and Scanner tools. If you edit that rule and enable it for the Extender tool, then requests made via the API will be updated with cookies.

Burp User | Last updated: Nov 20, 2015 09:32PM UTC

Do you mean on the Options tab? I went to Options -> Session Handling Rules and added a rule to use the Cookie Jar in Extender. However, when I print the request to be issued by Extender I do not see that the Cookie Jar is actually adding cookies. Here is my code: byte[] request = helpers.buildHttpRequest(formUrl); if (DEBUG) callbacks.printOutput("Requesting token form:\n\n" + helpers.bytesToString(request)); byte[] response = callbacks.makeHttpRequest(formUrl.getHost(), 443, true, request); String responseString = helpers.bytesToString(response); The request that is printed in the debug output is this: Requesting token form: GET /page?parameter=value&return=true HTTP/1.1 Host: www.example.com Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close

PortSwigger Agent | Last updated: Nov 23, 2015 08:50AM UTC

Session handling rules are applied at the point a request is issued, not at the point you build it with buildHttpRequest(). If you chain an upstream instance of Burp, you will see that the cookies have been updated in the request that was sent (if appropriate).

Burp User | Last updated: Nov 24, 2015 06:03PM UTC