Burp community forum

IExtensionHelpers.makeHttpRequest() with cookies

August | Last updated: Nov 20, 2015 09:44AM UTC

It appears that IExtensionHelpers.makeHttpRequest(URL) does not include session cookies in the resulting request. How can I construct a GET request that includes the session cookies? Is there a helper method to get all the appropriate cookies for a particular domain/path?

PortSwigger Agent | Last updated: Nov 20, 2015 11:00AM UTC

The default session handling rule that adds cookies from the Burp cookie jar is only enabled for the Spider and Scanner tools. If you edit that rule and enable it for the Extender tool, then requests made via the API will be updated with cookies.

Burp User | Last updated: Nov 20, 2015 09:32PM UTC

Do you mean on the Options tab? I went to Options -> Session Handling Rules and added a rule to use the Cookie Jar in Extender. However, when I print the request to be issued by Extender I do not see that the Cookie Jar is actually adding cookies. Here is my code:

    byte[] request = helpers.buildHttpRequest(formUrl);
    if (DEBUG) callbacks.printOutput("Requesting token form:\n\n" + helpers.bytesToString(request));
    byte[] response = callbacks.makeHttpRequest(formUrl.getHost(), 443, true, request);
    String responseString = helpers.bytesToString(response);

The request that is printed in the debug output is this:

    Requesting token form:

    GET /page?parameter=value&return=true HTTP/1.1
    Host: www.example.com
    Accept: */*
    Accept-Language: en
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
    Connection: close

PortSwigger Agent | Last updated: Nov 23, 2015 08:50AM UTC

Session handling rules are applied at the point a request is issued, not at the point you build it with buildHttpRequest(). If you chain an upstream instance of Burp, you will see that the cookies have been updated in the request that was sent (if appropriate).

Burp User | Last updated: Nov 24, 2015 06:03PM UTC

Thanks. The Logger++ extension showed that the final request did in fact include the proper cookies.
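
On the original question of reading cookies for a domain: the following is an added example, not code from the thread or from PortSwigger, showing one way to attach cookie jar entries to a request yourself so they are visible before the request is issued. It uses the legacy Extender API calls getCookieJarContents(), analyzeRequest() and buildHttpMessage(); the class name, method names and the simplified domain match are assumptions, and cookie path and the Secure flag are not checked.

```java
package burp;

import java.net.URL;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

// Added example (hypothetical class name); relies on the legacy Burp Extender API.
public class CookieJarRequestBuilder {
    private final IBurpExtenderCallbacks callbacks;
    private final IExtensionHelpers helpers;

    public CookieJarRequestBuilder(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
    }

    // Simplified match (assumption): exact host, or host is a subdomain of the cookie domain.
    static boolean domainMatches(String host, String cookieDomain) {
        if (cookieDomain == null || cookieDomain.isEmpty()) return false;
        String h = host.toLowerCase();
        String d = cookieDomain.toLowerCase();
        if (d.startsWith(".")) d = d.substring(1);
        return h.equals(d) || h.endsWith("." + d);
    }

    // Build a GET request for url and add a Cookie header from the Burp cookie jar.
    public byte[] buildGetWithJarCookies(URL url) {
        byte[] base = helpers.buildHttpRequest(url);
        IRequestInfo info = helpers.analyzeRequest(base);
        List<String> headers = new ArrayList<>(info.getHeaders());
        Date now = new Date();
        StringBuilder cookieValue = new StringBuilder();
        for (ICookie c : callbacks.getCookieJarContents()) {
            Date exp = c.getExpiration();            // null means no expiry is set
            if (exp != null && exp.before(now)) continue;
            if (!domainMatches(url.getHost(), c.getDomain())) continue;
            if (cookieValue.length() > 0) cookieValue.append("; ");
            cookieValue.append(c.getName()).append('=').append(c.getValue());
        }
        if (cookieValue.length() > 0) headers.add("Cookie: " + cookieValue);
        // A GET request carries no body.
        return helpers.buildHttpMessage(headers, new byte[0]);
    }
}
```

If the cookie jar session handling rule is also enabled for Extender, Burp can still update the cookies when the request is issued, so the request on the wire may differ from the bytes this method returns.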
