Burp community forum

Is there a way to suppress ASP.NET_SessionId cookie tests?

Jon | Last updated: Aug 26, 2015 08:45PM UTC

The developers of our application say they don't manipulate the ASP.NET_SessionID cookie (in fact, they couldn't do it even if they wanted to). It is a Microsoft .NET cookie out of their control. A bunch of errors are being flagged in our app because Burp is monkeying with this cookie ... We want to suppress Burp from running the tests that are manipulating the ASP.NET_SessionID cookie to stop these errors from being flagged. Is there a way to do this? Thanks in advance!

PortSwigger Agent | Last updated: Aug 27, 2015 08:28AM UTC

By default, Burp Scanner does not perform any server-side injection tests on the ASP.NET_SessionID cookie. This cookie is included in the default list at Scanner / Options / Attack insertion points / Skip server-side injection tests. You can also add this cookie to the list called "Skip all tests for these parameters", and Burp will not submit any requests that modify this cookie.
