The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

Java ViewState SSO burp scanner

chrom | Last updated: May 12, 2016 12:51PM UTC

Hello, I am facing an issue related to session handling while scanning an application. Specifically, the scanner uses an old viewState value that it inherits from the spider session, which results in de-authentication of the client. The application login is SSO and uses SAMLRequests for initial session creation:

1. Go to the login page (A) and post the credentials.
2. The server verifies the validity of the credentials and provides a SAMLResponse string.
3. POST the SAMLResponse (obtained in step 2) to the page where the actual application is (B).
4. Application B sets a JSESSIONID cookie and then the client uses this to communicate with the application.

Any ideas on what to do to scan the application successfully?

PortSwigger Agent | Last updated: May 13, 2016 08:27AM UTC

Are you able to use Burp's session handling rules to ensure your session is valid? You'll need to create a macro that performs the login sequence from a clean/new session, and obtain the required cookie and any other parameter values (such as the viewState) that are needed to make a valid "attack" request. If you can get a macro working to do this, you can then make a session handling rule to run the macro before each Scanner request to relevant URLs.
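The macro and session handling rule the reply describes, written out as an added example in plain Python so each step can be checked outside Burp. This is not PortSwigger's code and not code from the original post: the URLs, the field names (SAMLResponse, RelayState, javax.faces.ViewState, JSESSIONID), the IdP and application responses and the credentials are all assumptions or constructed stand-ins, served by a stub transport instead of the network. The extra page fetch after login is the point the original post turns on: a ViewState is bound to the session that rendered it, so the macro must collect one under the new JSESSIONID rather than reuse the spider's.

```python
"""Added example: SSO login macro plus the per-request session fix-up, against a stub
transport. Not PortSwigger code; all endpoints, field names and responses are assumed."""
from html.parser import HTMLParser
from http.cookies import SimpleCookie

# Assumed endpoints: IdP login page (A), the application's SAML consumer and a JSF page on it (B).
IDP_LOGIN_URL = "https://idp.example/login"
SP_ACS_URL = "https://app.example/saml/acs"
APP_PAGE_URL = "https://app.example/app/search.jsf"

SAML_B64 = "PD94bWw/Pg=="                                       # constructed stand-in for a base64 SAMLResponse
FRESH_VIEWSTATE = "-7149581034905229361:3814106856010233462"    # constructed JSF ViewState

# Constructed responses. The IdP form entity-encodes '/' in the base64 value, so hidden
# fields must be entity-decoded before reuse (HTMLParser decodes attribute values for us).
IDP_FORM = ('<form method="POST" action="%s">'
            '<input type="hidden" name="SAMLResponse" value="PD94bWw&#x2F;Pg=="/>'
            '<input type="hidden" name="RelayState" value="/app/"/></form>' % SP_ACS_URL)
APP_FORM = ('<form id="f" method="POST" action="%s"><input type="text" name="f:q"/>'
            '<input type="hidden" name="javax.faces.ViewState" value="%s"/></form>'
            % (APP_PAGE_URL, FRESH_VIEWSTATE))

class MacroError(Exception):
    """A macro step did not produce what the next step needs; fail loudly, not with a stale request."""

class _Hidden(HTMLParser):
    def __init__(self):
        super().__init__()
        self.fields = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""

def hidden_fields(page):
    """name -> value of every hidden input in page, entity-decoded."""
    p = _Hidden()
    p.feed(page)
    return p.fields

class Response:
    def __init__(self, status, headers, body):
        self.status, self.headers, self.body = status, headers, body
    def cookie(self, name):
        """Value of cookie `name` from any Set-Cookie header, or None."""
        for h, v in self.headers:
            if h.lower() == "set-cookie":
                jar = SimpleCookie()
                jar.load(v)
                if name in jar:
                    return jar[name].value
        return None

class StubTransport:
    """Stands in for the network with canned responses; records every request for inspection."""
    def __init__(self):
        self.log = []
    def request(self, method, url, data=None, cookies=None):
        data, cookies = data or {}, cookies or {}
        self.log.append((method, url, data, cookies))
        if (method, url) == ("POST", IDP_LOGIN_URL) and data.get("password") == "correct horse":
            return Response(200, [], IDP_FORM)
        if (method, url) == ("POST", SP_ACS_URL) and data.get("SAMLResponse") == SAML_B64:
            return Response(302, [("Set-Cookie", "JSESSIONID=ABC123; Path=/; HttpOnly")], "")
        if (method, url) == ("GET", APP_PAGE_URL) and cookies.get("JSESSIONID") == "ABC123":
            return Response(200, [], APP_FORM)
        return Response(401, [], "login required")

def login_macro(http, username, password):
    """Steps 1-4 of the post, plus a page fetch so the ViewState belongs to the new session."""
    r = http.request("POST", IDP_LOGIN_URL, data={"username": username, "password": password})
    fields = hidden_fields(r.body)                      # step 2: IdP answers with an auto-submit form
    if "SAMLResponse" not in fields:
        raise MacroError("IdP did not return a SAMLResponse (credentials rejected?)")
    r = http.request("POST", SP_ACS_URL, data={"SAMLResponse": fields["SAMLResponse"],
                                                "RelayState": fields.get("RelayState", "")})
    sid = r.cookie("JSESSIONID")                        # step 4: application sets the session cookie
    if sid is None:
        raise MacroError("application did not set JSESSIONID")
    # The ViewState the spider saw belongs to the spider's session; sending it under the new
    # cookie is what de-authenticates the client, so render the page once under the new session.
    vs = hidden_fields(http.request("GET", APP_PAGE_URL, cookies={"JSESSIONID": sid}).body)
    if "javax.faces.ViewState" not in vs:
        raise MacroError("no javax.faces.ViewState on page after login")
    return {"JSESSIONID": sid, "javax.faces.ViewState": vs["javax.faces.ViewState"]}

def apply_session(request, session):
    """What the session handling rule does before each scanner request: swap in the live values."""
    req = dict(request, cookies=dict(request.get("cookies", {}), JSESSIONID=session["JSESSIONID"]))
    if "javax.faces.ViewState" in req.get("data", {}):
        req["data"] = dict(req["data"], **{"javax.faces.ViewState": session["javax.faces.ViewState"]})
    return req

if __name__ == "__main__":
    live = login_macro(StubTransport(), "alice", "correct horse")
    print(apply_session({"method": "POST", "url": APP_PAGE_URL,
                         "data": {"f:q": "x", "javax.faces.ViewState": "stale-from-spider"}}, live))
```

In Burp the same shape applies: the macro's recorded requests cover the two POSTs and the final GET, the cookie is picked up automatically from the Set-Cookie header, and the ViewState is defined as a custom parameter extracted from the last macro response and written into the scanner request by the session handling rule.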

Burp User | Last updated: May 16, 2016 10:05PM UTC