Burp Suite User Forum

Macro doesn't get updated with Session Handling Rule

Mitchell | Last updated: Mar 20, 2020 01:27AM UTC

I have an application that I'm testing which requires 2FA as part of its 2-step sign-in process. Once the user has logged in, they are granted a new access token on each request until their session expires. While using the Burp scanner feature, the user is frequently logged out, and so I've written custom extensions to re-authenticate their session. The Project Options are set up as follows:

"Session Handling rule" for 2FA:
1.) Burp's existing Google 2FA Authenticator app (action: invoke a Burp extension (this 2FA code prepopulates the param field in the log-in request))

"Session Handling rule" for my login extension:
1.) set auth-token in header if valid or exists in Burp cookie jar (action: invoke a custom Burp extension)
2.) if session is not valid, login with email, password, 2FA code (action: check session is valid)
  a.) "Issue current request"
  b.) checks for response validity
  c.) "if session is invalid, perform the action below:" (run a macro (performs the log-in requests))
  d.) update current request etc.
  e.) "After running the macro, invoke a Burp extension" (action: create cookies, then set auth-token in header)

For the most part, everything seems to work. My problem is that the macro that is run in 2.c) doesn't get updated with the 2FA code from my other "Session handling rule". The "Tools Scope" for this "Session handling rule editor" has "target", "scanner", "repeater", "intruder", "sequencer", and "extender" selected. *The 2FA prepopulation works fine when isolating the extension to "Repeater". To get this working, should "Macro" be a checkbox in the "Tools Scope" as well? If not, how can I resolve this issue? Thanks

Mitchell | Last updated: Mar 20, 2020 07:03PM UTC

TLDR: "Macros" in Project Options > Sessions don't run "Session handling Rules". What can I do under the hood to achieve this?

Uthman, PortSwigger Agent | Last updated: Mar 24, 2020 11:51AM UTC

Hi Mitchell, Macros in Burp are not subject to session handling rules. The best way to achieve your goal is to have all the actions self-contained within an extension, and then invoke this (as a session handling rule) on an invalid session.

Mitchell | Last updated: Mar 24, 2020 06:21PM UTC

Hi Uthman, Self-containing all the actions in a single extension is something I experimented with in the past, but had some issues. In the performAction method I need to make a login request that will then update the current_request argument. From what I've gathered, this separate request can only be done using a macro (by extracting macro_items). This separate request needs to add my 2FA code, but this circles back to my original problem of macros not being subject to session handling rules. Is there a way to manipulate the request of the macro_items argument within the performAction method?

Mitchell

Uthman, PortSwigger Agent | Last updated: Mar 25, 2020 03:17PM UTC

Hi Mitchell, You can manipulate the request of macro_items. It is an array of IHttpRequestResponse so you can set the Request and Response using the Extender API interface provided. You may also be able to use the makeHttpRequest function within IBurpExtenderCallbacks to make your separate request.
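As an added example (not Mitchell's or PortSwigger's code) of the self-contained approach described above: a single session handling action that patches the recorded login request in macro_items with the current 2FA code, issues it itself via makeHttpRequest, and writes the returned token into the auth-token header of the current request. The body parameter name `code`, the JSON field `access_token`, and the TOTP source (read here from a system property) are assumptions for the illustration.

```java
package burp;

import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class BurpExtender implements IBurpExtender, ISessionHandlingAction {
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks cb) {
        callbacks = cb;
        helpers = cb.getHelpers();
        cb.setExtensionName("Self-contained 2FA re-login (example)");
        cb.registerSessionHandlingAction(this);
    }

    @Override public String getActionName() { return "Re-login with 2FA and set auth-token"; }

    // Assumption: the current TOTP value is published elsewhere (e.g. by your authenticator
    // extension) and read from a system property; replace with your own source.
    private String currentTotpCode() { return System.getProperty("totp.code", ""); }

    @Override
    public void performAction(IHttpRequestResponse currentRequest, IHttpRequestResponse[] macroItems) {
        if (macroItems == null || macroItems.length == 0) return; // the rule must run the login macro first
        IHttpRequestResponse login = macroItems[0]; // recorded login request; macros ignore session rules
        byte[] req = helpers.updateParameter(login.getRequest(),
                helpers.buildParameter("code", currentTotpCode(), IParameter.PARAM_BODY)); // assumed param
        login.setRequest(req);
        // Issue the patched login ourselves rather than trusting the macro's original result
        IHttpRequestResponse result = callbacks.makeHttpRequest(login.getHttpService(), req);
        if (result == null || result.getResponse() == null) return;
        byte[] resp = result.getResponse();
        login.setResponse(resp); // keep the macro item consistent with what was actually sent
        String body = helpers.bytesToString(resp).substring(helpers.analyzeResponse(resp).getBodyOffset());
        Matcher m = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"").matcher(body); // assumed field
        if (!m.find()) return; // login failed or response shape changed: leave the request untouched
        // Replace (or add) the auth-token header on the request that triggered the rule
        IRequestInfo info = helpers.analyzeRequest(currentRequest);
        List<String> headers = info.getHeaders();
        headers.removeIf(h -> h.toLowerCase().startsWith("auth-token:"));
        headers.add("auth-token: " + m.group(1));
        byte[] original = currentRequest.getRequest();
        byte[] reqBody = Arrays.copyOfRange(original, info.getBodyOffset(), original.length);
        currentRequest.setRequest(helpers.buildHttpMessage(headers, reqBody));
    }
}
```

Because the login is sent with makeHttpRequest from inside the action, it never depends on a macro being in the "Tools Scope"; the rule only needs "invoke a Burp extension" pointing at this action when the session check fails.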
