Burp Suite User Forum


making repeater request with session handling rule changes request body

Jacek | Last updated: Dec 11, 2015 10:57AM UTC

I've set up a session handling rule to fetch a CSRF token and place a valid value in the request I wish to test. I've placed XSS code into one of the POST params. Unfortunately, after the request was issued and the response received, the entire XSS code was removed from the request, and only the original request param value remained. It didn't happen when the rule was disabled. Why did it happen? Cheers, Jacek

PortSwigger Agent | Last updated: Dec 11, 2015 12:23PM UTC

Is your XSS payload within a parameter that is being updated by your session handling rules? If so, then the rule is doing its normal thing and will override any value you have set. If not, then the rule shouldn't be modifying other parameters. If you think this is indeed happening, you can email us details of the request, and your rule, and we'll investigate.
