Burp Suite User Forum


Notification alert in Burp when scans go out of session

Megha | Last updated: Nov 29, 2017 06:16AM UTC

This is regarding the session handling feature in Burp for web applications. I was trying Burp scans for one of my applications and found that the session had timed out and I got 302 redirection responses which redirect to the login page. I referred to the link https://support.portswigger.net/customer/en/portal/articles/2363088-configuring-burp-s-session-handling-rules to configure the session handler for Burp and it worked. But the problem I see is that, unlike IBM AppScan, which stops the scan and gives a notification on session timeout, Burp does not give any such notification and the scans are all in "FINISHED" state irrespective of the response received. So, it would be good if the later versions of Burp have a notification mechanism for session timeout during scans. Awaiting your response on this.

PortSwigger Agent | Last updated: Nov 29, 2017 09:15AM UTC

Hi Megha, Thanks for your message. I agree, it would be better to report a warning rather than just saying "finished". We've not really pursued this as the Session Handling Rule approach is better - you end up with a successful scan rather than a failed one. We've got some work planned on the Scanner engine in the coming months. We'll try to incorporate this into the work. Please let us know if you need any further assistance.
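The symptom described in this thread (a scan that reports "finished" while its responses are 302 redirects to the login page) can be checked after the fact. The following is an added example, not part of the thread and not PortSwigger code: it assumes the raw HTTP responses from a scan are available as strings in request order and that the login page is at the hypothetical path `/login`.

```python
from email.parser import Parser
from urllib.parse import urlsplit

# Assumption: the application's login page path (not taken from the thread).
LOGIN_PATHS = ("/login",)

def is_out_of_session(raw_response, login_paths=LOGIN_PATHS):
    """True if the response is a 302 whose Location points at a login path."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or parts[1] != "302":
        return False
    headers = Parser().parsestr(header_block, headersonly=True)
    location = (headers.get("Location") or "").strip()
    # Compare only the path, so absolute URLs and query strings still match.
    path = urlsplit(location).path.lower().rstrip("/")
    return path in login_paths

def summarize_scan(responses, login_paths=LOGIN_PATHS):
    """Summarize where a scan lost its session and whether it ever recovered."""
    flags = [is_out_of_session(r, login_paths) for r in responses]
    trailing = 0
    for flag in reversed(flags):  # count out-of-session responses at the end
        if not flag:
            break
        trailing += 1
    return {
        "total": len(flags),
        "out_of_session": sum(flags),
        "first_lost_at": flags.index(True) if True in flags else None,
        # A non-zero trailing run means the scan ended while logged out.
        "ended_logged_out": trailing > 0,
        "trailing_run": trailing,
    }

def _resp(status, reason, headers=""):
    return f"HTTP/1.1 {status} {reason}\r\n{headers}Content-Length: 0\r\n\r\n"

# Constructed sample responses, in request order.
SAMPLE = [
    _resp(200, "OK"),
    _resp(302, "Found", "Location: /account/settings\r\n"),  # ordinary redirect
    _resp(200, "OK"),
    _resp(302, "Found", "Location: https://app.example/login?next=%2Faccount\r\n"),
    _resp(302, "Found", "Location: /login\r\n"),
    _resp(302, "Found", "location: /Login/\r\n"),
]

if __name__ == "__main__":
    print(summarize_scan(SAMPLE))
```

A long trailing run indicates that everything after `first_lost_at` was tested unauthenticated and needs to be rescanned with a working session handling rule.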
