The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Probable bug in session handling macro

x0rcist | Last updated: Oct 03, 2015 03:55AM UTC

Hi, I am using the latest version of Burp and created a macro to log in to a complex website. It requires at least four requests to complete the login sequence. Below are the first three requests (sanitised).

First request:
GET /AppsLogin HTTP/1.1
Host: example.com

Response:
HTTP/1.1 302 Moved Temporarily
Location: https://example.com/AppsLocalLogin.jsp
Set-Cookie: BIGipServerExternal_xxx_VS_7777_pool=506666924.20480.0000; path=/

Request 2:
GET /AppsLocalLogin.jsp HTTP/1.1
Host: example.com
Cookie: BIGipServerExternal_xxx_VS_7777_pool=506666924.20480.0000

Response 2:
HTTP/1.1 302 Moved Temporarily
Location: https://example.com:443/RF.jsp?function_id=288044
Set-Cookie: FINDEV=u95UgMTuhcHFIeh74j1uZbomqV; domain=.example.com; path=/; secure

Request 3:
GET /RF.jsp?function_id=288044 HTTP/1.1
Host: example.com
Cookie: BIGipServerExternal_xxx_VS_7777_pool=506666924.20480.0000; FINDEV=CydLCLgwpqXJPRrSkYnXoAEhpB

Under "Configure Macro Item", "add cookies from session handling jar" is unchecked for all three requests, because if I keep it checked then cookies which will be received later after authorisation, like JSESSIONID, also get added to the request and result in an invalid session.

The problem I found is: in request 3, the value set by the FINDEV cookie in response 2 is u95UgMTuhcHFIeh74j1uZbomqV; however, as one can see in request 3, FINDEV=CydLCLgwpqXJPRrSkYnXoAEhpB, which is strange and makes no sense to me. Further, I have checked in the cookie jar that the value of FINDEV is u95UgMTuhcHFIeh74j1uZbomqV, which is the right one and is being set by the application. However, Burp is sending the request with a new value, no idea from where, which was not received from the application. Is it a bug? Please note that I have cleared the cookie jar before testing the macro. I have only two macros: the first is this one and the second is the default, i.e. use cookies from the jar. Please advise.
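The mismatch described in this post can be checked mechanically by replaying the recorded sequence through a cookie jar and diffing each request's Cookie header against it. The following is an added example in Python, not Burp's macro code; the three request/response pairs are constructed from the sanitised exchange above, with the cookie values as posted.

```python
# Replay a recorded login sequence through a minimal cookie jar and flag requests
# whose Cookie value differs from the latest Set-Cookie. Added example, not Burp's code.
SEQUENCE = [  # constructed (raw request, raw response) pairs, values as posted
    ("GET /AppsLogin HTTP/1.1\r\nHost: example.com\r\n\r\n",
     "HTTP/1.1 302 Moved Temporarily\r\n"
     "Set-Cookie: BIGipServerExternal_xxx_VS_7777_pool=506666924.20480.0000; path=/\r\n\r\n"),
    ("GET /AppsLocalLogin.jsp HTTP/1.1\r\nHost: example.com\r\n"
     "Cookie: BIGipServerExternal_xxx_VS_7777_pool=506666924.20480.0000\r\n\r\n",
     "HTTP/1.1 302 Moved Temporarily\r\n"
     "Set-Cookie: FINDEV=u95UgMTuhcHFIeh74j1uZbomqV; domain=.example.com; path=/; secure\r\n\r\n"),
    ("GET /RF.jsp?function_id=288044 HTTP/1.1\r\nHost: example.com\r\n"
     "Cookie: BIGipServerExternal_xxx_VS_7777_pool=506666924.20480.0000; "
     "FINDEV=CydLCLgwpqXJPRrSkYnXoAEhpB\r\n\r\n",
     "HTTP/1.1 200 OK\r\n\r\n"),
]


def header_values(raw, wanted):
    """All values of header `wanted` (case-insensitive) in a raw HTTP message."""
    found = []
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == wanted:
            found.append(value.strip())
    return found


def parse_pairs(text):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}; bare attributes such as 'secure' are skipped."""
    pairs = {}
    for item in text.split(";"):
        k, sep, v = item.partition("=")
        if sep:
            pairs[k.strip()] = v.strip()
    return pairs


def find_mismatches(sequence):
    """Return (request_index, cookie_name, jar_value, sent_value) for every
    request cookie that disagrees with what the earlier responses set."""
    jar, problems = {}, []
    for idx, (request, response) in enumerate(sequence, start=1):
        for cookie_hdr in header_values(request, "cookie"):
            for name, sent in parse_pairs(cookie_hdr).items():
                if name in jar and jar[name] != sent:
                    problems.append((idx, name, jar[name], sent))
        for sc in header_values(response, "set-cookie"):
            # only the first name=value of a Set-Cookie is the cookie itself
            jar.update(parse_pairs(sc.split(";", 1)[0]))
    return problems
```

Running find_mismatches(SEQUENCE) reports request 3 sending FINDEV=CydLCLgwpqXJPRrSkYnXoAEhpB while the jar holds u95UgMTuhcHFIeh74j1uZbomqV, which is exactly the discrepancy the post describes.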

Burp User | Last updated: Oct 06, 2015 12:13PM UTC

No one, strange...

PortSwigger Agent | Last updated: Oct 07, 2015 03:00PM UTC