Burp Suite User Forum

Create new post

Probable bug in session handling macro

x0rcist | Last updated: Oct 03, 2015 03:55AM UTC

Hi I am using latest version of Burp and created a Macro to login to complex website. It requires at least four request to complete the login sequence. Below are the first three requests (sanitised) First Request GET /AppsLogin HTTP/1.1 Host: example.com Response HTTP/1.1 302 Moved Temporarily Location: https://example.com/AppsLocalLogin.jsp Set-Cookie: BIGipServerExternal_xxx_VS_7777_pool=506666924.20480.0000; path=/ Req2: GET /AppsLocalLogin.jsp HTTP/1.1 Host: example.com Cookie: BIGipServerExternal_xxx_VS_7777_pool=506666924.20480.0000 Resp2: HTTP/1.1 302 Moved Temporarily Location: https://example.com:443/ RF.jsp?function_id=288044 Set-Cookie: FINDEV=u95UgMTuhcHFIeh74j1uZbomqV; domain=.example.com; path=/; secure Request 3: GET /RF.jsp?function_id=288044 HTTP/1.1 Host: example.com Cookie: BIGipServerExternal_xxx_VS_7777_pool=506666924.20480.0000; FINDEV=CydLCLgwpqXJPRrSkYnXoAEhpB Under configure Macro Item, add cookies from session handling Jar is unchecked for all three request . Because If I keep it checked then cookies which will be received latter after authorisation like JsessionID are also get added to the request and result in invalid session. The Problem found is: In the request 3 The value set by FINDEV cookie in response 2 is: u95UgMTuhcHFIeh74j1uZbomqV however, as one can see in the Request3 FINDEV=CydLCLgwpqXJPRrSkYnXoAEhpB --- Which is strange and make no sense to me. Further, I have checked in the cookie Jar that the value of FINDEV is = u95UgMTuhcHFIeh74j1uZbomqV -- which is right one and being set by the application. However, burp is, no idea from where, is sending request with new value -- not received from application. Is it bug? Please note, I have cleared the cookie jar before testing the macro. I have only two macros first is this one and 2nd one is the default ie. Use cookies from Jar. Please advise

Burp User | Last updated: Oct 06, 2015 12:13PM UTC

No one, strange...

PortSwigger Agent | Last updated: Oct 07, 2015 03:00PM UTC

Sorry for the slow reply. It sounds like the problem is that you have unchecked the option to add cookies from the cookie jar when executing your macro. If this option is unchecked, then Burp leaves the original values that you configured in the macro requests, and does not update them. The solution is to re-enable this option, and Burp will do what the option says an update the request with the current cookies from the cookie jar. Regarding the problem with old JsessionID cookies being added at the start of the macro, there isn't a trivial way around this. We have a pending feature request to let a session handling action selectively clear certain items in the cookie jar. It might be possible to just configure the first item in the macro not to use the cookie jar, and avoid this problem.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.