Burp Suite User Forum


Session handling extension not triggering when loaded using Project Settings

tom | Last updated: Jun 16, 2020 05:12PM UTC

I've created a session handling extension for some custom sign-in stuff I'm testing. I've created a session handling setting, assigned a blank macro and set it to trigger the handler after the macro finishes. When I configure this manually (or it's loaded with an existing project file) this works perfectly and data is passed to the extension as expected. However, if I load these settings from a project file, the extension never triggers. I can force it to work by opening the session handling settings and hitting "ok" again, but the problem is that this is due to run on a headless scanning box, so we won't be able to do that. Is this a known bug?

Hannah, PortSwigger Agent | Last updated: Jun 17, 2020 02:10PM UTC

Hi,

Are you loading settings from a project file (--project-file), or from a project options configuration file (--config-file) in your command-line arguments? Session handling rules are stored in the project options configurations, so should be exported to a JSON file and loaded in using --config-file.

https://portswigger.net/support/using-burp-suites-command-line-arguments

tom | Last updated: Jun 17, 2020 02:57PM UTC

I've tried:

* "load settings stored with the project" at the initial opening dialog
* Loading using the --config-file option
* Loading in the main Burp UI in the "session handling rules" panel
* Loading in the Burp UI through the "project->Project options" menu item

In all cases the session rule appears in the rule list after loading, so I don't think that's the problem. If I trace the session handling I can see the session rule firing, but the regex to find an invalid session does not match on the response (despite it being correct). I can fix this by opening the session rule, editing the "rule action" and hitting "ok" there (without making any changes); after this the handler works perfectly in both the trace view and every other place. This happens on v2020.5 as well as the previous version.

Hannah, PortSwigger Agent | Last updated: Jun 18, 2020 08:33AM UTC

Hi,

If you don't have the sessions tracer open, does the session handling rule work as expected? Would it be possible for you to send us a video of this behavior to support@portswigger.net?
