Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Session handling in Burp extensions

Jan | Last updated: Jan 25, 2016 01:18PM UTC

Hi, I am currently implementing a specific attack with a Burp extension. Before I start the attack, I need to delete all cookies for the target domain. The attack consists of several HTTP requests. For these requests I need a session handling. I have been using Burps cookie jar by enabling the cookie jar for extensions (under Options->Sessions). I delete the cookies for the target domain by iterating through the cookie jar (callbacks.getCookieJarContents()) and for all cookies that apply to the target domain I do the following: ICookie cookieToBeDeleted = new Cookie(cookie.getDomain(), cookie.getName(), null, cookie.getExpiration()); callbacks.updateCookieJar(cookieToBeDeleted); According to the API, this should delete the cookie with this name. However, the cookies are not deleted from the cookie jar. Do I use the API not correctly? Is there an option to have a separate cookie jar only for the extender? This is the full code of the function that should delete the cookies in the cookie jar for a domain: private void resetCookiesForDomain(String domain) { List<ICookie> cookies = callbacks.getCookieJarContents(); for(ICookie cookie : cookies) { if(cookie.getDomain().contentEquals(domain)) { ICookie cookieToBeDeleted = new Cookie(cookie.getDomain(), cookie.getName(), null, cookie.getExpiration()); callbacks.updateCookieJar(cookieToBeDeleted); } } } Best Regards Jan

PortSwigger Agent | Last updated: Jan 25, 2016 04:54PM UTC

Thanks for this report. We've reproduced the problem and will get this fixed shortly.

PortSwigger Agent | Last updated: Feb 12, 2016 03:31PM UTC