Burp community forum

Session handling in Burp extensions

Jan | Last updated: Jan 25, 2016 01:18PM UTC

Hi, I am currently implementing a specific attack with a Burp extension. Before I start the attack, I need to delete all cookies for the target domain. The attack consists of several HTTP requests. For these requests I need a session handling. I have been using Burps cookie jar by enabling the cookie jar for extensions (under Options->Sessions). I delete the cookies for the target domain by iterating through the cookie jar (callbacks.getCookieJarContents()) and for all cookies that apply to the target domain I do the following: ICookie cookieToBeDeleted = new Cookie(cookie.getDomain(), cookie.getName(), null, cookie.getExpiration()); callbacks.updateCookieJar(cookieToBeDeleted); According to the API, this should delete the cookie with this name. However, the cookies are not deleted from the cookie jar. Do I use the API not correctly? Is there an option to have a separate cookie jar only for the extender? This is the full code of the function that should delete the cookies in the cookie jar for a domain: private void resetCookiesForDomain(String domain) { List<ICookie> cookies = callbacks.getCookieJarContents(); for(ICookie cookie : cookies) { if(cookie.getDomain().contentEquals(domain)) { ICookie cookieToBeDeleted = new Cookie(cookie.getDomain(), cookie.getName(), null, cookie.getExpiration()); callbacks.updateCookieJar(cookieToBeDeleted); } } } Best Regards Jan

PortSwigger Agent | Last updated: Jan 25, 2016 04:54PM UTC

Thanks for this report. We've reproduced the problem and will get this fixed shortly.

PortSwigger Agent | Last updated: Feb 12, 2016 03:31PM UTC

In today's release of Burp (1/6/37) we've fixed this problem, so that cookies are correctly deleted from the cookie jar in this situation. Thanks again for your feedback - much appreciated.

You need to Log in to post a reply. Or register here, for free.