Burp Suite User Forum


session handling rule stops inserting cookies after a while

Russell | Last updated: Sep 14, 2022 05:32AM UTC

I had a crawl & audit scan running, that after some time seems to have gotten stuck issuing thousands of identical requests to a single path on the server.

The site requires authentication for all access, and I'm using a session handling rule with a couple of "Set a specific cookie or parameter value" actions to insert the required cookies, with the rule scoped to Scanner and Repeater.

The initial crawl and start of the audit ran fine, with requests correctly getting the session cookies inserted. But the audit phase is now just sending thousands (2545 when I paused it) of identical requests to the server *without* any included cookies, which just get a 302 response to the login system.

If I pick one of these requests and Send to Repeater, then run it from there, it works fine (with the session cookies correctly inserted).

In the session handling tracer, requests from Repeater show these events:

    Applying rule: hardcode aspnet session cookies
    Set parameter: .AspNetCore.Cookies=chunks-2
    Set parameter: .AspNetCore.CookiesC1= ... the C1 cookie ...
    Set parameter: .AspNetCore.CookiesC2= ... the C2 cookie ...
    Issued request

but requests from Scanner just show a single event:

    Applying rule: hardcode aspnet session cookies

and don't get the cookies inserted.

I've seen this a couple of times, with differently configured scans.

Hannah, PortSwigger Agent | Last updated: Sep 14, 2022 09:06AM UTC

Hi,

Could you drop us an email at support@portswigger.net with some screenshots of this behavior and your session handling rule configuration, please?
