The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.


session handling rule stops inserting cookies after a while

Russell | Last updated: Sep 14, 2022 05:32AM UTC

I had a crawl & audit scan running, that after some time seems to have gotten stuck issuing thousands of identical requests to a single path on the server.

The site requires authentication for all access, and I'm using a session handling rule with a couple of "Set a specific cookie or parameter value" actions to insert the required cookies, with the rule scoped to Scanner and Repeater.

The initial crawl and start of the audit ran fine, with requests correctly getting the session cookies inserted. But the audit phase is now just sending thousands (2545 when I paused it) of identical requests to the server *without* any included cookies, which just get a 302 response to the login system.

If I pick one of these requests and Send to Repeater, then run it from there, it works fine (with the session cookies correctly inserted).

In the session handling tracer, requests from Repeater show these events:

    Applying rule: hardcode aspnet session cookies
    Set parameter: .AspNetCore.Cookies=chunks-2
    Set parameter: .AspNetCore.CookiesC1= ... the C1 cookie ...
    Set parameter: .AspNetCore.CookiesC2= ... the C2 cookie ...
    Issued request

but requests from Scanner just show a single event:

    Applying rule: hardcode aspnet session cookies

and don't get the cookies inserted.

I've seen this a couple of times, with differently configured scans.

Hannah, PortSwigger Agent | Last updated: Sep 14, 2022 09:06AM UTC