Burp Suite User Forum


Session management & redirection & Active scan

Andrej | Last updated: Sep 25, 2017 11:18AM UTC

I have a platform which redirects the user to the /login page via the Location header when you try to access anything which requires authentication. I have session management set up, with session handling rules to look for an expression in the locations "HTTP headers", "Response body", as well as "URL of redirection target", with the regexp "location: https:\/\/someTestedDomain\.test\/login". The regular expression works, and I've tried it on multiple occurrences. I have "match indicates: Invalid session", and if the session is invalid, the session-establishing macro is fired. Also, when I run an Active scan, I have "Follow redirection where necessary" checked, as I do want to follow redirections during the active scan. This is where I experience the problem -> when I open the Session Tracer, I can see that the request has been fired, but unfortunately I see "redirection followed" to /login, because I have that checked in the Active scan; and the session check is applied only to the response which I receive, which is a 200 OK response with the login page. In my opinion this is undesirable, since the first request should have been checked for session validity; it should have said "invalid session" and performed the login from there. I know there are additional settings in Project Options -> HTTP -> Redirections, but if I changed those I would get many false negatives, because the site uses redirections quite heavily, which is also why I'm reluctant to simply turn off this function in the Active scan settings. Is it possible to address this issue, or introduce an additional setting which could be tweaked so that redirections would be followed during the Active scan, but the session would be checked on the 1st, or even all, responses?

PortSwigger Agent | Last updated: Sep 25, 2017 12:28PM UTC

Hi Andrej, Thanks for your message. If you remove "location: " from your regex, and just search for "somedomain.com/login" in "URL of redirection target", this should do what you need without you having to change redirection handling. Let me know how you get on. Most things are possible with session handling rules; it can just be a bit tricky.

Burp User | Last updated: Sep 29, 2017 08:25AM UTC

Hi, thanks for the reply. Unfortunately I can still see it failing when I have "follow redirection" enabled. My current setup is: Location(s): "URL of redirection target"; Look for expression: "someDomain\.domain\.com\/(login|getin).*" (without double quotes); Match type: Regular expression; Match indicates: Invalid session. Upon opening the Session Tracer, I can still see that the request with the attack payload from the Active scan is fired ("Issue current request to validate session"); in the first response I can see "location: https://someDomain.domain.com/login?some=parameters&...", and then I can see "Redirection followed" to this login page, upon which I get "Session is Valid". Where am I making the mistake? Should I specify the protocol https:\/\/ in my regexp as well? Or start the entire regexp with ".*", or remove it from the end, ...? Many thanks

PortSwigger Agent | Last updated: Sep 29, 2017 08:44AM UTC

Hi Andrej, Here are a couple of ideas: put a .* at the beginning of your regex. Also, make sure the match type is set to regular expression, not literal string. If that doesn't work, can you send some screenshots please, of both your configuration and an example redirect response.
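The behaviour Andrej asks for (check each hop's Location header against the login-page pattern before following it, and run the login macro on a hit) versus the behaviour he observes (follow first, check only the final 200 response), written out as an added example. This is illustrative Python, not Burp's own code or configuration: the FakeSite is a constructed stand-in for the tested application, login_macro() is a hypothetical stand-in for a session-establishing macro, and the regex handling assumes that Burp matches "URL of redirection target" against the bare URL (without the "location: " header name) with match-from-start semantics, which is why the agent's advice to prefix the pattern with .* and to drop "location: " is checked here with anchored_match().

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Pattern in the shape used in the thread, with the leading .* the agent
# suggested so it matches under anchored match() as well as search().
# Assumption: the redirect-target check sees the bare URL, not "location: ...".
LOGIN_REDIRECT_RE = re.compile(r".*someDomain\.domain\.com/(login|getin).*")

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def anchored_match(pattern: str, text: str) -> bool:
    """True if pattern matches text from its start (Python re.match semantics)."""
    return re.match(pattern, text) is not None


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class FakeSite:
    """Constructed stand-in for the tested application (not a real server):
    /protected needs a valid session cookie, /login serves the login form,
    /redir is a legitimate redirect that a scanner must still follow."""
    valid_token: str = "tok-fresh"
    log: List[str] = field(default_factory=list)  # paths requested, in order

    def handle(self, path: str, cookies: Dict[str, str]) -> Response:
        self.log.append(path)
        if path == "/redir":
            return Response(302, {"Location": "https://someDomain.domain.com/protected"})
        if path == "/login":
            return Response(200, body="<form>login</form>")
        if path == "/protected":
            if cookies.get("session") == self.valid_token:
                return Response(200, body="secret")
            return Response(302, {"Location": "https://someDomain.domain.com/login?next=%2Fprotected"})
        return Response(404)

    def login_macro(self) -> Dict[str, str]:
        """Hypothetical session-establishing macro: logs in, returns fresh cookies."""
        return {"session": self.valid_token}


def session_invalid(resp: Response) -> bool:
    """The session-handling check: does this response redirect to the login page?"""
    loc = resp.headers.get("Location")
    return loc is not None and LOGIN_REDIRECT_RE.match(loc) is not None


def fetch_check_each_hop(site: FakeSite, path: str, cookies: Dict[str, str],
                         max_hops: int = 5) -> Tuple[Response, int]:
    """Desired behaviour: inspect every response before following its redirect;
    if it points at /login, run the macro once and re-issue the same request.
    Returns (final response, number of macro runs)."""
    macro_runs = 0
    for _ in range(max_hops + 1):
        resp = site.handle(path, cookies)
        if session_invalid(resp):
            if macro_runs:
                raise RuntimeError("still sent to login after re-authenticating")
            cookies = site.login_macro()
            macro_runs += 1
            continue  # retry the request that hit the login wall
        if resp.status in REDIRECT_STATUSES and "Location" in resp.headers:
            path = urlparse(resp.headers["Location"]).path
            continue
        return resp, macro_runs
    raise RuntimeError("too many redirects")


def fetch_follow_then_check(site: FakeSite, path: str, cookies: Dict[str, str],
                            max_hops: int = 5) -> Tuple[Response, bool]:
    """Observed behaviour from the thread: follow redirects first, then apply
    the session check only to the final response. Returns (final, invalid)."""
    for _ in range(max_hops + 1):
        resp = site.handle(path, cookies)
        if resp.status in REDIRECT_STATUSES and "Location" in resp.headers:
            path = urlparse(resp.headers["Location"]).path
            continue
        return resp, session_invalid(resp)
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    stale = {"session": "tok-stale"}
    final, runs = fetch_check_each_hop(FakeSite(), "/protected", dict(stale))
    print("check each hop:", final.status, final.body, "macro runs:", runs)
    final, invalid = fetch_follow_then_check(FakeSite(), "/protected", dict(stale))
    print("follow then check:", final.status, final.body, "invalid:", invalid)
```

With a stale cookie, fetch_check_each_hop sees the 302 to /login on the very first response, runs the macro, and the retry returns the protected page; fetch_follow_then_check lands on the 200 login form, whose headers carry no Location, so the same rule reports the session as valid, which is exactly the "Session is Valid" result Andrej sees in the Session Tracer. A legitimate redirect (/redir to /protected) is still followed in both variants, so the check does not require turning off redirection following.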

Burp User | Last updated: Oct 05, 2017 08:13AM UTC

Thanks Paul. Because it was still not working, I sent all the configuration over email and received case number 152465.
