Burp Suite User Forum


Support Multiple Responses for Out of Session in Session Handler

Tony | Last updated: Jun 07, 2022 03:33PM UTC

The Session Handler provides 3 options to identify in the response that the session has terminated: HTTP Headers, Response Body, and/or URL Redirect. However, some large applications provide various responses indicating the session has been terminated. I recently tested a large web app that included 3 separate responses for a terminated session depending upon where in the app that was being scanned (e.g., APIs vs HTML static content). I spent a lot of time creating a regex value with all 3 options (HTTP Headers, Response Body, and URL Redirect) to include all 3 response types, which wasn't clear if it actually worked correctly. Would it be possible to identify multiple responses specifying the response type to indicate out of session? This would make this process much easier for the tester and spend more time on testing than troubleshooting the regex during a scan. That may sound "lazy" with not improving my regex skills, however, we are time limited on our app pentests, so this would be helpful in clearly stating the responses that indicate a terminated session and not spending time on troubleshooting and rescanning.

Michelle, PortSwigger Agent | Last updated: Jun 08, 2022 12:35PM UTC

Thanks for your message. We've passed on your feedback to the team and linked this thread to the request so we can post back here with any updates. If you're happy to share examples of the types of regular expression you find yourself needing to use, we can add these to the detail of the feature request to help provide more background to your request. If you'd rather not share them publicly on the forum, please feel free to email them to support@portswigger.net and reference this post.
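
The first post says it was unclear whether one expression covering all three response types worked. As an added example (not part of the thread and not Burp code), this offline check runs one indicator per location against saved responses before a scan. The indicator patterns and sample responses are constructed assumptions.

```python
import re

# Hypothetical indicators, one per location named in the post.
INDICATORS = [
    ("headers",  r"^HTTP/\d(?:\.\d)? 401\b"),          # API answers 401
    ("redirect", r"^/login\b"),                        # static content redirects
    ("body",     r"<title>\s*Sign in\s*</title>"),     # login page served with 200
]

# Constructed sample responses; replace with responses saved from the target.
SAMPLES = {
    "api_401": "HTTP/1.1 401 Unauthorized\r\nContent-Type: application/json\r\n\r\n"
               '{"error":"session_expired"}',
    "static_redirect": "HTTP/1.1 302 Found\r\nLocation: /login?timeout=1\r\n\r\n",
    "html_login_page": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                       "<html><title>Sign in</title></html>",
    # Still in session, but the page links to /login: must not be flagged.
    "in_session_with_link": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                            '<html><title>Dashboard</title><a href="/login">x</a></html>',
}

def split_response(raw):
    """Split a raw response into the three locations the indicators target."""
    head, _, body = raw.partition("\r\n\r\n")
    loc = re.search(r"^Location:\s*(\S+)", head, re.I | re.M)
    return {"headers": head, "body": body, "redirect": loc.group(1) if loc else ""}

def out_of_session(raw):
    """Return the location of the first matching indicator, or None if in session."""
    parts = split_response(raw)
    for location, pattern in INDICATORS:
        if re.search(pattern, parts[location], re.I | re.M):
            return location
    return None

def coverage(samples):
    """Map each sample name to the indicator location that fired (or None)."""
    return {name: out_of_session(raw) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, hit in coverage(SAMPLES).items():
        print(f"{name:22} -> {hit or 'in session'}")
```

Scoping each pattern to its own location is what keeps the in-session page with a `/login` link from being flagged, which a single expression applied to the whole response would not guarantee.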
