Burp Suite User Forum


Update All Additional Requests with Parameters Matched from Final Macro Response

Matt | Last updated: Nov 18, 2020 10:38PM UTC

Scenario: All logged-in requests require a CSRF token that is set on login. I am attempting to use the scanner to scan the application. I send a request to the active scanner that contains a valid CSRF token. Once the application times out or the session is invalidated, my login macro is triggered by the "Check session is valid" session handling rule. The rule logs me in and updates the current request with a valid CSRF token, and the application successfully responds.

Problem: The base request that was originally sent to the active scanner now contains an outdated CSRF token, which triggers my login macro for every single additional request sent by the scanner. This drastically slows down the scan.

How Do I: I am trying to make it so that every additional request sent by the scanner is updated with the CSRF token extracted at the end of my login macro. Currently the only option is to "Update current request with parameters matched from final macro response". Is there a way to update it for every additional request?

Possible solution: Update the session handling rule "Set a specific parameter or cookie value" with the value from the final macro, but I am unsure of how to do that.

Hannah, PortSwigger Agent | Last updated: Nov 19, 2020 09:28AM UTC

Hi. It will likely be easier for you to use an extension for this. "Authentication Token Obtain and Replace" may be suitable, and we have a few other similar ones available on the BApp Store. You can check out our full list in Burp (Extender > BApp Store) or here: https://portswigger.net/bappstore
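What an extension of this kind does, as an added example that is not part of the original thread and is not the code of the BApp named above: a Jython session handling action that remembers the token from the last macro response and writes it into every later request. The parameter name `csrf_token`, the hidden-field pattern and the action name are assumptions to adapt to the application.

```python
import re

try:
    from burp import IBurpExtender, ISessionHandlingAction  # present only inside Burp (Jython)
except ImportError:
    IBurpExtender = ISessionHandlingAction = None  # helpers below still usable outside Burp

# Assumptions: the token is a request parameter named csrf_token and the last
# macro response carries it in a hidden form field. Adjust both patterns.
TOKEN_RE = re.compile(r'name="csrf_token"\s+value="([^"]+)"')
PARAM_RE = re.compile(r'(\bcsrf_token=)[^&;\s]*')

def extract_token(response_text):
    """Return the token found in a macro response, or None."""
    m = TOKEN_RE.search(response_text)
    return m.group(1) if m else None

def apply_token(text, token):
    """Replace the csrf_token value in a request line, header or body."""
    if token is None:
        return text
    return PARAM_RE.sub(lambda m: m.group(1) + token, text)

if IBurpExtender is not None:
    class BurpExtender(IBurpExtender, ISessionHandlingAction):
        token = None  # last token seen, shared by every request the rule handles

        def registerExtenderCallbacks(self, callbacks):
            self.h = callbacks.getHelpers()
            callbacks.setExtensionName("Cached CSRF token (example)")
            callbacks.registerSessionHandlingAction(self)

        def getActionName(self):
            return "Apply cached CSRF token"

        def performAction(self, currentRequest, macroItems):
            # Invoked after the login macro: remember the fresh token.
            if macroItems and macroItems[-1].getResponse():
                resp = self.h.bytesToString(macroItems[-1].getResponse())
                BurpExtender.token = extract_token(resp) or BurpExtender.token
            # Invoked for any request: overwrite the stale token, fix Content-Length.
            tok = BurpExtender.token
            raw = currentRequest.getRequest()
            info = self.h.analyzeRequest(raw)
            headers = [apply_token(h, tok) for h in info.getHeaders()]
            body = apply_token(self.h.bytesToString(raw[info.getBodyOffset():]), tok)
            currentRequest.setRequest(
                self.h.buildHttpMessage(headers, self.h.stringToBytes(body)))
```

Select the action twice in the session handling rules: as the extension handler that runs after the login macro, and in a separate rule scoped to the Scanner that invokes it for every request ahead of the session check.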
