Burp Suite User Forum

Login to post

Update Header in Session Handling/Macros

Conor | Last updated: Jan 05, 2016 06:51PM UTC

Hello, I'm working on an application that uses CSRF token for the login forms. The token is a hidden value in the webpage: E.g. <input name="CSRFToken" type="hidden" value="ZIlN2m8eqXX4mWOJr3wkNLGeobE2oUqGBaeKpYWaJe1yK7oQKRx8H2A-8X6rqiMIM7nQNwGPI1uryEA-3wWh5iii_kbq-Pkfp-z9uR5eGnxRCOkE0" /> The token is then applied to the subsequent login as an HTML Header: ... Content-Type: application/json; charset=utf-8 CSRFToken: 0f5K-xylZwaz3jY4hVfMleNQ22Plbd0GD5kW3980JxANf_qG77kKW0FHtrOkRjdNGdhjF4tjQyAOppeZB8IgpuWqJJsK12xuzlFE3oS_mYITKeUI0 X-Requested-With: XMLHttpRequest ... And following a valid login, you receive a session cookie. Currently, from what I understand, the session handling and macros only apply to cookies and parameters. Would it be possible to have these rules apply to other areas of the request? I'm currently attempting to write an Extension to handle this functionality, but it seems viable enough to be a stock option. Thanks, Conor

PortSwigger Agent | Last updated: Jan 06, 2016 09:25AM UTC

Currently, Burp's native session handling rules don't operate on request headers. We do have this feature request captured in our backlog, but we can't currently promise an ETA for the feature, sorry.

Burp User | Last updated: Jan 06, 2016 04:49PM UTC

Understandable. I was able to write the extension code quite easily, but I've run into another hurdle imposed by this, wondering if you can think of any solutions. So, I can retrieve the above value from the macro Response, and add it to a headers array. The issue, is that the request requiring the header is not in the list of requests handed to "performAction()". i.e.: currentRequest: the request in the Scanner queue that "failed session validity" macroItems[0]: the request used to grab CSRF token I need to append the CSRF token to a third request, along with a username and password to authenticate, and subsequently update the cookiejar with a valid session token. How can I access a "stored" request to modify then send to authenticate? The best solution I see would be if Extensions can access macro requests without them having to be initially sent. Options I can see: 1. Static request stored in extension code: Bad, as I don't want to have to edit the code, then reload the extension everytime I need to change something 2. Send login request macro before running extension: Solves my problem, but more expensive than I like, as I don't actually need to send this request yet 3. Code text/request input into my extension: Time consuming, this tool is just for me and a coworker, don't need to waste time on pretty UI code 4. Send request tooltip: Is it possible to add a drop down option to "Send Request to MyExtension" like you do Repeater/Intruder? I'll probably go with option 2 if all else fails, but I want to see if you have any better ideas. Thanks!

PortSwigger Agent | Last updated: Jan 07, 2016 09:02AM UTC

Ideally, as you say, you would include the authentication request within the macro and your extension would be able to modify the macro request before it is sent. One way to possibly achieve this would be to register an IHttpListener, which will give your code access to all requests made by all tools. You could use this to track the latest token observed in a response, and to update the relevant header with this value in relevant requests. This approach might mean that you just need to execute your recovery macro when the session is invalid, and let your IHttpListener fix the header when the macro is run. Then you might not need the custom session handling action at all. Regarding "Send to my extension" items on the context menu, you can do this by registering an IContextMenuFactory. Burp will call into your extension when the context menu is invoked, with details of the invocation event, and you can return any context menu items that are applicable for that invocation: https://portswigger.net/burp/extender/api/burp/IContextMenuFactory.html Hope that helps.

Burp User | Last updated: Jun 05, 2018 11:11AM UTC

Any progress on this feature request? I know header manipulation can be done with a plugin, but I think this should be default functionality to make life easier :) Searching google shows this question has been requested several times over the years, for example: https://support.portswigger.net/customer/portal/questions/11698880-how-do-i-change-a-http-header-value-for-active-scan-with-stored-state-file-.

Burp User | Last updated: Dec 07, 2018 09:49AM UTC

@Wouter, could you specify which plugin do you use to make this happen? I tried different extensions and none are working fine for me. Add custom header finally worked when the request did not have the x-csrf header at all. for the requests where the header was present, it was not deleting and adding the new value.

Ryan | Last updated: Apr 07, 2021 05:21PM UTC

Hoping to bump this feature request. I encounter this issue frequently.

Ben, PortSwigger Agent | Last updated: Apr 08, 2021 12:52PM UTC

Hi Ryan, This feature request is still in our backlog, i am afraid. I will record your interest against this so that we can accurately monitor the demand for this functionality.

Charles | Last updated: Apr 09, 2021 09:30PM UTC

+1 for this feature

John | Last updated: Apr 09, 2021 09:54PM UTC

+1 - Would be very useful for API testing

John | Last updated: Apr 09, 2021 09:54PM UTC

+1 - Would be very useful for API testing

Kacper | Last updated: May 13, 2021 08:28PM UTC

+1

Ben, PortSwigger Agent | Last updated: May 14, 2021 07:17AM UTC

Thank you all - we have added all of your interest to this particular feature request and will update this thread if we have any further news to share.

Divyanshu | Last updated: Jun 02, 2021 11:13AM UTC

You can visit https://infosecwriteups.com/automating-burp-suite-4-understanding-and-customising-custom-header-from-response-via-burp-macro-214332dda012 This solves the problem by adding custom header fetched by macro from response body/header.

You need to Log in to post a reply. Or register here, for free.