Burp Suite User Forum


Update Header in Session Handling/Macros

Conor | Last updated: Jan 05, 2016 06:51PM UTC

Hello, I'm working on an application that uses a CSRF token for the login forms. The token is a hidden value in the webpage, e.g.:

<input name="CSRFToken" type="hidden" value="ZIlN2m8eqXX4mWOJr3wkNLGeobE2oUqGBaeKpYWaJe1yK7oQKRx8H2A-8X6rqiMIM7nQNwGPI1uryEA-3wWh5iii_kbq-Pkfp-z9uR5eGnxRCOkE0" />

The token is then applied to the subsequent login as an HTML Header:

...
Content-Type: application/json; charset=utf-8
CSRFToken: 0f5K-xylZwaz3jY4hVfMleNQ22Plbd0GD5kW3980JxANf_qG77kKW0FHtrOkRjdNGdhjF4tjQyAOppeZB8IgpuWqJJsK12xuzlFE3oS_mYITKeUI0
X-Requested-With: XMLHttpRequest
...

And following a valid login, you receive a session cookie.

Currently, from what I understand, the session handling and macros only apply to cookies and parameters. Would it be possible to have these rules apply to other areas of the request? I'm currently attempting to write an Extension to handle this functionality, but it seems viable enough to be a stock option.

Thanks,
Conor

PortSwigger Agent | Last updated: Jan 06, 2016 09:25AM UTC

Currently, Burp's native session handling rules don't operate on request headers. We do have this feature request captured in our backlog, but we can't currently promise an ETA for the feature, sorry.

Burp User | Last updated: Jan 06, 2016 04:49PM UTC

Understandable. I was able to write the extension code quite easily, but I've run into another hurdle imposed by this, wondering if you can think of any solutions.

So, I can retrieve the above value from the macro Response and add it to a headers array. The issue is that the request requiring the header is not in the list of requests handed to "performAction()", i.e.:

currentRequest: the request in the Scanner queue that "failed session validity"
macroItems[0]: the request used to grab the CSRF token

I need to append the CSRF token to a third request, along with a username and password to authenticate, and subsequently update the cookie jar with a valid session token. How can I access a "stored" request to modify, then send to authenticate? The best solution I see would be if Extensions can access macro requests without them having to be initially sent.

Options I can see:

1. Static request stored in extension code: Bad, as I don't want to have to edit the code, then reload the extension every time I need to change something.
2. Send login request macro before running extension: Solves my problem, but more expensive than I like, as I don't actually need to send this request yet.
3. Code text/request input into my extension: Time consuming; this tool is just for me and a coworker, don't need to waste time on pretty UI code.
4. Send request tooltip: Is it possible to add a drop down option to "Send Request to MyExtension" like you do for Repeater/Intruder?

I'll probably go with option 2 if all else fails, but I want to see if you have any better ideas. Thanks!

PortSwigger Agent | Last updated: Jan 07, 2016 09:02AM UTC

Ideally, as you say, you would include the authentication request within the macro and your extension would be able to modify the macro request before it is sent.

One way to possibly achieve this would be to register an IHttpListener, which will give your code access to all requests made by all tools. You could use this to track the latest token observed in a response, and to update the relevant header with this value in relevant requests. This approach might mean that you just need to execute your recovery macro when the session is invalid, and let your IHttpListener fix the header when the macro is run. Then you might not need the custom session handling action at all.

Regarding "Send to my extension" items on the context menu, you can do this by registering an IContextMenuFactory. Burp will call into your extension when the context menu is invoked, with details of the invocation event, and you can return any context menu items that are applicable for that invocation: https://portswigger.net/burp/extender/api/burp/IContextMenuFactory.html

Hope that helps.
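
The IHttpListener approach described in the reply above, as an added example that is not part of the original thread or of any PortSwigger code. It is written as a Jython extension against the legacy Burp Extender API (burp.IBurpExtender, burp.IHttpListener, IExtensionHelpers.bytesToString/stringToBytes, IBurpExtenderCallbacks.isInScope): every response passing through Burp is scanned for the hidden CSRFToken input, the latest value is remembered, and every subsequent in-scope request (including the macro's own login request) gets its CSRFToken header replaced, or added if absent. The field name and header name "CSRFToken" are taken from the original post; the extension name and the in-scope restriction are assumptions. The two helper functions are pure Python so they can be exercised outside Burp; the stub interfaces under the ImportError branch exist only for that purpose. The example does not cover the IContextMenuFactory part of the reply.

```python
import re

# Names taken from the thread: the hidden field and the request header share a name.
HEADER_NAME = "CSRFToken"

# Match each <input ...> tag, then pull out name= and value= in any order, so the
# attribute ordering shown in the thread (name before value) is not assumed.
INPUT_RE = re.compile(r"<input\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'\b(name|value)\s*=\s*["\']([^"\']*)["\']', re.IGNORECASE)


def extract_token(response_text, field_name=HEADER_NAME):
    """Return the value of the hidden <input name=field_name> in a response, or None."""
    for tag in INPUT_RE.findall(response_text):
        attrs = dict((k.lower(), v) for k, v in ATTR_RE.findall(tag))
        if attrs.get("name") == field_name and attrs.get("value"):
            return attrs["value"]
    return None


def set_header(raw_request, name, value):
    """Replace header `name` in a raw HTTP request, or append it if absent.

    Replacing rather than appending matters: leaving the stale header in place
    alongside a new one sends a duplicate header, and a server that reads the
    first occurrence still sees the old token. Header names are matched
    case-insensitively; extra duplicates are dropped.
    """
    head, sep, body = raw_request.partition("\r\n\r\n")
    if not sep:  # no blank line at all: treat the whole thing as the header block
        sep = "\r\n\r\n"
    lines = head.split("\r\n")
    new_lines = [lines[0]]  # request line stays untouched
    replaced = False
    for line in lines[1:]:
        key = line.split(":", 1)[0].strip().lower()
        if key == name.lower():
            if not replaced:
                new_lines.append("%s: %s" % (name, value))
                replaced = True
            continue
        new_lines.append(line)
    if not replaced:
        new_lines.append("%s: %s" % (name, value))
    return "\r\n".join(new_lines) + sep + body


try:
    from burp import IBurpExtender, IHttpListener
except ImportError:  # outside Burp (e.g. unit tests): stand-in interfaces only
    class IBurpExtender(object):
        pass

    class IHttpListener(object):
        pass


class BurpExtender(IBurpExtender, IHttpListener):
    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        self._token = None  # most recent token seen in any response
        callbacks.setExtensionName("CSRFToken header sync (example)")  # assumed name
        callbacks.registerHttpListener(self)

    def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
        helpers = self._helpers
        if messageIsRequest:
            if self._token is None:
                return  # nothing learned yet; leave the request alone
            # Assumption: only touch in-scope requests so other hosts are not modified.
            url = helpers.analyzeRequest(messageInfo).getUrl()
            if not self._callbacks.isInScope(url):
                return
            raw = helpers.bytesToString(messageInfo.getRequest())
            fixed = set_header(raw, HEADER_NAME, self._token)
            messageInfo.setRequest(helpers.stringToBytes(fixed))
        else:
            response = messageInfo.getResponse()
            if response is None:
                return
            token = extract_token(helpers.bytesToString(response))
            if token:
                self._token = token
```

Because a macro's requests also pass through registered HTTP listeners, running a recovery macro that first fetches the login page and then posts the login is enough: the listener learns the token from the first response and rewrites the header on the second request before it is sent, which is the arrangement the reply above suggests instead of a custom session handling action.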

Burp User | Last updated: Jun 05, 2018 11:11AM UTC

Any progress on this feature request? I know header manipulation can be done with a plugin, but I think this should be default functionality to make life easier :) Searching google shows this question has been requested several times over the years, for example: https://support.portswigger.net/customer/portal/questions/11698880-how-do-i-change-a-http-header-value-for-active-scan-with-stored-state-file-.

Burp User | Last updated: Dec 07, 2018 09:49AM UTC

@Wouter, could you specify which plugin you use to make this happen? I tried different extensions and none are working fine for me. Add Custom Header finally worked when the request did not have the x-csrf header at all. For the requests where the header was present, it was not deleting and adding the new value.
