The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.


Update session cookie dynamically with server responses

GarlicCheese | Last updated: Oct 13, 2020 08:48AM UTC

Hello, I'm conducting a pentest of an infuriating application. The session is invalidated after about one minute and I'm redirected to the SSO solution. The SSO session is not invalidated, thus I'm given a new SAML response, with which I receive a new session. I've been biting my teeth out with the session handling and Burp macros. The process should be as follows:

- Check if the session is valid (request to /user; the session is valid if the response is not HTTP 302). (This is no problem with the Burp session handling rules.)
- If the session is invalid, request the URL from the /user HTTP 302 response. (I can't find a method to follow the redirect.)
- This page features a hidden HTML POST form, which is submitted automatically on load (JS); I need to send this form. (I can't find a method to parse/submit the hidden form.)
- The response to the form sets the new session cookie.

So basically:

- GET /user and check the response
- If GET /user is HTTP 302, follow the redirect
- POST the hidden form from the response
- Use the new cookie from the response

Would that be possible with Burp session handling/macros or am I hoping for too much? Alternatively I could use mitmproxy as an upstream proxy and script everything in Python, which seems like a bit overkill. Thank you - tgc
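The four-step loop described in the post (check /user, follow the 302 to the IdP, submit the auto-posting SAML form, pick up the new cookie) written out as an added Python example. This is not code from the original thread or from PortSwigger: the hostnames app.example and idp.example, the cookie names SESSION and IDPSESSION, the /saml/acs endpoint and the form field names are assumptions, and the fake transport at the bottom is a constructed stand-in for the real application and IdP so the example runs offline. The refresh logic takes the HTTP transport as a parameter, so the same function can be wrapped in a mitmproxy addon or a Burp extension's session handling action with a real HTTP client behind it.

```python
from dataclasses import dataclass
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urljoin, urlparse


@dataclass
class Response:
    status: int
    headers: Dict[str, str]   # lower-cased names, e.g. "location"
    set_cookie: List[str]     # raw Set-Cookie header values
    body: str
    url: str                  # URL the response was received from


# send(method, url, headers, body) -> Response; a real transport wraps urllib/requests
Transport = Callable[[str, str, Dict[str, str], Optional[str]], Response]
Jar = Dict[str, Dict[str, str]]  # host -> {cookie name: value}, kept per host


class HiddenFormParser(HTMLParser):
    """Capture action, method and named inputs of the first <form> on the page."""

    def __init__(self) -> None:
        super().__init__()
        self.action: Optional[str] = None
        self.method = "GET"
        self.fields: Dict[str, str] = {}
        self._in_form = self._done = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if self._done:
            return
        if tag == "form" and not self._in_form:
            self._in_form = True
            self.action = a.get("action")
            self.method = (a.get("method") or "GET").upper()
        elif tag == "input" and self._in_form and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form" and self._in_form:
            self._in_form, self._done = False, True


def parse_auto_submit_form(body: str) -> Tuple[Optional[str], str, Dict[str, str]]:
    p = HiddenFormParser()
    p.feed(body)
    return p.action, p.method, dict(p.fields)


def _request(send: Transport, jar: Jar, method: str, url: str, body: Optional[str] = None) -> Response:
    """Send one request with only that host's cookies attached, then absorb Set-Cookie."""
    host = urlparse(url).netloc
    headers: Dict[str, str] = {}
    if jar.get(host):
        headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in jar[host].items())
    if body is not None:
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    resp = send(method, url, headers, body)
    for raw in resp.set_cookie:
        c = SimpleCookie()
        c.load(raw)
        for name, morsel in c.items():
            jar.setdefault(urlparse(resp.url).netloc, {})[name] = morsel.value
    return resp


def refresh_session(send: Transport, jar: Jar, base_url: str, cookie_name: str, max_redirects: int = 5) -> str:
    """GET /user; on 302 walk to the IdP, submit its hidden POST form, return the (new) session cookie."""
    app_host = urlparse(base_url).netloc
    old = jar.get(app_host, {}).get(cookie_name)
    resp = _request(send, jar, "GET", urljoin(base_url, "/user"))
    if resp.status != 302:
        return old or ""                              # session still valid, nothing to do
    for _ in range(max_redirects):                    # follow the redirect chain to the SSO page
        if resp.status not in (301, 302, 303, 307, 308) or "location" not in resp.headers:
            break
        resp = _request(send, jar, "GET", urljoin(resp.url, resp.headers["location"]))
    if resp.status != 200:
        raise RuntimeError(f"SSO page not reachable: {resp.status} at {resp.url}")
    action, method, fields = parse_auto_submit_form(resp.body)
    if method != "POST" or not fields:
        raise RuntimeError("no auto-submitting POST form on the SSO page")
    resp = _request(send, jar, "POST", urljoin(resp.url, action or ""), urlencode(fields))
    new = jar.get(app_host, {}).get(cookie_name)
    if new is None or new == old:
        raise RuntimeError("assertion consumer did not issue a new session cookie")
    return new


def make_fake_sso() -> Tuple[Transport, set]:
    """Constructed app + IdP pair mirroring the behaviour described in the question."""
    valid: set = set()
    counter = [0]
    page = ('<html><body onload="document.forms[0].submit()">'
            '<form method="POST" action="https://app.example/saml/acs">'
            '<input type="hidden" name="SAMLResponse" value="PHNhbWxwOlJlc3BvbnNlLz4="/>'
            '<input type="hidden" name="RelayState" value="/user"/></form></body></html>')

    def send(method, url, headers, body):
        u = urlparse(url)
        c = SimpleCookie()
        c.load(headers.get("Cookie", ""))
        cookies = {k: m.value for k, m in c.items()}
        if (u.netloc, u.path) == ("app.example", "/user"):
            if cookies.get("SESSION") in valid:
                return Response(200, {}, [], "profile", url)
            return Response(302, {"location": "https://idp.example/sso?SAMLRequest=x"}, [], "", url)
        if (u.netloc, u.path) == ("idp.example", "/sso"):
            if cookies.get("IDPSESSION") != "idp-ok":   # IdP session gone: a full login would be needed
                return Response(401, {}, [], "login required", url)
            return Response(200, {}, [], page, url)
        if (u.netloc, u.path, method) == ("app.example", "/saml/acs", "POST"):
            if "SAMLResponse" not in dict(parse_qsl(body or "")):
                return Response(400, {}, [], "bad request", url)
            counter[0] += 1
            sid = f"sess{counter[0]}"
            valid.add(sid)
            return Response(302, {"location": "/user"}, [f"SESSION={sid}; Path=/; Secure; HttpOnly"], "", url)
        return Response(404, {}, [], "", url)

    return send, valid


def demo() -> Tuple[str, str, str]:
    send, valid = make_fake_sso()
    jar: Jar = {"app.example": {"SESSION": "expired"}, "idp.example": {"IDPSESSION": "idp-ok"}}
    first = refresh_session(send, jar, "https://app.example/", "SESSION")   # expired -> re-auth
    again = refresh_session(send, jar, "https://app.example/", "SESSION")   # still valid, unchanged
    valid.clear()                                                           # server expires it again
    third = refresh_session(send, jar, "https://app.example/", "SESSION")   # second re-auth
    return first, again, third
```

The cookie jar is keyed by host on purpose: the application cookie must not be sent to the IdP, and the IdP cookie (which stays valid, so no credentials are needed) must not be sent to the application. The parser takes the first form on the SSO page and requires it to be a POST with at least one named input, which is the shape of the SAML HTTP-POST binding; if the IdP page in your engagement is different, that check is the place to adjust.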

Uthman, PortSwigger Agent | Last updated: Oct 13, 2020 11:51AM UTC

You may be able to achieve this if you can manually perform the login and capture the requests. Your "check session is valid" rule would then replay those requests when an invalid session is detected. In terms of following redirections, have you looked at the options under Project options > HTTP > Redirections?

GarlicCheese | Last updated: Oct 13, 2020 12:10PM UTC

Thanks for the response! Unfortunately, I can manually perform the login and capture the requests, but I can't do this statically, as the requests depend on the responses of the preceding requests. The redirection following works mostly; however, the hidden form, which is automatically submitted via JS and posts the variable SSO data, is not recognized. Unfortunately I can't share a code sample, as it's subject to an NDA.

Uthman, PortSwigger Agent | Last updated: Oct 13, 2020 12:21PM UTC

Thanks a lot. I appreciate that you cannot share too much information. Have you tried using our new recorded login feature instead? - https://portswigger.net/burp/documentation/desktop/scanning/recorded-logins The above may not work if the login process involves a popup.

GarlicCheese | Last updated: Oct 14, 2020 08:30AM UTC

That sounds fantastic, I was not familiar with this feature! I'll give it a shot - thank you.

Uthman, PortSwigger Agent | Last updated: Oct 14, 2020 08:42AM UTC