Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Use macros and session handling with parameters in json

Schaepman | Last updated: Apr 01, 2021 10:08AM UTC

Hi, I am trying to configure macros and session handling to keep me connected on an application using auth0. I have to chain request and pass answers parameters value to next requests to be authenticated. It works fine when parameters are in a "classic form" (parameter_name=...) in a GET or POST request. I can create custom parameters from any element of the response, and update them in followin requests no problem. But then a POST request sends a token recieved in a previous response in a json (parameter is like { "token":"blahblah", "param2":"42",... }. No problem to extract the token as a custom parameter, but it does not appear then in the "parameter handling" field for the POST request with the json that have to include the token. Do you have any idea how I can manage this situation and include a custom parameter in a json of a POST request? Thanks a lot !

Uthman, PortSwigger Agent | Last updated: Apr 01, 2021 10:26AM UTC

Hi Aldo,

This is not currently available in Macros/Session handling rules but you can achieve this using the 'Authentication Token Obtain and Replace' extension. Can you please check it out below?


When this becomes natively available in Burp, we will update this thread.

Schaepman | Last updated: Apr 02, 2021 03:46PM UTC

Thanks Uthman, this is exactly what I needed ! Thanks also for everything you guys do at Portswigger, it's great.

Uthman, PortSwigger Agent | Last updated: Apr 06, 2021 07:57AM UTC

Thanks a lot for your feedback! :)

Oscar | Last updated: Feb 29, 2024 05:58AM UTC

Hi, is there any update on this? Has the ability to do this been added to "natively available"? I tried ATOR, but there is a bug in the 4th window, it wont match any region of the request after the first linebreak.

Michelle, PortSwigger Agent | Last updated: Feb 29, 2024 01:53PM UTC