![]() ![]() The macro editor screen, showing you an overview of all your selected macros. After you added all your calls, you can test the macro using the “ Test macro” button on the right side corner of your screen. You will now have to choose all the requests that are relevant to your applications authentication flow Pro tip: highlight your authentication calls in the proxy history tab, this will make them easier to find.īurp Suite will automatically trigger these calls and store the cookies in Burp’s cookie jar. When adding a macro, you will be redirected to a pop up screen with your HTTP history captured by Burp Suite. Our rule is now finished, and will now execute the reauth macro every time a response comes back that contains the text “session failed”. If this is the case we will run the re authentication macro. It is for the same reason that the “ Response body” option is ticked and we instructed Burp Suite to check if the string “ session failed” is in our request response. In our use case, the current request will tell us using the error body “ session failed” that our session is not valid anymore, which is why the “ Issue current request” is ticked. Here you can specify which request should be ran to check if the session is still valid or not. You should be redirected to the Session handling action editor. Once you have set your rule action, edit it by selecting the action and pressing the Edit button. In the rule actions click the “Add” button and choose Check session is valid. Keep this one, and add your own custom rule. In the first section of the screen you should now see a standard rule called “ use cookies from Burp’s cookie jar“. The “Sessions” section in Burp can be found under “Project Options” Burp Session rules In Burp, go to the “project options” tab and choose sessions ![]() Here is an example on how to achieve this: IF ("session failed" in response.body OR = 403 ): re-authenticate In this case pseudocode for this problem would look a little like this: Using this functionality, it is possible to trigger certain requests automatically given a certain condition. So, we needed to find a way to bypass these restrictive sessions! Burp Session Handling Rules to the rescue!įortunately for us, Burp Suite provides a solution for this called “Burp Session Handling Rules”. ![]() This presented a unique challenge, as most of our automated tools and techniques had no reliable way of working as the base requests that were being used as entry point, always contained invalid cookies as the lifetime of a session was about 2 minutes and the anti-CSRF token was unique per request (as it should be). In order to help us with this problem, would you be willing to implement an option to log Repeater and other tools into project files then make those logs available through Logger when project files are opened? Another useful change would be to add a method to the extension API to allow extensions to save data into project files.Recently, NVISO was tasked to do a penetration test on a web application that had very short authenticated sessions and that implemented anti CSRF tokens. I'm not aware of any way for extensions to save data into project files. Further, this needs to be individually enabled for every project there’s no option to automatically log to a file whose name is derived from the project name.ģ. However, these logs go to separate text files and our customer is insisting that everything be in the project file. This is awkward to set up and use if someone accidentally tests using instance B, then that will not be logged properly.Ģ.ěurp has logging for Repeater and other tools, which can be enabled using Project Options > Misc > Logging. Use two Burp instances, with instance B set as the upstream proxy of instance A, then do all testing in instance A and give the customer project files from instance B. We currently have the following options:ġ. This is currently difficult as while Burp’s project files store proxy history, they do not store history from Repeater or many other tools. One of our largest customers wants our consultants to submit Burp project files logging all project-related traffic to them after each pentest so that they can audit us.
0 Comments
Leave a Reply. |