How to handle session expiration in BURP with macros?



Let’s suppose you are performing a penetration test of a website. To send requests, you use the “Repeater” tool built into Burp. Unfortunately, the session lifetime on the site is set to a very low value, so you are logged out way too often. You must log in again to continue your work, and then copy the value of the new cookie into the old request. The whole procedure is not difficult but tedious – especially if you have to do it every few minutes. This process can be automated using Burp’s built-in macros.

Let’s look at an example. We see a simple login page here. After entering the login and password, our session ID is displayed. In this exaggerated example, our session will expire after 2 seconds. Then we receive the login form. When logging in again, we see the changed ID. Thanks to this, we know that from the server’s point of view, we use a completely different session.

Let’s try to automate the whole process. To do this, go to the “Project options” tab and then “Sessions”. We create a new rule by clicking the “Add” button. We can give it a descriptive name for clarity. A rule can consist of many actions. We are interested in the one named “Check session is valid”.

Now we need to determine when our session is not valid. For this, we will try to find a specific string in the server’s response. In our case, if the server returns the login form, it means that we have been logged out. So we’ll be looking for a field called “Log In”. Whenever such a field is found, we want to automatically perform some action – in this case, log in. We will use a macro – a set of requests sent to the site. From the requests we have previously sent, we choose the one in which we fill out the login form. And that’s all.

The last step is to set the scope – that is, define when the whole procedure should be performed. We want to use it only in the Repeater. In addition, it only applies to one specific domain.

Now we can test the whole thing in practice. The whole scheme will not always work immediately. To check it step by step, it is worth opening the “Sessions tracker” window for diagnostic purposes. We now remove the previous cookie from our request. As you can see, we received a session ID in response. Looking at the details, we can see that Burp recognized that the session was invalid, so it sent an additional request to the server – the one we set in the macro details. The resulting cookie was automatically attached to our request. In the case where the session had not yet expired, Burp did not find the “Log in” string, so it assumed that everything was fine and finished the whole procedure without additional requests.

Everything is quick, easy and nice with just a few clicks. And this is just a sneak peek of the power hidden in macros. If you liked it, leave a thumbs up and subscribe to this channel. See you soon, bye!
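The rule configured above comes down to three steps: look for the logged-out marker in the response, replay the recorded login request if it is found, and reissue the original request with the new cookie. The Python model below is an added example, not part of the original post and not Burp's own code; `ToyApp`, `SessionRule`, the credentials and the `sid-N` cookie format are constructed for illustration.

```python
import itertools
import time

class ToyApp:
    """Constructed stand-in for the demo site: sessions expire after `ttl` seconds."""
    def __init__(self, ttl=2.0, clock=time.monotonic):
        self.ttl, self.clock = ttl, clock
        self.sessions = {}                      # session id -> expiry time
        self._ids = itertools.count(1)

    def login(self, user, password):
        """The login form submission; returns a fresh session cookie or None."""
        if (user, password) != ("tester", "secret"):   # constructed credentials
            return None
        sid = f"sid-{next(self._ids)}"
        self.sessions[sid] = self.clock() + self.ttl
        return sid

    def page(self, cookie):
        """Protected page: shows the session ID, or the login form when logged out."""
        if self.sessions.get(cookie, 0) > self.clock():
            return f"<p>Your session ID: {cookie}</p>"
        return '<form><input type="submit" value="Log In"></form>'

class SessionRule:
    """Models the rule: check the session is valid, run the macro if it is not."""
    def __init__(self, app, invalid_marker="Log In"):
        self.app, self.marker = app, invalid_marker
        self.cookie_jar = None                  # cookie attached to outgoing requests
        self.macro_runs = 0                     # what the sessions tracker would show

    def macro(self):
        """Replay the recorded login request and store the resulting cookie."""
        self.macro_runs += 1
        self.cookie_jar = self.app.login("tester", "secret")

    def send(self):
        body = self.app.page(self.cookie_jar)
        if self.marker in body:                 # login form returned: session invalid
            self.macro()
            body = self.app.page(self.cookie_jar)   # reissue with the new cookie
        return body

if __name__ == "__main__":
    rule = SessionRule(ToyApp(ttl=2.0))
    print(rule.send(), rule.macro_runs)         # first request: macro logs in
    time.sleep(2.1)                             # let the 2-second session expire
    print(rule.send(), rule.macro_runs)         # macro runs again, new session ID
```

A marker string that also appears on authenticated pages would make the rule log in on every request, which is why the check uses text that only the login form contains.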
