But these measures also work against the person doing penetration testing on these web applications, because maintaining an active session across the many requests sent to the server becomes difficult. The web application might terminate your session because of a timeout or for other reasons, and all subsequent requests made to the server are then invalidated.

While using Burp for web application active scanning, there may be a whole lot of requests pending in the "Active Scan Queue", but do all of these requests contain the active "Sessionid"? From where does Burp pick up the latest session information? I have often pondered these questions while looking at the big "Scan Queue" and wondered whether all these requests were sent successfully to the server, or whether the response was "Session Expired. Please Login" and all the hard work spent crawling the application was in vain.

With Burp v1.4, Burp introduced a new module called "Sessions" to give you control over how Burp handles the application's sessions. Burp now provides three important configuration options to help you troubleshoot your sessions and state. We will look at all three options in detail, followed by an example.

We will look into the cookie jar first because, even if you don't define any custom session handling rule or macro, it plays an important role in keeping your session active. As the name suggests, it stores all the cookies issued by all the web applications you visited (obviously, in the browser where Burp is the proxy, or through Burp's tools). Burp lets the user select which Burp tools' traffic to monitor and, based on the selection, it updates the cookie jar with any newly set cookies. By default, it monitors the "Proxy" and "Spider" tools. Monitoring "Proxy" reflects the active browser session's cookies in the cookie jar. You can also view the contents of the cookie jar by clicking on "Open cookie jar" and, if necessary, update those cookies manually.

A macro is a set of instructions used to perform an action such as logging into an application, checking whether a session is valid, etc. When you click on "Add" in the Macro section, it opens a "Macro Recorder" for you, displaying the proxy history. You can now select a single request or multiple requests for the operation you want the macro to perform. You can configure the macro further by clicking on the "Configure Item" button. It has three configurable sections: Cookie Handling, Parameter Handling, and Custom Parameter Locations.

Cookie handling lets you configure the macro request to use the current cookies in the cookie jar and to update the cookie jar from the response. For every parameter in the request, parameter handling lets you set it to a fixed value or to a value derived from a previous response. Although Burp identifies the parameter's location in the response automatically, sometimes you will still want the ability to specify and customize it: you just have to tell Burp the location of the parameter in the response and its name in the subsequent request.

Burp gives its users the ability to define session handling rules. Every rule comprises the actions to be taken and the scope of the rule.
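As an added illustration (not code from the original post, and not Burp's own implementation), the following Python models the three mechanisms described above: a cookie jar updated from responses, a login macro whose second request takes a parameter derived from the previous response via a custom location, and a rule that checks the session is valid within its scope and re-runs the macro before resending. The application, its paths, the cookie name and the token value are constructed for the example.

```python
import re
# Constructed stand-in for the target application (not a real server): a login form
# carrying a token, a login endpoint that issues a session cookie, and protected
# pages that answer "Session Expired. Please Login" when the cookie is not valid.
class MockApp:
    def __init__(self):
        self.valid, self.n = set(), 0
    def handle(self, path, cookies, params):  # -> (status, cookies set, body)
        if path == "/form":
            return 200, {}, '<input name="csrf" value="tok123">'
        if path == "/login":
            if params.get("csrf") != "tok123":
                return 403, {}, "bad csrf"
            self.n += 1
            self.valid.add(f"sid{self.n}")
            return 200, {"JSESSIONID": f"sid{self.n}"}, "welcome"
        if cookies.get("JSESSIONID") in self.valid:
            return 200, {}, f"data for {cookies['JSESSIONID']}"
        return 200, {}, "Session Expired. Please Login"
    def expire_all(self):
        self.valid.clear()

# The macro: an ordered list of requests. A parameter is either a fixed value or
# ("derive", regex), i.e. a custom parameter location in the previous response.
LOGIN_MACRO = [
    {"path": "/form", "params": {}},
    {"path": "/login", "params": {"csrf": ("derive", r'name="csrf" value="([^"]+)"')}},
]
def run_macro(app, jar, macro=LOGIN_MACRO):
    prev_body = ""
    for step in macro:
        params = {}
        for name, value in step["params"].items():
            # parameter handling: fixed value, or derived from the previous response
            params[name] = re.search(value[1], prev_body).group(1) if isinstance(value, tuple) else value
        _, set_cookies, prev_body = app.handle(step["path"], dict(jar), params)
        jar.update(set_cookies)  # cookie handling: feed response cookies back into the jar
    return prev_body

# The rule: a scope (URL prefix) plus actions: check that the session is valid,
# run the login macro if it is not, then re-issue the original request.
def send_with_rule(app, jar, path, scope="/api"):
    _, set_cookies, body = app.handle(path, dict(jar), {})
    jar.update(set_cookies)
    if path.startswith(scope) and "Session Expired" in body:
        run_macro(app, jar)
        _, set_cookies, body = app.handle(path, dict(jar), {})
        jar.update(set_cookies)
    return body
```

A request outside the rule's scope is sent as-is, so an expired session there still returns the login message; that is the same effect a too-narrow scope has in Burp.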