12-01-2020 / Burp_en

How to handle session expiration in Burp with macros?

Let's suppose you are performing a penetration test of a website.

To send requests, you use the "Repeater" tool built into the Burp package.

Unfortunately, the session lifetime on the site is set to a very low value.

You are logged out way too often.

You must log in again to continue your work.

Then you copy the value of the new cookie to the old request.

The whole procedure is not difficult but tedious - especially if you have to do it every few minutes.

Simple login form

But this process can be automated using Burp's built-in macros.

Let's look at an example.

We see a simple login page here.

After entering the login and password, our session ID is displayed.

Session expired after 2 seconds

In this exaggerated example, our session will expire after 2 seconds.

Then we receive the login form.

When logging in again, we see the changed ID.

Changed ID

Thanks to this, we know that from the server's point of view, we use a completely different session.

Let's try to automate the whole process.

Sessions tab

To do this, go to the Project options tab and then Sessions.

We create a new rule by clicking the "Add" button.

We can name it properly for clarity.

A rule can consist of many actions.

Check session is valid rule

We are interested in the one named: Check session is valid.

Now we need to determine when our session is not valid.

For this, we will try to find a specific string in the server's response.

In our case, if the server returns the login form - it means that we have been logged out.

So we'll be looking for a field called Log In.

When session expired

Whenever such a field is found, we want to automatically perform some action - in this case, log in.

Run macro

We will use a macro - a set of requests sent to the site.

From the requests we have previously sent, we choose the one in which we fill out the login form.

Choose request used to login

And that's all.

The last step is to set the scope - that is, define when the whole procedure should be performed.

We want to use it only in the Repeater.

In addition, it only applies to one specific domain.

Macro scope

Now we can test the whole thing in practice.

The whole scheme will not always work immediately.

To check it step by step, it is worth opening the "Sessions tracker" window for diagnostic purposes.

We now remove the previous cookie from our request.

Sessions tracker window

As you can see, we received a session ID in response.

Looking at the details, we can see that Burp recognized that the session was invalid, so it sent an additional request to the server: the one we set in the macro details.

The resulting cookie was automatically attached to our request.

If the session has not expired yet, Burp does not find the Log in string, so it assumes that everything is fine and finishes the whole procedure without additional requests.
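The decision flow of this rule, sketched in Python as an added example (a simplified model, not Burp's own code): send the request, look for the "Log In" string, and only when it appears run the login macro, store the new cookie and replay. `ToyApp`, `send_with_rule`, the credentials and the response bodies are constructed for illustration, and time is passed in explicitly so the run is deterministic.

```python
import secrets

class ToyApp:
    """Constructed stand-in for the demo site: sessions die after `ttl` seconds."""
    def __init__(self, ttl=2.0):
        self.ttl, self.sessions, self.logins = ttl, {}, 0

    def login(self, user, password, now):
        # The macro request: submit the login form, receive a new session cookie.
        self.logins += 1
        sid = secrets.token_hex(8)
        self.sessions[sid] = now + self.ttl
        return {"cookie": sid, "body": f"Session ID: {sid}"}

    def get(self, cookie, now):
        # Valid session: show its ID. Unknown or expired: show the login form.
        if self.sessions.get(cookie, 0) > now:
            return {"cookie": cookie, "body": f"Session ID: {cookie}"}
        return {"cookie": None,
                "body": "<form><input type=submit value='Log In'></form>"}

INVALID_MARKER = "Log In"  # string whose presence means "we were logged out"

def send_with_rule(app, jar, now, creds=("user", "pass")):
    """Issue the request; if the response contains the marker, run the
    login macro, update the cookie jar and replay the original request."""
    trace = ["request"]
    resp = app.get(jar.get("session"), now)
    if INVALID_MARKER in resp["body"]:
        trace.append("macro:login")
        jar["session"] = app.login(*creds, now)["cookie"]
        resp = app.get(jar["session"], now)
        trace.append("replay")
    return resp, trace

if __name__ == "__main__":
    app, jar = ToyApp(ttl=2.0), {}
    for t in (0.0, 1.0, 3.0):  # no cookie, still valid, expired
        resp, trace = send_with_rule(app, jar, now=t)
        print(f"t={t}: {trace} -> {resp['body']}")
```

The `trace` list plays the role of the Sessions tracker: a valid session yields a single `request` entry, an expired one shows the extra macro request and the replay.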

Everything is quick, easy and nice with just a few clicks.

And this is just a sneak peek of the power hidden in macros.