Let’s suppose you are performing a penetration test of a website. To send requests, you use the “Repeater” tool built into the Burp package. Unfortunately, the session lifetime on the site is set to a very low value. You are logged out way too often.
You must log in again to continue your work. Then you copy the value of the new cookie to the old request. The whole procedure is not difficult but tedious - especially if you have to do it every few minutes.
But this process can be automated using Burp’s built-in macros. Let’s look at an example. We see a simple login page here. After entering the login and password, our session ID is displayed.
In this exaggerated example, our session will expire after 2 seconds. Then we receive the login form. When logging in again, we see the changed ID.
Thanks to this, we know that from the server’s point of view, we use a completely different session. Let’s try to automate the whole process.
To do this, go to the Project options tab and then
We create a new rule by clicking the “Add” button.
We can name it properly for clarity.
A rule can consist of many actions.
We are interested in the one named “Check session is valid”.
Now we need to determine when our session is not valid.
For this, we will try to find a specific string in the server’s response.
In our case, if the server returns the login form - it means that we have been logged out.
So we’ll be looking for a field called
Whenever such a field is found, we want to automatically perform some action - in this case, log in.
We will use a macro - a set of requests sent to the site. From the requests we have previously sent, we choose the one in which we fill out the login form.
And that’s all. The last step is to set the scope - that is, define when the whole procedure should be performed. We want to use it only in the Repeater. In addition, it only applies to one specific domain.
Now we can test the whole thing in practice.
The whole scheme will not always work immediately.
To check it step by step, it is worth opening the Sessions tracker window for diagnostic purposes.
We now remove the previous cookie from our request.
As you can see, we received a session ID in response.
Looking at the details, we can see that Burp recognized that the session was incorrect, so it sent an additional request to the server, which we set in the macro details.
The resulting cookie was automatically attached to our request.
When the session had not yet expired, Burp did not find the “Log in” string, so it assumed that everything was fine and finished the whole procedure without additional requests.
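The decision logic of the rule described above, sketched outside Burp as an added example (not Burp's code and not from the original post). `DemoApp`, `SessionRule`, the credentials and the response bodies are constructed stand-ins for the demo site; time is passed in explicitly so the 2-second expiry can be exercised without waiting.

```python
import itertools

# Assumption: this text appears only in the login form, never on authenticated pages.
LOGIN_MARKER = "Log in"

class DemoApp:
    """Constructed stand-in for the demo site; sessions expire after `ttl` seconds."""
    def __init__(self, ttl=2.0):
        self.ttl, self.expiry, self._ids = ttl, {}, itertools.count(1)

    def login(self, user, password, now):
        sid = f"sess-{next(self._ids)}"        # fresh ID on every login
        self.expiry[sid] = now + self.ttl
        return sid

    def page(self, cookie, now):
        if self.expiry.get(cookie, 0.0) > now:
            return f"Your session ID: {cookie}"
        return '<form><input name="user"><input name="pass"><button>Log in</button></form>'

class SessionRule:
    """Mirrors the rule: check the response, run the login macro if logged out."""
    def __init__(self, app, user, password):
        self.app, self.creds, self.cookie, self.macro_runs = app, (user, password), None, 0

    def session_is_valid(self, body):
        return LOGIN_MARKER not in body

    def send(self, now):
        body = self.app.page(self.cookie, now)
        if self.session_is_valid(body):
            return body                         # still logged in: no extra requests
        self.cookie = self.app.login(*self.creds, now)   # the "macro"
        self.macro_runs += 1
        body = self.app.page(self.cookie, now)  # replay with the new cookie
        if not self.session_is_valid(body):
            # Fail loudly instead of looping: wrong credentials or a bad marker.
            raise RuntimeError("login macro did not restore the session")
        return body

def demo():
    app = DemoApp(ttl=2.0)
    rule = SessionRule(app, "tester", "constructed-password")
    bodies = [rule.send(now=t) for t in (0.0, 1.0, 3.5)]  # 3.5 s is past expiry
    return bodies, rule.macro_runs

if __name__ == "__main__":
    print(demo())
```

The marker choice is the fragile part: if the same string also occurs on pages served to a logged-in user, the macro runs on every request.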
Everything is quick, easy and nice with just a few clicks. And this is just a sneak peek of the power hidden in macros.