Waiting for an authenticated session – PortSwigger

Professional

During testing, certain actions may cause an application to terminate your session. For example, an application may automatically lock you out if you enter suspicious input. This can prevent you from doing something like the Burp Intruder eclipse.

Burp lets you configure session management rules to automatically return to the application. The session handling rule determines whether a session is valid. If invalid, runs a macro to update session cookies and log back in.

You can follow the process below using gindjuice.shop, our intentionally exposed demo site. The process consists of three steps:

  1. Identifying a valid login expression.
  2. Configuring session handling rule.
  3. Checking session management rules.

Identify the correct entry expression

Before configuring the session management rule, you need to identify the expression found in the response after successful login:

  1. In Burp’s browser, try logging into the target site with incorrect credentials.
  2. Log in using valid credentials. If you are using ginandjuice.shopare the correct credentials.
    carlos:hunter2.
  3. go to Proxy > HTTP history And after successful logging, examine the message history to identify the expression found only in the reply. For example, if you are using
    ginandjuice.shopof GET/ my-account Contains the response phrase Your
    username is
    .

You use this expression in your session handling rules to determine whether a session is valid.

Configuring session management rules

To configure a session management rule that allows you to maintain an authenticated session:

  1. Click settings to open settings Speech
  2. root Sessions > Session Management RulesClick Add. of Session management rule editor It opens.
  3. Go to Scope Tab. Select the devices and URLs you want the rule to apply to. In most cases, use the default device scope and suit URL scope.
  4. Go to Details Tab. Add a special rule statement.
  5. root Control the stepsClick Addthen select Checkout session is valid. From the drop down menu. of Session management action editor It opens.
  6. root Examine the response to determine the correctness of the session, define an expression found in a valid input response. This should be the expression you defined earlier. Also describe the aspects of each in-bound response that Burp should examine for its description:

    • area(s) – Select the areas in the response that you want Burp to check.
    • Find an expression – Specify the expression found in a valid login response.
    • Type of match – Select whether the expression is a literal string or a regex.
    • Case-sensitivity – Choose whether the expression is case sensitive or insensitive.
    • The match indicates – Select Working session.
    Specifying A Valid Entry Response Statement
  7. root Define behavior based on the validity of the sessionchoose If the session is incorrect, perform the step below > Skip Macro.
  8. Click Add. of Macro editor And Macro recorder Connections are opened.
  9. in the Macro recorder dialog, select Login Requests and then click all right. If you are usingginandjuice.shopselect both GET/ login And POST/ login Questions.

    Choose Input Questions For Your Macro
  10. Click all right To close all open connections. The rule has been added to the list of session management rules.

Checking session management rules

It’s a good idea to make sure the session management rule works. To do this:

  1. Exit the website in the Burp browser.
  2. in Proxy > HTTP history, identify the request of the page you need to enter. For example, if you are using
    ginandjuice.shopYou can use it GET /my-account The request page should now contain an invalid session cookie.
  3. Right click on the question and select it Send to repeater.
  4. Go to Repetitive Tab and send the request. Note that session cookies are updated automatically.
  5. Review the response to confirm your successful login.
Successful Session Management Rule

We offer you some site tools and assistance to get the best result in daily life by taking advantage of simple experiences

 
Please enable / Bitte aktiviere JavaScript!
Veuillez activer / Por favor activa el Javascript! [ ? ]