Professional
During testing, certain actions may cause an application to terminate your session. For example, an application may automatically log you out if you enter suspicious input. This can prevent you from doing things like running a Burp Intruder attack.
Burp enables you to configure session handling rules that automatically log back in to the application. A session handling rule determines whether the current session is valid. If it is invalid, the rule runs a macro that updates the session cookie and logs back in.
You can follow the process below using ginandjuice.shop, our deliberately vulnerable demo site. The process consists of three steps:
- Identifying a valid login expression.
- Configuring the session handling rule.
- Testing the session handling rule.
Identifying a valid login expression
Before you configure the session handling rule, you need to identify an expression that appears in a response only after a successful login:
- In Burp's browser, try logging in to the target site with incorrect credentials.
- Log in with valid credentials. If you are using ginandjuice.shop, the correct credentials are carlos:hunter2.
- Go to Proxy > HTTP history. After the successful login, examine the message history to identify an expression that appears only in the logged-in response. For example, if you are using ginandjuice.shop, the response to GET /my-account contains the phrase "Your username is".
You will use this expression in your session handling rule to determine whether the session is valid.
Configuring the session handling rule
To configure a session handling rule that enables you to maintain an authenticated session:
- Click Settings to open the Settings dialog.
- Under Sessions > Session handling rules, click Add. The Session handling rule editor opens.
- Go to the Scope tab. Select the tools and URLs that you want the rule to apply to. In most cases, use the default tool scope and the suite URL scope.
- Go to the Details tab. Add a description for the rule.
- Under Rule actions, click Add and select Check session is valid from the drop-down menu. The Session handling action editor opens.
- Under Inspect response to determine session validity, define the expression that appears in a valid login response. This should be the expression you identified earlier. Also specify which parts of each incoming response Burp should inspect for that expression:
  - Location(s) – Select the areas of the response that you want Burp to check.
  - Look for expression – Specify the expression that appears in a valid login response.
  - Match type – Select whether the expression is a literal string or a regex.
  - Case sensitivity – Choose whether the expression is case-sensitive or case-insensitive.
  - Match indicates – Select Valid session.
- Under Define behavior dependent on session validity, select If session is invalid, perform the action below > Run a macro.
- Click Add. The Macro editor and Macro recorder dialogs open.
- In the Macro recorder dialog, select the login requests and click OK. If you are using ginandjuice.shop, select both the GET /login and POST /login requests.
- Click OK to close all open dialogs. The rule is added to the list of session handling rules.
Testing the session handling rule
It's a good idea to check that the session handling rule works. To do this:
- Log out of the website in Burp's browser.
- In Proxy > HTTP history, identify a request for a page that requires you to be logged in. For example, if you are using ginandjuice.shop, you can use GET /my-account. The request should now contain an invalid session cookie.
- Right-click the request and select Send to Repeater.
- Go to the Repeater tab and send the request. Notice that the session cookie is updated automatically.
- Review the response to confirm that you are successfully logged in.
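The following is an added example, not code from Burp or from ginandjuice.shop: it models what the rule configured above does, so you can see why the expression, match type, case sensitivity and "Match indicates" settings matter. The FakeShop class and the cookie values it issues are constructed for the example; SessionCheck mirrors the Check session is valid settings, and send_with_rule mirrors "if the session is invalid, run a macro and resend".

```python
import re
from dataclasses import dataclass
# Constructed stand-in for ginandjuice.shop (not the real site's code): a correct
# POST /login issues a session cookie; GET /my-account works only while it is valid.
class FakeShop:
    def __init__(self):
        self.valid, self.counter = set(), 0
    def post_login(self, username, password):
        if (username, password) != ("carlos", "hunter2"):
            return {"status": 401, "headers": {}, "body": "Invalid username or password"}
        self.counter += 1
        cookie = f"session={self.counter}"
        self.valid.add(cookie)
        return {"status": 302, "headers": {"Set-Cookie": cookie}, "body": ""}
    def get_my_account(self, cookie):
        if cookie in self.valid:
            return {"status": 200, "headers": {}, "body": "<p>Your username is: carlos</p>"}
        return {"status": 302, "headers": {"Location": "/login"}, "body": ""}
    def logout(self, cookie):
        self.valid.discard(cookie)

@dataclass
class SessionCheck:
    """'Check session is valid' settings: expression, location(s), match type, case."""
    expression: str
    locations: tuple = ("body",)
    regex: bool = False
    case_sensitive: bool = True
    match_indicates_valid: bool = True   # 'Match indicates' valid vs. invalid session
    def session_is_valid(self, response):
        parts = []
        if "headers" in self.locations:
            parts += [f"{k}: {v}" for k, v in response["headers"].items()]
        if "body" in self.locations:
            parts.append(response["body"])
        pattern = self.expression if self.regex else re.escape(self.expression)
        flags = 0 if self.case_sensitive else re.IGNORECASE
        found = re.search(pattern, "\n".join(parts), flags) is not None
        return found == self.match_indicates_valid

def login_macro(shop):
    """The recorded macro: replay POST /login and return the fresh session cookie."""
    return shop.post_login("carlos", "hunter2")["headers"]["Set-Cookie"]
def send_with_rule(shop, cookie, check, macro):
    """Rule behaviour: send, inspect; if invalid, run the macro, update the cookie, resend."""
    response = shop.get_my_account(cookie)
    if check.session_is_valid(response):
        return cookie, response, False  # session still valid, no macro needed
    cookie = macro(shop)
    return cookie, shop.get_my_account(cookie), True
```

A case-sensitive literal check for "your username is" would wrongly report every logged-in response as invalid and trigger the macro on each request, which is why the expression should be copied exactly from the observed response.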