Sunday, November 18, 2012

Burp suite tips and tricks - Macros

The aim of this article is to demonstrate session handling rules and macros in Burp Suite. Sometimes, while we are doing a web application penetration test, the session is terminated, either because of a timeout (irrespective of activity) or because the application forcefully terminates it while we are tampering with parameters. This sucks!

There is a way in Burp Suite to continue scanning/testing without interruption, using the built-in macros and cookie jar. While there are many other uses of the macro and cookie jar feature, I will be exploring only login automation.

  • Log in to the application using valid credentials.
  • Go to Options -> Sessions. Under the “Macros” tab, click “New”.
  • Select the requests that are required to log in to the application. In this case, the POST request and the GET request that follows the redirect.
  • You can test the macro using the “Test macro” option. Check the response to see whether you are logged in to the application. If you are not authenticated, repeat the above step.
  • Click the “Done” button.
  • Click the “New” button under the session handling section.
  • Enter the “Rule description” and click the “New” button under the Rule actions section. Select the “Check session is valid” action.
  • Note that in the example application, when the user is logged out he is redirected to the login page, and the login page contains the string “Sign in”. Based on this expression we can determine whether the session is valid or invalid.
  • Enter the expression “Sign off” as below. (The checkboxes are self-explanatory.)
  • Select the checkbox -> match indicates -> invalid session (right?)
  • Then define the behavior, i.e. what happens if the above condition is satisfied. Select the “Run a macro” option and choose the macro we created, in this case “Session checker”; this macro logs in to the application. Click the “Done” button.
  • Go to the Scope tab and select “Include all URLs”. If any customization is needed, it can be done here. Click the “Done” button.
  • Now log out of the application.
  • I had sent an internal request to Repeater prior to logging off, meaning the session ID in the request below is now invalid.
  • Click the “Go” button. You can observe from the response that you are logged in. How did that happen?
  • Let us check the session tracer. Here you can clearly see that the cookie jar was updated by running the macro, based on the condition provided (“Sign off”, remember?).
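To make the rule's logic concrete, here is an added Python sketch (my own, not Burp's code or the post's) that reproduces what the session handling rule does, against a constructed in-memory stand-in for the application: the “Check session is valid” regex, the login macro (the POST plus the GET after the redirect), the cookie jar update, and the reissued request. The `match_indicates_invalid` flag lets you see both ways of writing the check: matching the login page's “Sign in” with a match meaning invalid, or matching “Sign off” with a match meaning valid. `DemoApp`, the credentials and the paths are all assumptions.

```python
import re
import itertools

class DemoApp:
    # Constructed stand-in for the target application (not a real server): a JSESSIONID
    # works only while it is in the active set; otherwise the login page ("Sign in") is served.
    def __init__(self):
        self.active, self.ids = set(), itertools.count(1)
    def handle(self, method, path, cookies, body=None):
        if (method, path) == ("POST", "/login"):
            if body != {"user": "alice", "pass": "s3cret"}:  # constructed credentials
                return 200, {}, "<h1>Sign in</h1><p>Bad credentials</p>"
            sid = f"sess{next(self.ids)}"
            self.active.add(sid)
            return 302, {"Set-Cookie": f"JSESSIONID={sid}; Path=/", "Location": "/home"}, ""
        if cookies.get("JSESSIONID") not in self.active:
            return 200, {}, "<h1>Sign in</h1><form action='/login'></form>"
        return 200, {}, f"<h1>Welcome</h1><a href='/logout'>Sign off</a> {path}"

class SessionRule:
    # Mirrors a Burp session handling rule: "Check session is valid" matches a regex against
    # the response; if that says invalid, run the login macro, let its Set-Cookie headers
    # update the cookie jar, then reissue the original request with the fresh cookie.
    def __init__(self, app, pattern, match_indicates_invalid, macro):
        self.app, self.regex, self.macro = app, re.compile(pattern), macro
        self.match_indicates_invalid = match_indicates_invalid
        self.cookie_jar, self.tracer = {}, []  # tracer: cookie jar after each macro run
    def _update_jar(self, headers):
        if "Set-Cookie" in headers:
            name, value = headers["Set-Cookie"].split(";", 1)[0].split("=", 1)
            self.cookie_jar[name] = value
    def run_macro(self):
        for method, path, body in self.macro:
            _, headers, _ = self.app.handle(method, path, dict(self.cookie_jar), body)
            self._update_jar(headers)
        self.tracer.append(dict(self.cookie_jar))
    def send(self, method, path, body=None):
        status, _, page = self.app.handle(method, path, dict(self.cookie_jar), body)
        if bool(self.regex.search(page)) == self.match_indicates_invalid:  # judged invalid
            self.run_macro()
            status, _, page = self.app.handle(method, path, dict(self.cookie_jar), body)
        return status, page

LOGIN_MACRO = [("POST", "/login", {"user": "alice", "pass": "s3cret"}), ("GET", "/home", None)]

def demo(pattern, match_indicates_invalid):
    app = DemoApp()
    rule = SessionRule(app, pattern, match_indicates_invalid, LOGIN_MACRO)
    rule.send("GET", "/account")                             # no cookie yet: macro logs in
    app.active.discard(rule.cookie_jar.get("JSESSIONID"))    # server-side logout, as in the post
    return rule.send("GET", "/account")[1], len(rule.tracer)
```

With “Sign off” and the checkbox set to “match indicates invalid session”, the welcome page is judged invalid and the login page valid, so the macro never fires and the request stays logged out; the other two configurations both re-login after the logout.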

