Automated Session Handling with Burp Macros
@_riddhishree
Next 30 minutes:
- The Problem Statement - Repeated manual login
- Proposed Solution - Automated session handling
- But How???
The Problem
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/5607019/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/5607038/pasted-from-clipboard.png)
The Solution
- Find the session identifying keyword
- Create a "Login Macro"
- Test your macro
- Add a "Session Handling Rule"
- Test the session handling rule
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/5607116/1.jpg)
Find the Session Identifying Keyword
- As an unauthenticated user, go to the "/index.jsp" page of the Security Shepherd application
- Observe the response in Burp
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/5607953/13.png)
Create a Login Macro
- Start Burp
- Go to Login page
- Enter credentials
- Submit the login form
- In Burp, go to "Project Options" > "Sessions" > "Macros"
- Click on "Add" > "Record Macro"
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/5607881/2.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/5607975/16.png)
Test the Macro
- Click on "Test Macro"
- Validate the response for each of the selected requests
- If satisfied with the response, click on "OK"
- Else, see the other available controls and make an intuitive guess
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/5607926/7.png)
Create Session Handling Rule
- In Burp, go to "Project Options" > "Sessions" > "Session Handling Rules"
- Click on "Add" > "Add"
- Select "Check session is valid" option
- Configure keyword
- If session is invalid, run the login macro
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/5607939/11.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/5608005/12.png)
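As an added example (not Burp's or Security Shepherd's code), the same check-keyword / run-login-macro / update-cookie-jar loop written in plain Python against a constructed in-memory target, so it runs offline; the "/login" path, the JSESSIONID cookie name and the "<title>Login</title>" keyword are assumptions standing in for whatever your own keyword hunt on "/index.jsp" turns up.

```python
# Added example: what a "check session is valid" rule with a login macro does.
# The target app, its login path, cookie name and keyword are all constructed.
from dataclasses import dataclass, field

INVALID_SESSION_KEYWORD = "<title>Login</title>"  # assumed marker of a logged-out response


@dataclass
class FakeTarget:
    """Constructed stand-in for the target: each session is valid for `ttl` requests."""
    ttl: int = 3
    sessions: dict = field(default_factory=dict)
    logins: int = 0

    def request(self, path, cookies):
        if path == "/login":                      # the request the login macro replays
            self.logins += 1
            sid = f"sess{self.logins}"
            self.sessions[sid] = self.ttl
            return 302, "", {"JSESSIONID": sid}   # Set-Cookie from the login response
        sid = cookies.get("JSESSIONID")
        if self.sessions.get(sid, 0) <= 0:        # missing or expired session
            return 200, "<html><title>Login</title></html>", {}
        self.sessions[sid] -= 1
        return 200, f"<html>Lesson page for {sid}</html>", {}


class SessionHandler:
    """Equivalent of the Burp rule: cookie jar + keyword check + login macro."""

    def __init__(self, target):
        self.target = target
        self.cookie_jar = {}  # Burp's cookie jar, refreshed from macro responses

    def login_macro(self):
        _, _, set_cookie = self.target.request("/login", {})
        self.cookie_jar.update(set_cookie)

    def is_session_valid(self, body):
        return INVALID_SESSION_KEYWORD not in body

    def get(self, path):
        status, body, set_cookie = self.target.request(path, self.cookie_jar)
        self.cookie_jar.update(set_cookie)
        if not self.is_session_valid(body):
            self.login_macro()  # rule action: run the macro, then re-issue the request once
            status, body, set_cookie = self.target.request(path, self.cookie_jar)
            self.cookie_jar.update(set_cookie)
        return status, body
```

The rule re-issues the original request only once after the macro, so a failing login surfaces as the keyword page rather than an endless login loop, which is also the failure you see in Burp's sessions tracer when the macro itself is broken.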
Set the Scope
In the session handling rule editor, select "Proxy" and "Use suite scope"
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/5608007/20.png)
Configure Cookie Jar
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/5608010/21.png)
Test Session Handling Rule
- In Burp, go to "Project Options" > "Sessions" > "Session Handling Rules"
- Click on "Open sessions tracer"
- As an unauthenticated user, access the target web application
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/5608001/17.png)
Image references
- https://www.technobezz.com/files/uploads/2015/02/How-To-Fix-Facebook-App-Session-Expired-Error.jpg
- http://www.lisenme.com/wp-content/uploads/2017/08/login_session-750x410.jpg
Automated Session Handling Using Burp Macros
By Riddhi Shree Chaurasia