Automated Session Handling with Burp Macros

@_riddhishree

Next 30 minutes:

• The Problem Statement - Repeated manual login
• Proposed Solution - Automated session handling
• But How???

The Problem

The Solution

1. Find the session identifying keyword
2. Create a "Login Macro"
3. Test your macro
4. Add a "Session Handling Rule"
5. Test the session handling rule

Find the Session Identifying Keyword

1. As an unauthorized user, go to "/index.jsp" page of Security Shepherd application
2. Observe the response in Burp

Create a Login Macro

1. Start Burp
2. Go to Login page
3. Enter credentials
4. Submit the login form
5. In Burp, go to "Project Options" > "Sessions" > "Macros"
6. Click on "Add" > "Record Macro"

Test the Macro

1. Click on "Test Macro"
2. Validate the response for each of the selected request
3. If satisfied with the response, click on "OK"
4. Else, see the other available controls and make an intuitive guess 

Create Session Handling Rule

1. In Burp, go to "Project Options" > "Sessions" > "Session Handling Rules"
2. Click on "Add" > "Add"
3. Select "Check session is valid" option
4. Configure keyword
5. If session is invalid, run the login macro

Set the Scope

In session handling rule editor, select "Proxy" and "Use suite scope"

Configure Cookie Jar

Test Session Handling Rule

1. In Burp, go to "Project Options" > "Sessions" > "Session Handling Rules"
2. Click on "Open sessions tracer"
3. As an unauthenticated user, access the target web application

Image references

• https://www.technobezz.com/files/uploads/2015/02/How-To-Fix-Facebook-App-Session-Expired-Error.jpg
• http://www.lisenme.com/wp-content/uploads/2017/08/login_session-750x410.jpg