Automated Session Handling with Burp Macros
@_riddhishree
Next 30 minutes:
- The Problem Statement - Repeated manual login
- Proposed Solution - Automated session handling
- But How???
The Problem
The Solution
- Find the session identifying keyword
- Create a "Login Macro"
- Test your macro
- Add a "Session Handling Rule"
- Test the session handling rule
Find the Session Identifying Keyword
- As an unauthorized user, go to "/index.jsp" page of Security Shepherd application
- Observe the response in Burp
Create a Login Macro
- Start Burp
- Go to Login page
- Enter credentials
- Submit the login form
- In Burp, go to "Project Options" > "Sessions" > "Macros"
- Click on "Add" > "Record Macro"
Test the Macro
- Click on "Test Macro"
- Validate the response for each of the selected request
- If satisfied with the response, click on "OK"
- Else, see the other available controls and make an intuitive guess
Create Session Handling Rule
- In Burp, go to "Project Options" > "Sessions" > "Session Handling Rules"
- Click on "Add" > "Add"
- Select "Check session is valid" option
- Configure keyword
- If session is invalid, run the login macro
Set the Scope
In session handling rule editor, select "Proxy" and "Use suite scope"
Configure Cookie Jar
Test Session Handling Rule
- In Burp, go to "Project Options" > "Sessions" > "Session Handling Rules"
- Click on "Open sessions tracer"
- As an unauthenticated user, access the target web application
Image references
- https://www.technobezz.com/files/uploads/2015/02/How-To-Fix-Facebook-App-Session-Expired-Error.jpg
- http://www.lisenme.com/wp-content/uploads/2017/08/login_session-750x410.jpg
Automated Session Handling with Burp Macros @_riddhishree