Sample Burp Suite extension: Session Tokens

This example demonstrates how you can couple a recorded macro with an extension to automatically obtain a session token for a website and attach it to later requests that Burp makes.

Burp's macro mechanism lets you record, via the proxy, the request that triggers creation of a session. To make the demo self-contained we provide a NodeJS server that is vulnerable to XSS, but only for requests that carry a valid session token.

First, to create the macro:

Burp / Project options / Sessions -> Macros -> Add

[Screenshot: Macro UI]

Inspecting the response to the recorded request shows that the web server issues a session token, in this case in a response header named X-Custom-Session-Id.

[Screenshot: Response Session Token]

Now you need to use this knowledge to build an extension. By registering with callbacks.registerSessionHandlingAction(this); and implementing the ISessionHandlingAction interface, your extension gets to inspect the result of the macro, which Burp passes as the second parameter of

public void performAction(IHttpRequestResponse currentRequest, IHttpRequestResponse[] macroItems)

and can use it to rewrite the first parameter, i.e. the request Burp is about to send. In this demo that is a proxied request, but the same action can rewrite requests made by any of Burp's tools, e.g. the Scanner or Repeater, depending on the scope you give the session handling rule.
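An extension of that shape, written here as an added example rather than taken from this repository: it assumes the legacy Burp Extender API (the burp package interfaces named above) and the X-Custom-Session-Id header from the walkthrough, reads the token from the last macro response that carries it, and replaces any stale copy of the header on the current request before adding the fresh value.

```java
package burp;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example (not the repository's own code): a session handling action that
// copies the session token issued in the macro's response onto the request Burp
// is about to send. Assumes the header name used in the walkthrough.
public class BurpExtender implements IBurpExtender, ISessionHandlingAction {

    private static final String SESSION_HEADER = "X-Custom-Session-Id";

    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Session Tokens");
        // Makes this action selectable when building a session handling rule
        callbacks.registerSessionHandlingAction(this);
    }

    @Override
    public String getActionName() {
        return "Copy " + SESSION_HEADER + " from macro response";
    }

    @Override
    public void performAction(IHttpRequestResponse currentRequest,
                              IHttpRequestResponse[] macroItems) {
        if (macroItems == null || macroItems.length == 0) {
            callbacks.printError("No macro attached to this rule; request left unchanged");
            return;
        }

        // Walk the macro items in order and keep the last response carrying the
        // token, so a multi-step macro (e.g. login followed by a redirect) still works.
        String token = null;
        for (IHttpRequestResponse item : macroItems) {
            byte[] response = item.getResponse();
            if (response == null) {
                continue;
            }
            String found = findHeaderValue(helpers.analyzeResponse(response).getHeaders());
            if (found != null) {
                token = found;
            }
        }
        if (token == null) {
            callbacks.printError("Macro response had no " + SESSION_HEADER
                    + " header; request left unchanged");
            return;
        }

        // Rebuild the current request: drop any stale copy of the header, add the fresh one.
        // buildHttpMessage recomputes Content-Length for the supplied body.
        byte[] request = currentRequest.getRequest();
        IRequestInfo info = helpers.analyzeRequest(currentRequest);
        List<String> headers = new ArrayList<>();
        for (String h : info.getHeaders()) {
            if (!headerNameMatches(h)) {
                headers.add(h);
            }
        }
        headers.add(SESSION_HEADER + ": " + token);

        byte[] body = Arrays.copyOfRange(request, info.getBodyOffset(), request.length);
        currentRequest.setRequest(helpers.buildHttpMessage(headers, body));
    }

    // Returns the value of SESSION_HEADER from a list of "Name: value" header lines,
    // or null if absent. Burp's header lists start with the request/status line,
    // which has no colon-separated name and so never matches.
    private static String findHeaderValue(List<String> headers) {
        for (String h : headers) {
            if (headerNameMatches(h)) {
                return h.substring(h.indexOf(':') + 1).trim();
            }
        }
        return null;
    }

    // HTTP header names are case-insensitive, so compare them that way.
    private static boolean headerNameMatches(String headerLine) {
        int colon = headerLine.indexOf(':');
        return colon > 0
                && headerLine.substring(0, colon).trim().equalsIgnoreCase(SESSION_HEADER);
    }
}
```

Once loaded, the action appears under "Invoke a Burp extension" when you add a rule action; select the macro recorded above as the rule's first action so that macroItems is populated by the time performAction runs. Leaving the request untouched (and logging to the extension's Errors tab) when the macro yields no token is deliberate: a scan that silently sends requests with a fabricated or empty header is harder to debug than one whose requests are plainly unauthenticated.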

Now to link these together in a Session handling rule:

Burp / Project options / Sessions -> Session Handling Rule -> Add Session handling rule

[Screenshot: Session Handling]

Now restrict the rule's scope: pick the tools it applies to (the Scanner, and the Proxy if you also want the token added while browsing) and limit the URL scope to the local test site, so the token is never sent to other hosts:

[Screenshot: Session Proxy]

Now, when you run an active scan against the local site, Burp reports the XSS: every scanner request is rewritten by the rule to carry the custom session token, so the server treats the injected payload as coming from a valid session.

[Screenshot: XSS]