WAF Cookie Fetcher - A Burp Suite Extension

This extension registers custom session handling rule actions which can...

Overview

WAF Cookie Fetcher screenshot

WAF Cookie Fetcher is a Burp Suite extension which allows web application security testers to register various types of cookie-related session handling actions to be performed by the Burp session handling rules.

The extension can be used to add cookies to Burp's cookie jar which originate from a WAF or other bot defense system but are set in the browser using client-side code. Burp cannot normally detect updates to the values of these cookies without a request from the browser, which will not happen automatically during active scanning, Intruder attacks and the like. Therefore, when the obfuscated new cookie value, or the code to calculate that value, is sent by the WAF's bot defense system, Burp doesn't update its cookie jar. This means that any requests which don't contain the updated value will be blocked, which makes it very difficult to use important Burp features such as the Scanner and Intruder when these bot defenses have been employed.

WAF Cookie Fetcher defeats these defense techniques by generating a generic PhantomJS script and calling the PhantomJS binary with the necessary parameters to run it. The script loads the web page and waits for the JavaScript to set the cookie, which is then returned by PhantomJS and picked up by the Burp extension. Tests showed that calling the PhantomJS binary was quicker than using Selenium and similar frameworks. Using the binary directly also means that there are fewer dependencies to run WAF Cookie Fetcher.
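The mechanism described above, as an added example that is not the extension's own code: a Python helper that generates the PhantomJS script, runs the binary, and parses the cookies PhantomJS prints back. Function names, the `__example_token` cookie name and the sample output are assumptions constructed for the example.

```python
"""Added example (not the project's own code): fetch cookies set by
client-side JavaScript by generating and running a PhantomJS script."""
import json
import os
import subprocess
import tempfile

# PhantomJS script template. It opens the URL, waits wait_ms for page
# JavaScript to set cookies, then prints the requested cookies as JSON.
PHANTOM_TEMPLATE = """
var page = require('webpage').create();
var url = %(url)s, names = %(names)s, waitMs = %(wait)d;
page.open(url, function () {
    setTimeout(function () {
        var found = {};
        phantom.cookies.forEach(function (c) {
            if (names.indexOf(c.name) !== -1) { found[c.name] = c.value; }
        });
        console.log(JSON.stringify(found));
        phantom.exit();
    }, waitMs);
});
"""

def build_phantomjs_script(url, cookie_names, wait_ms):
    # json.dumps yields valid JavaScript literals for the URL and name list
    return PHANTOM_TEMPLATE % {"url": json.dumps(url),
                               "names": json.dumps(list(cookie_names)),
                               "wait": int(wait_ms)}

def parse_phantomjs_output(stdout, cookie_names):
    # Page scripts may log noise before our JSON line, so scan from the end
    # for the first line that parses as an object and keep only wanted names.
    for line in reversed(stdout.splitlines()):
        line = line.strip()
        if line.startswith("{"):
            try:
                data = json.loads(line)
            except ValueError:
                continue
            return {n: data[n] for n in cookie_names if n in data}
    return {}

def fetch_cookies(phantomjs_path, url, cookie_names, wait_ms, extra_args=()):
    script = build_phantomjs_script(url, cookie_names, wait_ms)
    with tempfile.NamedTemporaryFile("w", suffix=".js", delete=False) as f:
        f.write(script)
        path = f.name
    try:  # optional PhantomJS arguments go before the script path
        out = subprocess.check_output([phantomjs_path] + list(extra_args) + [path],
                                      timeout=wait_ms / 1000.0 + 30)
    finally:
        os.unlink(path)
    return parse_phantomjs_output(out.decode("utf-8", "replace"), cookie_names)
```

`fetch_cookies` returns a name-to-value dict ready to be written into Burp's cookie jar for the configured domain; a missing cookie is simply absent from the result rather than raising.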

The other action types allow features such as the removal of specific named cookies from Burp's cookie jar, and the ability to empty the whole jar. These additional features add some helpful flexibility when using more complex session handling rulesets, to ensure the session remains valid by avoiding problematic cookies or to ensure specific application code-paths are properly tested.

Requirements

Demo instructions

A lab page is provided (hosted on GitHub Pages) to try out the extension.

Load the WAF Cookie Fetcher extension in Burp. By default the extension contains the correct settings for the demo.

  1. Click on the "Demo" button, which will populate the purple fields shown in the screenshot below.
  2. Click on the "Add..." button which will populate the green field.
  3. Go to the Repeater tab and use the automatically added WCF Demo request.

WAF Cookie Fetcher demo screenshot

If a cookie appears and its value changes every time you click "Go" in Repeater, then the demo is working. As you will be able to see, the JavaScript response from the server is obfuscated, but WAF Cookie Fetcher is obtaining the correct value and placing it in the cookie jar, and Burp is then adding it to the Repeater request.

WAF Cookie Fetcher demo screenshot

Usage

Burp session rules best practice

WAF Cookie Fetcher settings for obtaining cookies

The settings/fields shown in the following screenshot are explained in this section.

WAF Cookie Fetcher settings screenshot

Set cookies to be valid for domain

Path to PhantomJS binary

Optional PhantomJS arguments

Obtain cookies from this URL

Milliseconds that PhantomJS should wait for cookies to be set

Cookies to obtain

Adding the session handling action

Using the rule

WAF Cookie Fetcher Roadmap

This project is still under development.

Potential future improvements:

Potential future features may include:

Contribute

Contributions, feedback and ideas will be appreciated.

License notice

Copyright (C) 2017-2018 Paul Taylor

See LICENSE file for details.