Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/portswigger/example-custom-session-tokens

Last synced: 7 days ago
JSON representation

Host: GitHub
URL: https://github.com/portswigger/example-custom-session-tokens
Owner: PortSwigger
Created: 2017-04-05T22:45:58.000Z (over 7 years ago)
Default Branch: master
Last Pushed: 2021-12-23T00:16:12.000Z (almost 3 years ago)
Last Synced: 2023-09-07T06:46:14.736Z (about 1 year ago)
Language: Java
Size: 85.9 KB
Stars: 4
Watchers: 2
Forks: 3
Open Issues: 1
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

        # Sample Burp Suite extension: Session Tokens

This example demonstrates how you can couple a recorded macro with an extension

to automatically gain a session token for a website and use it in later requests

that Burp makes.

The macro mechanism that Burp provides allows you to record the request

triggering creation of a session made via the proxy. To facilitate this demo we

provide a NodeJS server that allows you to inject XSS but only for a given

session.

First, to create the macro:

Burp / Project options / Sessions -> Macros -> Add

![Macro UI](macro1.png)

Upon inspection you can see in the response to the request that the webserver

provides a session token, in this case as a header named `X-Custom-Session-Id`.

![Response Session Token](macro2.png)

Now you need to use this knowledge to build an extenion. By registering using

`callbacks.registerSessionHandlingAction(this);` and implementing the 

`ISessionHandlingAction` interface your extension can inspect the result of the

macro, provided in the second parameter of

```java

public void performAction(IHttpRequestResponse currentRequest, IHttpRequestResponse[] macroItems)

```

using this knowledge to alter the first parameter, i.e. the current request that

Burp is handling, which in this case will be a proxied request, but can rewrite

requests made by any of Burp's tools, e.g. the Scanner or Repeater.

Now to link these together in a Session handling rule:

Burp / Project options / Sessions -> Session Handling Rule -> Add Session handling rule

![Session Handling](sessionhandling.png)

Now you can configure Burp to use this rule for Scanning and only when

browsing the local site:

![Session Proxy](sessiontools.png)

Now, when performing an active scan in Burp, you will find XSS as Burp is able

to carry a custom session token across requests:

![XSS](xss.png)