Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/portswigger/example-custom-session-tokens
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/portswigger/example-custom-session-tokens
- Owner: PortSwigger
- Created: 2017-04-05T22:45:58.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2021-12-23T00:16:12.000Z (about 3 years ago)
- Last Synced: 2023-09-07T06:46:14.736Z (over 1 year ago)
- Language: Java
- Size: 85.9 KB
- Stars: 4
- Watchers: 2
- Forks: 3
- Open Issues: 1
Metadata Files:
- Readme: README.md
README
# Sample Burp Suite extension: Session Tokens
This example demonstrates how you can couple a recorded macro with an extension
to automatically obtain a session token for a website and use it in later requests
that Burp makes.

The macro mechanism that Burp provides allows you to record, via the proxy, the
request that triggers creation of a session. To facilitate this demo we
provide a NodeJS server that allows you to inject XSS, but only for a given
session.

First, to create the macro:
Burp / Project options / Sessions -> Macros -> Add
![Macro UI](macro1.png)
Upon inspection you can see that the response to the request contains a session
token issued by the web server, in this case in a header named `X-Custom-Session-Id`.

![Response Session Token](macro2.png)
Now you need to use this knowledge to build an extension. By registering with
`callbacks.registerSessionHandlingAction(this);` and implementing the
`ISessionHandlingAction` interface, your extension can inspect the result of the
macro, provided in the second parameter of
```java
public void performAction(IHttpRequestResponse currentRequest, IHttpRequestResponse[] macroItems)
```
and use it to alter the first parameter, i.e. the current request that
Burp is handling. In this case that will be a proxied request, but the same
action can rewrite requests made by any of Burp's tools, e.g. the Scanner or Repeater.

Now to link these together in a session handling rule:
Burp / Project options / Sessions -> Session Handling Rule -> Add Session handling rule
![Session Handling](sessionhandling.png)
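The session handling action described above, as an added example that is not the repository's own code: it reads the `X-Custom-Session-Id` header from the macro's final response and sets it on the current request, replacing any stale copy. The class name `BurpExtender` is what the legacy Extender API loads; the extension name, searching macro items from the last one backwards, and leaving the request untouched when no token is found are assumptions.

```java
package burp;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Copies the X-Custom-Session-Id value issued by the macro's final response into the
// request Burp is about to send. Header name is from the README; the rest is assumed.
public class BurpExtender implements IBurpExtender, ISessionHandlingAction {
    private static final String HEADER = "X-Custom-Session-Id";
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Custom session token example");
        callbacks.registerSessionHandlingAction(this);
    }

    @Override
    public String getActionName() { return "Apply " + HEADER + " from macro"; }

    @Override
    public void performAction(IHttpRequestResponse currentRequest, IHttpRequestResponse[] macroItems) {
        // Search macro responses from the last backwards: the final step issues the token.
        String token = null;
        for (int i = macroItems.length - 1; i >= 0 && token == null; i--) {
            byte[] resp = macroItems[i].getResponse();
            if (resp != null) token = headerValue(helpers.analyzeResponse(resp).getHeaders());
        }
        if (token == null) return; // macro produced no token: leave the request unchanged
        // Rebuild the request, dropping any stale copy of the header and keeping the body.
        byte[] req = currentRequest.getRequest();
        IRequestInfo info = helpers.analyzeRequest(req);
        List<String> headers = new ArrayList<>();
        for (String h : info.getHeaders()) {
            if (headerValue(Arrays.asList(h)) == null) headers.add(h); // skip old token header
        }
        headers.add(HEADER + ": " + token);
        byte[] body = Arrays.copyOfRange(req, info.getBodyOffset(), req.length);
        currentRequest.setRequest(helpers.buildHttpMessage(headers, body));
    }

    // Value of the session header from a header list, or null when it is absent.
    private static String headerValue(List<String> headers) {
        for (String h : headers) {
            int colon = h.indexOf(':');
            if (colon > 0 && h.substring(0, colon).trim().equalsIgnoreCase(HEADER)) return h.substring(colon + 1).trim();
        }
        return null;
    }
}
```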
Now you can configure Burp to use this rule for Scanning, and only when
browsing the local site:

![Session Proxy](sessiontools.png)
Now, when performing an active scan in Burp, you will find the XSS, as Burp is able
to carry the custom session token across requests:

![XSS](xss.png)