PROFESSIONALCOMMUNITY

Maintaining an authenticated session

• Last updated: July 6, 2023

• Read time: 3 Minutes

When testing, some actions may result in an application terminating your session. For example, an application may automatically log you out if you submit suspicious input. This may prevent you from performing an action like fuzzing with Burp Intruder.

Burp enables you to configure a session handling rule to automatically log back into an application. The session handling rule determines whether a session is valid. If it's invalid, it will run a macro to update the session cookies and log back in.

You can follow along with the process below using ginandjuice.shop, our deliberately vulnerable demonstration site. The process consists of three steps:

1. Identifying a valid login expression.
2. Configuring a session handling rule.
3. Checking the session handling rule.

Identifying a valid login expression

Before you configure a session handling rule, you need to identify an expression that is found in the response after a successful login:

1. In Burp's browser, attempt to log in to the target site with incorrect credentials.
2. Log in using correct credentials. If you're using ginandjuice.shop, the correct credentials are carlos:hunter2.
3. Go to Proxy > HTTP history and examine the message history to identify an expression that is only found in the response after a successful login. For example, if you're using ginandjuice.shop, the GET/ my-account response contains the phrase Your username is.

You will use this expression in your session handling rule to determine whether a session is valid.

Configuring a session handling rule

To configure a session handling rule that enables you to maintain an authenticated session:

1. Click Settings to open the Settings dialog.
2. Under Sessions > Session handling rules, click Add. The Session handling rule editor opens.
3. Go to the Scope tab. Select the tools and URLs that you want the rule to apply to. In most cases, use the default tool scope and the suite URL scope.
4. Go to the Details tab. Add a unique rule description.
5. Under Rule actions, click Add, then select Check session is valid from the drop-down menu. The Session handling action editor opens.

6. Under Inspect response to determine session validity, specify the expression that is found in a valid login response. This should be the expression you identified earlier. Also specify the aspects of each in-scope response that Burp should inspect for the expression:

   • Location(s) - Select the locations in the response that you want Burp to inspect.
   • Look for expression - Specify the expression that is found in a valid login response.
   • Match type - Select whether the expression is a literal string or regex.
   • Case-sensitivity - Select whether the expression is case-sensitive or insensitive.
   • Match indicates - Select Valid session.
   
7. Under Define behavior dependent on session validity, select If session is invalid, perform the action below > Run a macro.
8. Click Add. The Macro editor and Macro recorder dialogs open.

9. In the Macro recorder dialog, select the login requests, then click OK. If you're usingginandjuice.shop, select both the GET/ login and POST/ login requests.

   
10. Click OK to close all open dialogs. The rule is added to the list of session handling rules.

Checking the session handling rule

It's a good idea to check that the session handling rule works. To do this:

1. In Burp's browser, logout of the website.
2. In Proxy > HTTP history, identify a request for a page that you need to be logged in to access. For example, if you're using ginandjuice.shop, you can use a GET /my-account request. The page should contain a session cookie that is now invalid.
3. Right-click the request and select Send to Repeater.
4. Go to the Repeater tab and send the request. Notice that the session cookies automatically update.
5. Review the response to confirm that you've logged in successfully.