Server sends HTTP 302 and is terminating session because of wrong sessionid. Incorrect: preflight Makro GET /settings/ is sent with incorrect/old sessionid (sessionid=hp) in cookie. Important: server responds with a Set-Cookie: sessionid=nv!ģ. Correct: Scanner sends POST /settings/ with correct sessionid=hp in cookie and updated csrftoken in multipart and cookie. Correct: preflight Makro GET /settings/, server returns HTTP 200 with csrf token in HTML and Set-Cookie for csrftokenĢ. Use Logger++ plugin (log from all tools) to see what's the problem (Tool that is causing the trouble is "Scanner" for alle the following 3 requests):ġ. Actively scan the multipart POST request to /settings/ when saving the settings. Leave the "Add cookies received in responses to the session handling cookie jar" and "Use cookies from the session handling cookie jar in request" enabled. Parse out csrfmiddlewaretoken from the hidden form field (custom parameter). For makro use a GET request to /settings/ URL with no further URL/Body parameters. Remember, Burp Scanner can scan for vulnerabilities on independent APIs, not on logically dependent APIs. Leave the "Update current request with cookies from session handling cookie jar" to update all cookies. Don’t forget to check Burp Suite’s limitations for Scanning APIs. ![]() Chose "Update current request with parameters matched from final macro response" to "Update only the following parameters:" csrfmiddlewaretoken. Add a session handling rule, scoped to all tools except Proxy, Restrict to requests containing "csrfmiddlewaretoken" parameter. ![]() Configure default session handling rule for cookies so that the scope includes scanner, extender, spider ![]() Add a throttle of 1 seconds to my plugin (it has such an option), probably doesn't matter as the problem occurs before my plugin even starts. Add a throttle of 1 seconds between requests for active scans Disable all scanner checks in "Active Scanning Areas" The Makro is not always using the latest cookie that came back in a Set-Cookie header response. I found a potential bug in Burp's Makro/Session handling. The whole project is available under the GNU General Public License v3.So because I need some testcases for my new burp plugin I tried scanning the Hackerone bug bounty program of. gradlew build and you'll have the plugin ready in
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |