
Extension for session handling not loaded

Jan Oetting May 12, 2017 09:37AM UTC

Hi,
I use Extensions together with macros and macro-postprocessing Extensions (for Session Management and Relogin).

Generally the concept works.
From time to time (every other hour) I get alerts ("Configured Burp extension session handling is not loaded: ...")

To fix this, I currently reconfigure the Session handling rule to remove the extension action handler, restart Burp, add the session handler again and restart again.

This is quite annoying. I currently don't understand the reason why the session handling is not loaded.
Maybe there is some problem during loading, an exception is thrown or something.
Could somebody tell me what method to look at, what exception to catch, to fix this problem?

Kind Regards
Jan


Dafydd Stuttard May 15, 2017 10:19AM UTC Support Center agent

Thanks for this report.

When this problem occurs, is your extension still loaded correctly? So the only problem is that the configured session handling rule has lost its association with the extension-provided action? Or has the extension itself failed to load for some reason?


Jan Oetting May 15, 2017 08:11PM UTC
Hi Dafydd,
The extension itself is there and works (but without the session handling not really useful).
I start the extension from my IDE (Eclipse).
Only the association is lost in a bad way.

In the alert section I got the info, that there is the problem, but
I don't see any exception/message related to the root cause.

Jan Oetting May 16, 2017 05:13AM UTC
One additional info:
sometimes (like 1 in 5) the alert section does not display the real name, but just displays null:
Configured Burp extension session handling is not loaded: null

although the corresponding method just returns a constant string.

The constructor of the SessionHandlingAction just does this:
this.callbacks = callback;

I need the callback for later processing.

Jan Oetting May 16, 2017 05:51AM UTC
Hi Dafydd,

one additional info could be important:
At the beginning I need to do a login. For some reasons related to cookie management I cannot hardcode the necessary calls but use a macro and call my postprocessing with session management rules.
I use the "workaround" that you described somewhere else and call a defined URL that triggers the macro.

Maybe this is really a bad workaround and causes the problems?

I basically need the macro because of the powerful Cookie.Jar.
In the API of "getCookieJarContents" it is documented that we should only get and update the Cookie.jar with an Extension of ISessionHandlingAction.
If I could extract the cookies via API from my initialisation phase maybe I could get around the macro. A first test shows I only get an empty cookie list.

Do you have a recommendation for me how to handle my automated login?


Dafydd Stuttard May 16, 2017 07:57AM UTC Support Center agent

Thanks for the further detail. We’ll investigate this further and try to reproduce the problem you observed.

Regarding getCookieJarContents() and updateCookieJar(), you can call these from anywhere in your code. There is no restriction to only calling them from within session handling actions – that is just mentioned in the documentation as an example of a common use case.


Jan Oetting May 17, 2017 01:16PM UTC
Hi Dafydd,

thanks for the info.
I could now work around the issue.
Thanks to direct access to the cookieJar I don't need the macros anymore.
So there is currently no urgent problem.

This is also better for code sharing with team colleagues.
The macros are in huge persistence files and I cannot export them as a configuration file.
This could be something for improvement.

Dafydd Stuttard May 17, 2017 03:47PM UTC Support Center agent

Glad you got things working.

It should be possible to create a simple configuration file containing your macros. Go to the macros options, click the “gear” button, and select “save options”. This will create a JSON-based config file for just the macro options, which can easily be shared and loaded into another instance of Burp.


Mike Smith May 30, 2017 01:29PM UTC Support Center agent

Hi Jan

We’ve been investigating the issue with the extension-provided session rule not loading and, as far as we can see, Burp is operating correctly.

When the Burp session rule is created the extension-provided rule name is stored. Every time the session rule is triggered it looks up the rule from the name. If the extension is loaded, its rule will be associated with that name and the rule will run.

When Burp starts up it can take a considerable period of time for all the extensions to load, especially if there are a lot of Python or Ruby extensions. If the session rule is triggered during this time and your extension has not yet loaded, the rule will not run and you will see the alert.

As soon as your extension has loaded, its session rule will be registered and it will run the next time the session rule is triggered. There is no need to remove or re-add the session rule or restart Burp.

Hope that helps.
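
Added example, not part of the thread and not code from Jan or PortSwigger: a Java extension for the legacy Burp Extender API that registers its session handling action under a constant name as the first step of loading (the name is what the rule looks up, as described above) and builds the Cookie header straight from the cookie jar without a macro. The action name and extension name are made up for illustration; the code compiles against the Burp Extender API interfaces.

```java
package burp;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.List;

public class BurpExtender implements IBurpExtender, ISessionHandlingAction {
    // Burp stores this name in the session handling rule and looks the action up by it.
    private static final String ACTION_NAME = "Apply cookie jar (example)"; // hypothetical name
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Cookie jar session example"); // hypothetical name
        // Register before any slow start-up work so the rule's name resolves as early as possible.
        callbacks.registerSessionHandlingAction(this);
    }

    @Override
    public String getActionName() { return ACTION_NAME; }

    @Override
    public void performAction(IHttpRequestResponse current, IHttpRequestResponse[] macroItems) {
        try {
            String host = current.getHttpService().getHost().toLowerCase();
            List<String> pairs = new ArrayList<>();
            for (ICookie c : callbacks.getCookieJarContents()) {
                if (c.getDomain() == null) continue;
                String d = c.getDomain().toLowerCase().replaceFirst("^\\.", "");
                boolean expired = c.getExpiration() != null && c.getExpiration().before(new Date());
                if (!expired && (host.equals(d) || host.endsWith("." + d)))
                    pairs.add(c.getName() + "=" + c.getValue());
            }
            if (pairs.isEmpty()) return; // nothing in the jar for this host: leave the request alone
            IRequestInfo info = helpers.analyzeRequest(current);
            List<String> headers = new ArrayList<>();
            for (String h : info.getHeaders()) if (!h.toLowerCase().startsWith("cookie:")) headers.add(h);
            headers.add("Cookie: " + String.join("; ", pairs)); // replaces any Cookie header already present
            byte[] req = current.getRequest();
            byte[] body = Arrays.copyOfRange(req, info.getBodyOffset(), req.length);
            current.setRequest(helpers.buildHttpMessage(headers, body));
        } catch (RuntimeException e) {
            callbacks.printError("performAction failed: " + e); // visible in the extension's error output
        }
    }
}
```

An extension-side login would store the cookies it receives with `callbacks.updateCookieJar(...)`; that step is application-specific and left out here.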

