Name is required.
Email address is required.
Invalid email address
Answer is required.
Exceeding max length of 5KB

Emptying cookie jar with new session

Andrej Simko May 23, 2018 02:23PM UTC

When I have a name of the cookie which is changing with different sessions (cookie name is dynamic as well), Burp stores each new name in the cookie jar and then sends it within the requests.

Within a session management, it would be great to have a checkbox. When the session is deemed invalid, Burp would clear the entire cookie jar. In such a case, all the new cookies would be valid (since the session management is performed afterwards) and there wouldn't be problems with dynamic values and having many different session cookies sent in the same time.
Thanks,
Andrej


Paul Johnston May 24, 2018 09:24AM UTC Support Center agent

Hi Andrej,

I agree, this would be a useful feature. We will look at including this when we next work on Session Handling Rules.

In the meantime, you can use the WAF Cookie Fetcher extension. This provides a Session Handling Action to empty the cookie jar. To use it, in the session handling action editor, select “After running the macro, invoke a Burp extension action handler” then choose “Empty cookie jar”

Let me know how you get on.


Andrej Simko May 25, 2018 01:53PM UTC
Thank you Paul, I was not aware of such extension.
However, if I understand it correctly, when I would empty cookie jar *after* the session management macro, I would then loose all the session cookies. My use-case would need to do this action after out-of-session is detected, but before new session is triggered.
Thanks again,
Andrej

Paul Johnston May 29, 2018 09:20AM UTC Support Center agent

Hi Andrej,

I don’t if you tried this. If not, it would be worth trying, as it may work. Failing that, you would need to code a custom extension. It shouldn’t be particularly difficult though. You could analyze the macro response using IExtensionHelpers.analyzeResponse and get all the parameter names that are cookies. You could then delete everything else from the cookie jar.

Please let us know if you need any further assistance.


Michael Mar 28, 2019 08:12PM UTC
The WAF Cookie Fetcher no longer works. What are the methods we can use to delete cookies from the cookie jar? I'm not able to find a method to remove a cookie from a cookie jar or even a method to update a cookie.

Liam Tai-Hogan Apr 16, 2019 10:42AM UTC Support Center agent

Michael, what issues are you having with the WAF Cookie Fetcher? Have you updated to the latest version of Burp?


Michael Apr 17, 2019 06:27PM UTC
I'm using version 1.7.21. This is the issue https://github.com/bao7uo/waf-cookie-fetcher/issues/6

Paul Johnston Apr 18, 2019 10:45AM UTC Support Center agent

I just verified that the delete cookie function still works in Burp:

- https://gist.github.com/pajswigger/1d528a8745c7427adabd5cd1eb21cb56

I’ve mentioned the issue to the extension author but not heard back beyond his original holding reply.


Post Your public answer

Your name
Your email address
Answer