Emptying cookie jar with new session
When the name of a cookie changes between sessions (the cookie name is dynamic as well), Burp stores each new name in the cookie jar and then sends it within the requests.
Within session management, it would be great to have a checkbox. When the session is deemed invalid, Burp would clear the entire cookie jar. In such a case, all the new cookies would be valid (since the session management is performed afterwards) and there wouldn't be problems with dynamic values and many different session cookies being sent at the same time.
I agree, this would be a useful feature. We will look at including this when we next work on Session Handling Rules.
In the meantime, you can use the WAF Cookie Fetcher extension. This provides a Session Handling Action to empty the cookie jar. To use it, in the session handling action editor, select “After running the macro, invoke a Burp extension action handler” and then choose “Empty cookie jar”.
Let me know how you get on.
However, if I understand correctly, if I emptied the cookie jar *after* the session management macro, I would then lose all the session cookies. My use case would need this action after out-of-session is detected, but before the new session is triggered.
I don’t know if you tried this. If not, it would be worth trying, as it may work. Failing that, you would need to code a custom extension. It shouldn’t be particularly difficult, though. You could analyze the macro response using IExtensionHelpers.analyzeResponse and get all the parameter names that are cookies. You could then delete everything else from the cookie jar.
Please let us know if you need any further assistance.
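The custom extension sketched in the reply above, written out as an added example. This is not code from the thread, from the WAF Cookie Fetcher extension or from the linked gist; it is written against Burp's legacy Extender API (the burp.* interfaces). It assumes the action is placed after the "Run a macro" action in the session handling rule, so that macroItems carries the macro's responses, and it assumes the legacy-API convention that passing updateCookieJar a cookie whose getValue() returns null removes that cookie from the jar. Verify both assumptions against your Burp version before relying on it. The class name DeletedCookie and the action name are mine.

```java
package burp;

import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Session handling action: keep only the cookies the macro just set,
// delete everything else from Burp's cookie jar.
public class BurpExtender implements IBurpExtender, ISessionHandlingAction {
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Prune cookies not set by macro");
        callbacks.registerSessionHandlingAction(this);
    }

    @Override
    public String getActionName() {
        // Label shown in the session handling action editor
        return "Remove cookies not set by macro";
    }

    @Override
    public void performAction(IHttpRequestResponse currentRequest,
                              IHttpRequestResponse[] macroItems) {
        // Collect the names of every cookie the macro's responses set.
        // macroItems is null when the action runs without a preceding macro;
        // in that case the set stays empty and the whole jar is cleared.
        Set<String> keep = new HashSet<>();
        if (macroItems != null) {
            for (IHttpRequestResponse item : macroItems) {
                byte[] response = item.getResponse();
                if (response == null) {
                    continue; // request never got a response
                }
                IResponseInfo info = helpers.analyzeResponse(response);
                for (ICookie c : info.getCookies()) {
                    keep.add(c.getName());
                }
            }
        }

        // Walk the jar and delete every cookie the macro did not set.
        // Matching is by name only, as the thread suggests; same-named
        // cookies on other domains are therefore retained too.
        List<ICookie> jar = callbacks.getCookieJarContents();
        for (ICookie c : jar) {
            if (keep.contains(c.getName())) {
                continue;
            }
            // Assumption: a null value tells updateCookieJar to delete.
            callbacks.updateCookieJar(new DeletedCookie(c));
        }
    }

    // Copy of an existing jar entry with its value set to null so that
    // updateCookieJar removes it (assumed legacy-API deletion convention).
    private static class DeletedCookie implements ICookie {
        private final ICookie original;

        DeletedCookie(ICookie original) {
            this.original = original;
        }

        @Override public String getDomain()     { return original.getDomain(); }
        @Override public String getPath()       { return original.getPath(); }
        @Override public Date   getExpiration() { return original.getExpiration(); }
        @Override public String getName()       { return original.getName(); }
        @Override public String getValue()      { return null; }
    }
}
```

Load the JAR as an extension, then in the session handling rule add "Run a macro" followed by "Invoke a Burp extension" pointing at this action. Because stale cookies are removed after the macro has refreshed the session, the dynamic-name cookies from earlier sessions are gone before the next request is issued, which is the effect the original poster wanted without needing to clear the jar before the macro runs.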
Michael, what issues are you having with the WAF Cookie Fetcher? Have you updated to the latest version of Burp?
I just verified that the delete cookie function still works in Burp: https://gist.github.com/pajswigger/1d528a8745c7427adabd5cd1eb21cb56
I’ve mentioned the issue to the extension author but not heard back beyond his original holding reply.