Burp Suite User Forum


Handling Multi-Staged Logins for Scan with Burp

Joshua | Last updated: Jul 09, 2015 06:23PM UTC

I am trying to automate the login process and validation of successful login via Burp Session Handling/Macros. This login requires an initial POST that includes the username/password, then, in the response to the initial POST, it asks the user to answer one of four different secondary questions (favorite color, city you live in, etc.), which you answer and send back in the second POST to complete the login process. I am struggling to find a way in Burp to have it look at the initial POST response to see which answer it should provide an answer to, and based on which question is asked provide the correct response in the second POST. Any suggestions on how to handle that type of two-stage authentication? Thanks!

PortSwigger Agent | Last updated: Jul 10, 2015 08:17AM UTC

You will probably need to use an extension to handle this situation, but this should be pretty easy. Your extension needs to register a custom session handling action, and in your code you'll need to identify what question has been asked and what modification should be made to the next request to submit the right value. You can then create a regular session handling rule that runs the login macro up to the point where the changing question is asked. Then your rule needs to call into your extension, which will receive the macro requests/responses, and be able to perform the necessary next request to complete the login.

Burp User | Last updated: Jul 14, 2015 01:37AM UTC

Hi Dafydd, Thanks for the reply. I think I understand what you are saying and have coded up a solution that is pretty close. However, I am having a hard time figuring out the best way to take the body parameters in the response from the last macro request and put that information into my request that is not in the macro but in the extension. I have looked at the best way to parse that request (and I should say that I am a Java noob) and I see a lot of references to jsoup and JTidy. How would you suggest parsing that response from the macro into variables that I can later use to construct my custom response in the extension? Almost every link I have searched for is an external library (which I don't think would work in a Burp extension anyway) and the native ways I have found on Stack Overflow have been pretty bloated (at least from my point of view). Thanks for any direction!

PortSwigger Agent | Last updated: Jul 14, 2015 07:57AM UTC

There are various helper methods in the Burp Extender that you can use for analyzing and manipulating requests:

- Use IBurpExtenderCallbacks.getHelpers() to obtain an IExtensionHelpers object.
- Use IExtensionHelpers.analyzeRequest() to analyze a request and obtain an IRequestInfo object that can provide headers/parameters etc for a request.
- Use IExtensionHelpers.updateParameter() to update a parameter value in a request.

In general, have a good read of the Javadoc for the above and associated APIs: https://portswigger.net/burp/extender/api/index.html
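A sketch of the session handling action discussed in the posts above, as an added example that is not code from the thread or from PortSwigger. It uses the legacy Extender API calls named in the replies; the question fragments, answers, the `answer` parameter name and the `/login/challenge` path are hypothetical and stand in for the target application's real values.

```java
package burp;

import java.net.URL;
import java.util.LinkedHashMap;
import java.util.Map;

public class BurpExtender implements IBurpExtender, ISessionHandlingAction {
    // Hypothetical test-account data: question fragment (lower case) -> answer.
    private static final Map<String, String> ANSWERS = new LinkedHashMap<>();
    static {
        ANSWERS.put("favorite color", "blue");
        ANSWERS.put("city you live in", "Springfield");
    }
    private static final String CHALLENGE_PATH = "/login/challenge"; // hypothetical
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;
    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.registerSessionHandlingAction(this);
    }
    @Override
    public String getActionName() { return "Answer login challenge question"; }
    @Override
    public void performAction(IHttpRequestResponse current, IHttpRequestResponse[] macroItems) {
        if (macroItems == null || macroItems.length == 0) return;
        IHttpRequestResponse last = macroItems[macroItems.length - 1];
        if (last.getResponse() == null) return;
        IResponseInfo info = helpers.analyzeResponse(last.getResponse());
        String body = helpers.bytesToString(last.getResponse())
                .substring(info.getBodyOffset()).toLowerCase();
        for (Map.Entry<String, String> qa : ANSWERS.entrySet()) {
            if (!body.contains(qa.getKey())) continue;
            try {
                URL url = new URL(helpers.analyzeRequest(last).getUrl(), CHALLENGE_PATH);
                byte[] req = helpers.toggleRequestMethod(helpers.buildHttpRequest(url)); // POST
                req = helpers.addParameter(req, helpers.buildParameter(
                        "answer", qa.getValue(), IParameter.PARAM_BODY)); // hypothetical name
                for (ICookie c : info.getCookies()) // carry stage-one session cookies
                    req = helpers.addParameter(req, helpers.buildParameter(
                            c.getName(), c.getValue(), IParameter.PARAM_COOKIE));
                callbacks.makeHttpRequest(last.getHttpService(), req);
            } catch (java.net.MalformedURLException e) { callbacks.printError("Bad challenge URL: " + e); }
            return;
        }
        callbacks.printError("Login challenge question not recognised");
    }
}
```

The session handling rule runs the macro up to the first POST and then invokes this action, which receives that macro's requests and responses in `macroItems`.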

PortSwigger Agent | Last updated: Jul 14, 2015 08:04AM UTC

You might need to construct your own object that implements ICookie and give it all the required details that Burp is expecting to receive from the getter methods. When you call a Burp API that takes an interface type as a parameter, in general there is no requirement to supply an object that was originally created by Burp - you can supply your own implementation. I would have thought that requests you make via the callback method makeHttpRequest() would update the cookie jar if you have checked the Extender box at Options / Cookie Jar. Do you believe this was not happening? You can use the sessions tracer to monitor everything that goes on when your requests are being processed.

Burp User | Last updated: Jul 15, 2015 08:50PM UTC

OK, one last hurdle to get this working I believe. When I try to add the cookies received in my custom response to the cookie jar, it fails. Specifically, the error I get when trying to add cookies to the cookie jar is:

```
Exception parsing cookies: java.lang.NullPointerException: Domain cannot be null
```

Since there are no setter methods for the ICookie objects, I didn't know how to set the domain properly. What is the proper way to set the Domain cookie value for an ICookie object? Here is the code where I am parsing and trying to add the cookies to the cookie jar for reference:

```java
// Send the custom request and parse the cookies out of its response
IResponseInfo response_custom = _currentHelpers.analyzeResponse(
        _currentCallbacks.makeHttpRequest("domain.com", 443, true, post_request_01.getBytes()));
List<ICookie> response_custom_cookies = response_custom.getCookies();
for (int j = 0; j < response_custom_cookies.size(); j++) {
    try {
        stdout.printf("Cookie name is: %s\n", response_custom_cookies.get(j).getName());
        stdout.printf("Cookie value is: %s\n", response_custom_cookies.get(j).getValue());
        stdout.printf("Cookie domain is: %s\n", response_custom_cookies.get(j).getDomain());
        stdout.printf("Cookie expiration is: %s\n", response_custom_cookies.get(j).getExpiration());
        // Add the parsed cookie to Burp's cookie jar
        _currentCallbacks.updateCookieJar(response_custom_cookies.get(j));
    } catch (Exception e) {
        stdout.printf("Exception parsing cookies: %s\n", e);
        stdout.printf("Cookie name with issue is: %s\n", response_custom_cookies.get(j).getName());
    }
}
```

Thanks!

Burp User | Last updated: Jul 16, 2015 04:13AM UTC

I should have also mentioned that I made sure that Extender was using the cookie jar and the scope was properly set on the session handling rule. I thought having Extender using the cookie jar would have solved this on the fly, but that hasn't been my experience. Thank you!

Burp User | Last updated: Jul 16, 2015 03:00PM UTC

Hi Dafydd, I believe the issue is related to this phrase from ICookie.java:

```java
 * For cookies that have been analyzed from responses (by calling
 * <code>IExtensionHelpers.analyzeResponse()</code> and then
 * <code>IResponseInfo.getCookies()</code>, the domain will be
 * <code>null</code> if the response did not explicitly set a domain
 * attribute for the cookie.
```

So .getDomain() was returning a null value which broke the .updateCookieJar() method. A coworker helped me write a quick override class to force in the value we wanted for the domain and things are working correctly now. Just out of curiosity, any reason there is not a setter method in the ICookie class? I am too new to Java to know if that is a bad idea, sorry. Thank you for the help, have a good rest of your week!

PortSwigger Agent | Last updated: Jul 17, 2015 07:35AM UTC

Yes, that sounds like what was going on. The reason that ICookie doesn't have any setters is that in its normal usage it is used for value objects that are defined at creation and don't change. In general, for data/value objects, immutability is a good thing and helps avoid all kinds of bugs. For cases like this, good practice is to make your value objects immutable and in the situations where you need a different value to create a new object (partially cloned from the original). All rules of thumb like this have exceptions, and you often need to judge the best approach based on the ways in which an object will be used. It should involve minimal overhead for your extension to create a new object that implements ICookie with the values that you need.
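The immutable-copy approach described in the reply above, as an added example that is not the poster's override class or PortSwigger's code. `DomainCookie` and `storeCookies` are hypothetical names, and the sketch assumes the legacy Extender API in which `ICookie` also exposes `getPath()`.

```java
package burp;

import java.util.Date;

/** Immutable ICookie copy that always carries a domain (hypothetical helper class). */
public final class DomainCookie implements ICookie {
    private final String domain, path, name, value;
    private final Date expiration;

    public DomainCookie(ICookie parsed, String requestHost) {
        // Keep a domain the server set explicitly. Otherwise fall back to the exact
        // host that issued the cookie rather than a broader parent domain.
        this.domain = parsed.getDomain() != null ? parsed.getDomain() : requestHost;
        if (this.domain == null) {
            throw new IllegalArgumentException("no domain for cookie " + parsed.getName());
        }
        this.path = parsed.getPath();
        this.name = parsed.getName();
        this.value = parsed.getValue();
        // Date is mutable, so store a private copy (null means a session cookie).
        this.expiration = parsed.getExpiration() == null
                ? null : new Date(parsed.getExpiration().getTime());
    }

    @Override public String getDomain() { return domain; }
    @Override public String getPath()   { return path; }
    @Override public String getName()   { return name; }
    @Override public String getValue()  { return value; }
    @Override public Date getExpiration() {
        return expiration == null ? null : new Date(expiration.getTime());
    }

    /** Adds every cookie set by a response to Burp's cookie jar, filling in missing domains. */
    public static void storeCookies(IBurpExtenderCallbacks callbacks, IHttpRequestResponse exchange) {
        if (exchange.getResponse() == null) return;
        String host = exchange.getHttpService().getHost();
        IResponseInfo info = callbacks.getHelpers().analyzeResponse(exchange.getResponse());
        for (ICookie parsed : info.getCookies()) {
            callbacks.updateCookieJar(new DomainCookie(parsed, host));
        }
    }
}
```

Passing the `IHttpRequestResponse` returned by `makeHttpRequest(IHttpService, byte[])` to `storeCookies` avoids the `Domain cannot be null` exception quoted earlier in the thread.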
