Update Header in Session Handling/Macros

Conor Walsh Jan 05, 2016 06:51PM UTC

Hello,

I'm working on an application that uses a CSRF token for the login forms. The token is a hidden value in the webpage:

E.g. <input name="CSRFToken" type="hidden" value="ZIlN2m8eqXX4mWOJr3wkNLGeobE2oUqGBaeKpYWaJe1yK7oQKRx8H2A-8X6rqiMIM7nQNwGPI1uryEA-3wWh5iii_kbq-Pkfp-z9uR5eGnxRCOkE0" />

The token is then applied to the subsequent login as an HTML Header:

...
Content-Type: application/json; charset=utf-8
CSRFToken: 0f5K-xylZwaz3jY4hVfMleNQ22Plbd0GD5kW3980JxANf_qG77kKW0FHtrOkRjdNGdhjF4tjQyAOppeZB8IgpuWqJJsK12xuzlFE3oS_mYITKeUI0
X-Requested-With: XMLHttpRequest
...

And following a valid login, you receive a session cookie.


Currently, from what I understand, the session handling and macros only apply to cookies and parameters. Would it be possible to have these rules apply to other areas of the request?

I'm currently attempting to write an Extension to handle this functionality, but it seems viable enough to be a stock option.

Thanks,
Conor


Dafydd Stuttard Jan 06, 2016 09:27AM UTC Support Center agent

Currently, Burp’s native session handling rules don’t operate on request headers. We do have this feature request captured in our backlog, but we can’t currently promise an ETA for the feature, sorry.


Conor Jan 06, 2016 04:49PM UTC
Understandable. I was able to write the extension code quite easily, but I've run into another hurdle imposed by this, wondering if you can think of any solutions.

So, I can retrieve the above value from the macro Response, and add it to a headers array. The issue is that the request requiring the header is not in the list of requests handed to "performAction()". i.e.:

currentRequest: the request in the Scanner queue that "failed session validity"
macroItems[0]: the request used to grab CSRF token

I need to append the CSRF token to a third request, along with a username and password to authenticate, and subsequently update the cookiejar with a valid session token.

How can I access a "stored" request to modify then send to authenticate? The best solution I see would be if Extensions can access macro requests without them having to be initially sent.

Options I can see:

1. Static request stored in extension code:
Bad, as I don't want to have to edit the code, then reload the extension every time I need to change something
2. Send login request macro before running extension:
Solves my problem, but more expensive than I like, as I don't actually need to send this request yet
3. Code text/request input into my extension:
Time consuming, this tool is just for me and a coworker, don't need to waste time on pretty UI code
4. Send request tooltip:
Is it possible to add a drop down option to "Send Request to MyExtension" like you do for Repeater/Intruder?


I'll probably go with option 2 if all else fails, but I want to see if you have any better ideas.

Thanks!


Dafydd Stuttard Jan 07, 2016 09:52AM UTC Support Center agent

Ideally, as you say, you would include the authentication request within the macro and your extension would be able to modify the macro request before it is sent. One way to possibly achieve this would be to register an IHttpListener, which will give your code access to all requests made by all tools. You could use this to track the latest token observed in a response, and to update the relevant header with this value in relevant requests. This approach might mean that you just need to execute your recovery macro when the session is invalid, and let your IHttpListener fix the header when the macro is run. Then you might not need the custom session handling action at all.

Regarding “Send to my extension” items on the context menu, you can do this by registering an IContextMenuFactory. Burp will call into your extension when the context menu is invoked, with details of the invocation event, and you can return any context menu items that are applicable for that invocation:

https://portswigger.net/burp/extender/api/burp/IContextMenuFactory.html

Hope that helps.


Wouter Jun 05, 2018 11:11AM UTC
Any progress on this feature request? I know header manipulation can be done with a plugin, but I think this should be default functionality to make life easier :) Searching Google shows this question has been requested several times over the years, for example: https://support.portswigger.net/customer/portal/questions/11698880-how-do-i-change-a-http-header-value-for-active-scan-with-stored-state-file-.

Sruthi Dec 07, 2018 09:49AM UTC
@Wouter, could you specify which plugin you use to make this happen? I tried different extensions and none are working fine for me.
Add custom header finally worked when the request did not have the x-csrf header at all.
For the requests where the header was present, it was not deleting and adding the new value.
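The token-tracking approach Dafydd describes above (an IHttpListener that remembers the newest token seen in any response and refreshes the header in relevant requests) can be demonstrated without Burp. The following is an added example, not code from this thread or from PortSwigger: the core logic is written as plain Python over raw HTTP bytes, with the Jython `processHttpMessage` wiring left as a comment. It also covers the failure mode Sruthi reports, by replacing an existing CSRFToken header in place (and dropping stale duplicates) rather than only adding one when it is absent. The header name, the hidden field name, the `/api/login` path scope and all sample messages are assumptions constructed for the example.

```python
import re
from typing import Iterable, Optional

# Constructed sample traffic (not from the thread). The response carries the
# hidden CSRFToken input; the login requests must carry that value as a header.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b'<html><body><form method="post" action="/login">'
    b'<input type="hidden" name="CSRFToken" value="TOKEN-FROM-PAGE-0001" />'
    b"</form></body></html>"
)
SAMPLE_REQUEST_STALE = (            # header present but out of date
    b"POST /api/login HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Type: application/json; charset=utf-8\r\n"
    b"CSRFToken: STALE-TOKEN-0000\r\n"
    b"X-Requested-With: XMLHttpRequest\r\n"
    b"\r\n"
    b'{"user":"alice","pass":"hunter2"}'
)
SAMPLE_REQUEST_NO_HEADER = (        # header missing entirely
    b"POST /api/login HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Type: application/json; charset=utf-8\r\n"
    b"\r\n"
    b'{"user":"alice","pass":"hunter2"}'
)
SAMPLE_REQUEST_UNRELATED = (        # out of scope; must be left untouched
    b"GET /static/logo.png HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"\r\n"
)

INPUT_TAG_RE = re.compile(rb"<input\b[^>]*>", re.I)
ATTR_RE = re.compile(rb'([\w-]+)\s*=\s*"([^"]*)"')


def extract_hidden_token(html: bytes, field: bytes) -> Optional[bytes]:
    """Return the value of <input name=FIELD ...>, whatever the attribute order."""
    for tag in INPUT_TAG_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if attrs.get(b"name") == field and attrs.get(b"value"):
            return attrs[b"value"]
    return None


class CsrfTokenTracker:
    """Remembers the newest token seen in any response and stamps it into requests.

    Assumed Burp wiring (Jython): inside IHttpListener.processHttpMessage, call
    observe_response(messageInfo.getResponse()) when messageIsRequest is False,
    and messageInfo.setRequest(rewrite_request(messageInfo.getRequest())) when
    it is True. Nothing below depends on the Burp API.
    """

    def __init__(self, header: bytes = b"CSRFToken", field: bytes = b"CSRFToken",
                 paths: Iterable[bytes] = (b"/api/login",)):
        self.header = header
        self.field = field
        self.paths = tuple(paths)   # requests that need the header even when absent
        self.latest_token: Optional[bytes] = None

    def observe_response(self, raw_response: bytes) -> Optional[bytes]:
        _, _, body = raw_response.partition(b"\r\n\r\n")
        token = extract_hidden_token(body, self.field)
        if token:
            self.latest_token = token   # newest token wins
        return self.latest_token

    def rewrite_request(self, raw_request: bytes) -> bytes:
        if self.latest_token is None:
            return raw_request          # nothing observed yet; leave untouched
        head, sep, body = raw_request.partition(b"\r\n\r\n")
        request_line, *headers = head.split(b"\r\n")
        parts = request_line.split(b" ")
        path = parts[1] if len(parts) >= 3 else b""
        in_scope = any(path.startswith(p) for p in self.paths)
        fresh = self.header + b": " + self.latest_token
        kept = [request_line]
        replaced = False
        for line in headers:
            name = line.partition(b":")[0].strip().lower()
            if name == self.header.lower():
                if not replaced:        # refresh the first copy in place ...
                    kept.append(fresh)
                    replaced = True
                continue                # ... and drop any stale duplicates
            kept.append(line)
        if not replaced:
            if not in_scope:
                return raw_request      # unrelated request: no header injected
            kept.append(fresh)          # header was absent: add it once
        return b"\r\n".join(kept) + sep + body
```

Keeping the header's original position (rather than appending a second copy) is what avoids the "present but not replaced" symptom: a request that already carried the header ends up with exactly one copy holding the latest token, the body and other headers are untouched, and requests outside the configured paths are passed through unchanged.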
