Update Header in Session Handling/Macros
I'm working on an application that uses a CSRF token for the login forms. The token is a hidden value in the webpage:
E.g. <input name="CSRFToken" type="hidden" value="ZIlN2m8eqXX4mWOJr3wkNLGeobE2oUqGBaeKpYWaJe1yK7oQKRx8H2A-8X6rqiMIM7nQNwGPI1uryEA-3wWh5iii_kbq-Pkfp-z9uR5eGnxRCOkE0" />
The token is then applied to the subsequent login as an HTML Header:
Content-Type: application/json; charset=utf-8
And following a valid login, you receive a session cookie.
Currently, from what I understand, the session handling and macros only apply to cookies and parameters. Would it be possible to have these rules apply to other areas of the request?
I'm currently attempting to write an Extension to handle this functionality, but it seems viable enough to be a stock option.
Currently, Burp’s native session handling rules don’t operate on request headers. We do have this feature request captured in our backlog, but we can’t currently promise an ETA for the feature, sorry.
So, I can retrieve the above value from the macro Response, and add it to a headers array. The issue is that the request requiring the header is not in the list of requests handed to "performAction()". i.e.:
currentRequest: the request in the Scanner queue that "failed session validity"
macroItems: the request used to grab CSRF token
I need to append the CSRF token to a third request, along with a username and password to authenticate, and subsequently update the cookiejar with a valid session token.
How can I access a "stored" request to modify then send to authenticate? The best solution I see would be if Extensions can access macro requests without them having to be initially sent.
Options I can see:
1. Static request stored in extension code:
Bad, as I don't want to have to edit the code, then reload the extension every time I need to change something
2. Send login request macro before running extension:
Solves my problem, but more expensive than I like, as I don't actually need to send this request yet
3. Code text/request input into my extension:
Time consuming, this tool is just for me and a coworker, don't need to waste time on pretty UI code
4. Send request tooltip:
Is it possible to add a drop down option to "Send Request to MyExtension" like you do for Repeater/Intruder?
I'll probably go with option 2 if all else fails, but I want to see if you have any better ideas.
Ideally, as you say, you would include the authentication request within the macro and your extension would be able to modify the macro request before it is sent. One way to possibly achieve this would be to register an IHttpListener, which will give your code access to all requests made by all tools. You could use this to track the latest token observed in a response, and to update the relevant header with this value in relevant requests. This approach might mean that you just need to execute your recovery macro when the session is invalid, and let your IHttpListener fix the header when the macro is run. Then you might not need the custom session handling action at all.
Regarding “Send to my extension” items on the context menu, you can do this by registering an IContextMenuFactory. Burp will call into your extension when the context menu is invoked, with details of the invocation event, and you can return any context menu items that are applicable for that invocation:
Hope that helps.
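As an added illustration of the two suggestions in the reply above (this is example code written for this page, not code from the thread or from PortSwigger), the extension below uses Burp's legacy Extender API: an IHttpListener that remembers the newest token seen in any response and rewrites the token header on outgoing requests, plus an IContextMenuFactory that adds "send to my extension" items for saving a login request and replaying it with the current token. Assumptions not stated in the thread: the header is called `X-CSRF-Token` (the original post does not name it), the token is extracted with a regex built from the `<input name="CSRFToken" ... value="...">` snippet in the question, and the token is only ever inserted into requests to the host that issued it so it is not sprayed at unrelated hosts.

```java
package burp;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.swing.JMenuItem;

public class BurpExtender implements IBurpExtender, IHttpListener, IContextMenuFactory {
    // Assumption: the thread never names the token header, so one is chosen here.
    private static final String TOKEN_HEADER = "X-CSRF-Token";
    // Built from the hidden input shown in the question: <input name="CSRFToken" ... value="..." />
    private static final Pattern TOKEN_PATTERN =
            Pattern.compile("name=\"CSRFToken\"[^>]*value=\"([^\"]+)\"");

    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;
    private volatile String tokenHost;                   // host that issued the token
    private volatile String latestToken;                 // newest token seen in any response
    private volatile IHttpRequestResponse loginTemplate; // login request saved from the context menu

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("CSRF header updater (example)");
        callbacks.registerHttpListener(this);
        callbacks.registerContextMenuFactory(this);
    }

    // IHttpListener: sees every request and response from every Burp tool, macros included.
    @Override
    public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo) {
        if (messageIsRequest) {
            byte[] rewritten = withFreshToken(messageInfo);
            if (rewritten != null) {
                messageInfo.setRequest(rewritten);
            }
            return;
        }
        byte[] response = messageInfo.getResponse();
        if (response == null) {
            return;
        }
        IResponseInfo info = helpers.analyzeResponse(response);
        Matcher m = TOKEN_PATTERN.matcher(helpers.bytesToString(response).substring(info.getBodyOffset()));
        if (m.find()) {
            tokenHost = messageInfo.getHttpService().getHost();
            latestToken = m.group(1);
            callbacks.printOutput("Captured CSRF token from " + tokenHost);
        }
    }

    // Returns the request with TOKEN_HEADER replaced (or added) and set to the latest token,
    // or null when no token has been captured yet or the request targets a different host.
    private byte[] withFreshToken(IHttpRequestResponse messageInfo) {
        String token = latestToken;
        String host = tokenHost;
        if (token == null || host == null || !host.equalsIgnoreCase(messageInfo.getHttpService().getHost())) {
            return null;
        }
        byte[] request = messageInfo.getRequest();
        IRequestInfo info = helpers.analyzeRequest(request);
        List<String> headers = new ArrayList<String>();
        for (String h : info.getHeaders()) {
            // Header names are case-insensitive; drop every existing copy so a stale value
            // is not left sitting beside the new one.
            if (!h.regionMatches(true, 0, TOKEN_HEADER + ":", 0, TOKEN_HEADER.length() + 1)) {
                headers.add(h);
            }
        }
        headers.add(TOKEN_HEADER + ": " + token);
        byte[] body = Arrays.copyOfRange(request, info.getBodyOffset(), request.length);
        return helpers.buildHttpMessage(headers, body);
    }

    // IContextMenuFactory: the "Send Request to MyExtension" items asked about in the thread.
    @Override
    public List<JMenuItem> createMenuItems(IContextMenuInvocation invocation) {
        final IHttpRequestResponse[] selected = invocation.getSelectedMessages();
        if (selected == null || selected.length != 1) {
            return null;
        }
        List<JMenuItem> items = new ArrayList<JMenuItem>();
        JMenuItem save = new JMenuItem("Save as login request for CSRF updater");
        save.addActionListener(e -> loginTemplate = callbacks.saveBuffersToTempFiles(selected[0]));
        items.add(save);
        JMenuItem replay = new JMenuItem("Replay saved login with fresh CSRF token");
        replay.addActionListener(e -> new Thread(this::replayLogin).start()); // keep off the Swing thread
        items.add(replay);
        return items;
    }

    // Re-sends the saved login request with the current token and reports the status code.
    private void replayLogin() {
        IHttpRequestResponse template = loginTemplate;
        if (template == null) {
            callbacks.printError("No login request saved yet");
            return;
        }
        byte[] request = withFreshToken(template);
        if (request == null) {
            callbacks.printError("No token captured yet for " + template.getHttpService().getHost());
            return;
        }
        IHttpRequestResponse result = callbacks.makeHttpRequest(template.getHttpService(), request);
        callbacks.printOutput("Login replay status: " + helpers.analyzeResponse(result.getResponse()).getStatusCode());
    }
}
```

Because the listener removes every existing copy of the header before appending the new one, a request that already carries a stale token gets the fresh value rather than a second header; with this in place the recovery macro only needs to fetch the login page and send the login request, and the listener patches the header as the macro runs.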
Add custom header finally worked when the request did not have the x-csrf header at all.
For the requests where the header was present, it was not deleting and adding the new value.