Burp Suite User Forum


Java ViewState SSO burp scanner

chrom | Last updated: May 12, 2016 12:51PM UTC

Hello, I am facing an issue related to session handling while scanning an application. Specifically, the scanner uses an old viewState value inherited from the spider session, which results in de-authentication of the client. The application login is SSO and uses SAMLRequests for initial session creation:

1. Go to the login page (A) and post the credentials.
2. The server verifies the validity of the credentials and provides a SAMLResponse string.
3. POST the SAMLResponse (obtained in step 2) to the page where the actual application is (B).
4. Application B sets a JSESSIONID cookie, and then the client uses this to communicate with the application.

Any ideas on what to do to scan the application successfully?

PortSwigger Agent | Last updated: May 13, 2016 08:27AM UTC

Are you able to use Burp's session handling rules to ensure your session is valid? You'll need to create a macro that performs the login sequence from a clean/new session, and obtain the required cookie and any other parameter values (such as the viewState) that are needed to make a valid "attack" request. If you can get a macro working to do this, you can then make a session handling rule to run the macro before each Scanner request to relevant URLs.
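When the built-in "update current request with parameters matched from final macro response" option cannot pick up the viewState, a custom session handling action can do the extraction itself. The following Burp Extender (legacy `burp` API) class is an added example written for this thread, not PortSwigger's own code; it assumes the hidden field is literally named `viewState` and the session cookie `JSESSIONID`, as described in the question, and that the session handling rule runs the login macro (steps 1-4) before invoking this action.

```java
package burp;

import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Custom session handling action for the SSO flow in the thread: after the login
// macro (steps 1-4) runs, copy the fresh JSESSIONID and viewState from the macro
// responses into the scanner request, so it is never sent with stale spider values.
public class BurpExtender implements IBurpExtender, ISessionHandlingAction {
    // Assumed names: the thread says "viewState" and JSESSIONID; adjust to the app.
    private static final String VIEWSTATE_PARAM = "viewState";
    private static final String SESSION_COOKIE = "JSESSIONID";
    private static final Pattern VIEWSTATE_RE = Pattern.compile(
            "name=\"" + VIEWSTATE_PARAM + "\"[^>]*\\bvalue=\"([^\"]*)\"");
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        helpers = callbacks.getHelpers();
        callbacks.setExtensionName("SSO viewState session action");
        callbacks.registerSessionHandlingAction(this); // then select it in a session handling rule
    }

    @Override
    public String getActionName() { return "Refresh JSESSIONID and viewState from login macro"; }

    @Override
    public void performAction(IHttpRequestResponse currentRequest, IHttpRequestResponse[] macroItems) {
        if (macroItems == null || macroItems.length == 0) return; // rule ran without a macro
        byte[] request = currentRequest.getRequest();
        String sessionId = null, viewState = null;
        for (IHttpRequestResponse item : macroItems) {            // later macro items win
            byte[] resp = item.getResponse();
            if (resp == null) continue;
            IResponseInfo info = helpers.analyzeResponse(resp);
            for (ICookie c : info.getCookies())
                if (SESSION_COOKIE.equals(c.getName())) sessionId = c.getValue(); // set by app B in step 4
            Matcher m = VIEWSTATE_RE.matcher(helpers.bytesToString(resp).substring(info.getBodyOffset()));
            if (m.find()) viewState = m.group(1);                // hidden field of the post-login page
        }
        if (sessionId != null) request = setParam(request, SESSION_COOKIE, sessionId, IParameter.PARAM_COOKIE);
        // Only replace viewState where the request already carries one; requests without it are untouched.
        for (IParameter p : helpers.analyzeRequest(request).getParameters())
            if (viewState != null && VIEWSTATE_PARAM.equals(p.getName()))
                request = setParam(request, VIEWSTATE_PARAM, viewState, p.getType());
        currentRequest.setRequest(request);
    }

    // Update the parameter if present, otherwise add it (updateParameter only changes existing values).
    private byte[] setParam(byte[] request, String name, String value, byte type) {
        String v = type == IParameter.PARAM_COOKIE ? value : helpers.urlEncode(value);
        IParameter param = helpers.buildParameter(name, v, type);
        for (IParameter p : helpers.analyzeRequest(request).getParameters())
            if (p.getType() == type && name.equals(p.getName())) return helpers.updateParameter(request, param);
        return helpers.addParameter(request, param);
    }
}
```

Load the compiled JAR in Extender, then in Project options > Sessions add a rule scoped to the scanner and the application's URLs whose actions are "Run a macro" (the login macro) followed by "Invoke a Burp extension" pointing at this action.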

Burp User | Last updated: May 16, 2016 10:05PM UTC

Thanks for your response. This is what I have been trying to do for the last day, without much success though. I will let you know once I do it (or not :).
