Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Extension for session handling not loaded

Jan | Last updated: May 12, 2017 09:37AM UTC

Hi, I use Extensions together with Makros and Makro-Postprocessing Extensions (for Session Management und Relogin). Generell the concept works. From time to time (every other our) I get alerts ("Configured Burp extension session handling is not loaded: ...") To fix this, I currently reconfigure the Session handling rule to remove the extension action handler, restarts burp, add the session handler again and restart again. This is quite annoying. I don't understand the reason while the session handling is not loaded, currently not. Maybe there is some problem during loading, an exception is thrown or something. Could somebody tell, what method to look, what Exception to catch, to fix this problem? Kind Regards Jan

PortSwigger Agent | Last updated: May 15, 2017 10:18AM UTC

Thanks for this report. When this problem occurs, is your extension still loaded correctly? So the only problem is that the configured session handling rule has lost its association with the extension-provided action? Or has the extension itself failed to load for some reason?

Burp User | Last updated: May 15, 2017 08:11PM UTC

Hi Dafydd, The extension itself is there and works (but without the sessionhandling not really useful) I start the extension from my IDE (Eclipse). Only the association is lost in a bad way. In the alert section I got the info, that there is the problem, but I don't see any exception/message related to the root cause.

Burp User | Last updated: May 16, 2017 05:13AM UTC

One additional info: sometimes (like 1 in 5) the alert section does not disploay the real name, but just displays nul Configured Burp extension session handling is not loaded: null although the corresponding method just returns a constant string. The constructor of the SessionHandlingAction just does this: this.callbacks = callback; I need the callback for later processing.

Burp User | Last updated: May 16, 2017 05:51AM UTC

Hi Dafydd, one additional info could be important: At the beginning I need to do a login. For some reasons related to cookie management I cannot hardcode the necessary calls but use a makro and call my postprocessing with session management rules. I use the "workaround" that you decribed somewhere else and call a defined URL that triggers the makro. Maybe this is really a bad workaround and causes the problems? I basically need the makro because of the powerful Cookie.Jar In the API of "getCookieJarContents" it is document we should only get and update the Cookie.jar with Extension of ISessionHandlingAction. If I could extract the cookies via API from my initialisation phase maybe I could get around the makro. A first test shows, I only get a empty cookie list. Do you have a recommendation for me how to handle my automated login?

PortSwigger Agent | Last updated: May 16, 2017 07:51AM UTC

Thanks for the further detail. We'll investigate this further and try to reproduce the problem you observed. Regarding getCookieJarContents() and updateCookieJar(), you can call these from anywhere in your code. There is no restriction to only calling them from within session handling actions - that is just mentioned in the documentation as an example of a common use case.

Burp User | Last updated: May 17, 2017 01:16PM UTC

Hi Dafydd, thanks for the info. I now could workaround the issue. Thanks to direct access to the cookieJar I don't need the makros anymore. So there is currently no urgent problem. This is also better for code sharing with team colleagues. The makros are in huge persistence files and I cannot export them as configuration file. This could be something for improvement.

PortSwigger Agent | Last updated: May 17, 2017 03:45PM UTC

Glad you got things working. It should be possible to create a simple configuration file containing your macros. Go to the macros options, click the "gear" button, and select "save options". This will create a JSON-based config files for just the macro options, which can easily be shared and loaded into another instance of Burp.

Mike, PortSwigger Agent | Last updated: May 25, 2017 12:54PM UTC

Hi Jan We've been investigating the issue with the extension-provided session rule not loading and, as far as we can see, Burp is operating correctly. When the Burp session rule is created the extension-provided rule name is stored. Every time the session rule is triggered it looks up the rule from the name. If the extension is loaded, its rule will be associated with that name and the rule will run. When Burp starts up it can take a considerable period of time for all the extensions to load, especially if there are a lot of python or ruby extensions. If the session rule is triggered during this time and your extension has not yet loaded, the rule will not run and you will see the alert. As soon as your extension has loaded, its session rule will be registered and it will run the next time the session rule is triggered. There is no need to remove or re-add the session rule or restart Burp. Hope that helps.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.