Burp Suite User Forum


Macro - Clear Cookie Jar

Laurent | Last updated: Jun 07, 2017 09:50AM UTC

Hello, I would like a feature in Macro: the ability to clear the cookie jar. I have tested a WAF that sets several cookies (with a name that is NOT constant) and being able to clear the cookie jar would be very helpful. (In another case, I tested a web app that added a new cookie in every 10 requests, with the format cookie_name_{12 alphanum char}. This meant that, after 100ish requests, the browser would issue requests that are too big and be rejected by the server. I doubt this case was reached via normal browsing, but it was reached easily when scanning the system.) Thank you

PortSwigger Agent | Last updated: Jun 07, 2017 09:52AM UTC

There isn't a built-in mechanism, but you could write a simple extension to do this. The extension would implement the ISessionHandlingAction interface, call getCookieJarContents(), iterate through, set value to null, and call updateCookieJar(). Please let us know if you need any further assistance.

Burp User | Last updated: Apr 03, 2019 05:24PM UTC

How does one go about performing the following in a Python extension? Can I get explicit code? I cannot seem to instantiate an ICookie object. The extension would implement the ISessionHandlingAction interface, call getCookieJarContents(), iterate through, set value to null, and call updateCookieJar().

Burp User | Last updated: Apr 03, 2019 05:44PM UTC

That didn't take long... took the following from https://github.com/bao7uo/waf-cookie-fetcher/blob/master/waf-cookie-fetcher.py

```python
from burp import ICookie


class Cookie(ICookie):
    # Plain ICookie implementation: Burp reads the cookie through these getters.

    def getDomain(self):
        return self.cookie_domain

    def getPath(self):
        return self.cookie_path

    def getExpiration(self):
        return self.cookie_expiration

    def getName(self):
        return self.cookie_name

    def getValue(self):
        return self.cookie_value

    def __init__(self, cookie_domain=None, cookie_name=None, cookie_value=None,
                 cookie_path=None, cookie_expiration=None):
        self.cookie_domain = cookie_domain
        self.cookie_name = cookie_name
        self.cookie_value = cookie_value
        self.cookie_path = cookie_path
        self.cookie_expiration = cookie_expiration
```

Then use the following to nuke every cookie...

```python
# Inside a method of the extension class, where self.callbacks is the
# IBurpExtenderCallbacks object passed to registerExtenderCallbacks().
cookies = self.callbacks.getCookieJarContents()
for cookie in cookies:
    # Same domain/name/path, but a None value.
    new_cookie = Cookie(cookie.getDomain(), cookie.getName(), None,
                        cookie.getPath(), cookie.getExpiration())
    self.callbacks.updateCookieJar(new_cookie)
```

Liam, PortSwigger Agent | Last updated: Apr 04, 2019 12:45PM UTC

Thanks for the update Ryan. Please let us know if you need any further assistance.

Vinay | Last updated: Aug 12, 2021 08:35AM UTC

Hi Team, I'm now having the requirement to clear the Burp Cookie Jar. Can you please provide the working python code or other possibilities to clear the cookie jar when using session handling rules? Thanks

Hannah, PortSwigger Agent | Last updated: Aug 12, 2021 09:06AM UTC

Hi Vinay, did you try the code that the previous user provided?

Vinay | Last updated: Aug 15, 2021 02:01PM UTC

Hi Hannah, Yes, I have tried to load the .py file on the Burp Suite Professional v2021.8.1 but it got errors while loading. Could you share the working code? Thanks

Hannah, PortSwigger Agent | Last updated: Aug 16, 2021 12:00PM UTC

Hi Vinay, I've put together the code from the previous user for you. You can find it here: https://github.com/HannahLaw-Portswigger/DeleteCookies
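A complete session handling action along the lines described in this thread, as an added example (not code from the thread or from the linked repository). The `ONLY_DOMAIN` filter, the `clear_jar` helper and the stand-in classes used when the module is loaded outside Burp are assumptions of this example.

```python
# Added example; targets Jython 2.7 inside Burp (legacy Extender API).
try:
    from burp import IBurpExtender, ISessionHandlingAction, ICookie
except ImportError:
    # Outside Burp (offline test run): empty stand-ins for the API interfaces.
    class IBurpExtender(object): pass
    class ISessionHandlingAction(object): pass
    class ICookie(object): pass

# Assumption: optional domain filter. None clears every cookie in the jar.
ONLY_DOMAIN = None


class Cookie(ICookie):
    """Minimal ICookie implementation exposing the five getters."""
    def __init__(self, domain, name, value, path=None, expiration=None):
        self._d, self._n, self._v = domain, name, value
        self._p, self._e = path, expiration
    def getDomain(self): return self._d
    def getName(self): return self._n
    def getValue(self): return self._v
    def getPath(self): return self._p
    def getExpiration(self): return self._e


class BurpExtender(IBurpExtender, ISessionHandlingAction):
    def registerExtenderCallbacks(self, callbacks):
        self.callbacks = callbacks
        callbacks.setExtensionName("Clear cookie jar")
        # Makes the action available to session handling rules.
        callbacks.registerSessionHandlingAction(self)

    def getActionName(self):
        return "Clear cookie jar"

    def performAction(self, currentRequest, macroItems):
        self.clear_jar()

    def clear_jar(self, only_domain=ONLY_DOMAIN):
        removed = 0
        # Snapshot the jar first, since it is modified inside the loop.
        for c in list(self.callbacks.getCookieJarContents()):
            if only_domain and c.getDomain() != only_domain:
                continue
            # Same domain/name/path with a null value, as described above.
            self.callbacks.updateCookieJar(Cookie(
                c.getDomain(), c.getName(), None, c.getPath(), c.getExpiration()))
            removed += 1
        return removed
```

Load the file as a Python extension, then add the action to a session handling rule with "Invoke a Burp extension".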
