Burp Suite User Forum


Compare site maps with different Cookies

Christian | Last updated: Aug 28, 2017 06:16PM UTC

I have an application with Basic Authentication as login. If access is granted, the user is tracked by cookie (PHPSESSID). The application was spidered and scanned as admin user. Now I want to compare the site map with one from another user (less privileges). Since it is not useful to do all the spidering again (could be that some URL is missing), I want to compare this saved site map (admin user) and just use the cookie from the other user. But I do not see any options how this could be done. Changed "Project Options" > "Platform Authentication" and "User Options" > "Platform Authentication" to the Basic Auth for the second user. But all requests in "Compare site map" > "Site Map 2" > "Request map 1 again in a different session" are done as admin. How can this be done? Thanks.

PortSwigger Agent | Last updated: Aug 29, 2017 09:23AM UTC

Hi Christian, Thanks for your message. It sounds like the Site map 2 is being requested with the PHPSESSID from your original spider. To do this with the non-admin user:

1) Project options > Sessions > Use cookies from Burp's cookie jar > Edit > Scope - check the Target tool.

2) Using your browser, log in to the target as the second user. Burp Proxy will detect the new PHPSESSID and save it in the cookie jar.

This should work. I've not actually dealt with an app that mixes basic authentication and cookies like you mention. If you encounter any further problems, just get back in touch.
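The workflow described above (re-request the admin's site map with the second user's PHPSESSID, then compare) boils down to a small algorithm. The following is an added example written for this thread, not Burp's own code: it replays a constructed admin site map against a hypothetical target (`fake_fetch`, which stands in for the application so the script runs offline) using a different session cookie, and then classifies each URL the way a tester reads the Compare site maps output. All URLs, bodies and session values are invented.

```python
import hashlib
from typing import Callable, Dict, Tuple

Response = Tuple[int, str]          # (HTTP status, response body)
SiteMap = Dict[str, Response]       # request URL -> response as observed

# Constructed sample data: the site map the spider produced while logged in as admin.
# URLs, bodies and session values are invented for this example.
ADMIN_COOKIE = "PHPSESSID=admin-session-constructed"
USER_COOKIE = "PHPSESSID=user-session-constructed"

ADMIN_SITE_MAP: SiteMap = {
    "/index.php": (200, "<h1>Welcome</h1>"),
    "/profile.php": (200, "<p>Profile of admin</p>"),
    "/admin/users.php": (200, "<table>all users</table>"),
    "/admin/export.php": (200, "id,name\n1,alice\n"),
}


def fake_fetch(url: str, cookie: str) -> Response:
    """Hypothetical stand-in for the target application so the example runs offline.

    /admin/users.php checks the session; /admin/export.php is deliberately left
    unchecked so the comparison has a finding to surface.
    """
    if url == "/admin/users.php" and cookie != ADMIN_COOKIE:
        return 403, "Forbidden"
    if url == "/profile.php":
        who = "admin" if cookie == ADMIN_COOKIE else "user"
        return 200, f"<p>Profile of {who}</p>"
    return ADMIN_SITE_MAP[url]


def replay_site_map(site_map: SiteMap, cookie: str,
                    fetch: Callable[[str, str], Response]) -> SiteMap:
    """Request every URL of an existing site map again with a different session
    cookie: the equivalent of 'Request map 1 again in a different session' once
    the cookie jar holds the second user's PHPSESSID."""
    return {url: fetch(url, cookie) for url in site_map}


def _digest(body: str) -> str:
    return hashlib.sha256(body.encode()).hexdigest()


def compare_site_maps(map1: SiteMap, map2: SiteMap) -> Dict[str, str]:
    """Classify each URL of map1 by how map2 responded to it.

    'denied'    -> the second session was refused (401/403); access control held
    'identical' -> same status and same body; for admin-only functionality this
                   is the case to review, it may indicate a missing authorization check
    'differs'   -> content changed, e.g. per-user data or a different status
    """
    verdicts: Dict[str, str] = {}
    for url, (status1, body1) in map1.items():
        status2, body2 = map2[url]
        if status2 in (401, 403):
            verdicts[url] = "denied"
        elif status1 == status2 and _digest(body1) == _digest(body2):
            verdicts[url] = "identical"
        else:
            verdicts[url] = "differs"
    return verdicts


def identical_under(verdicts: Dict[str, str], prefix: str) -> list:
    """URLs under a privileged path prefix that the second user could fetch unchanged."""
    return sorted(u for u, v in verdicts.items()
                  if v == "identical" and u.startswith(prefix))


if __name__ == "__main__":
    user_map = replay_site_map(ADMIN_SITE_MAP, USER_COOKIE, fake_fetch)
    verdicts = compare_site_maps(ADMIN_SITE_MAP, user_map)
    for url, verdict in verdicts.items():
        print(f"{verdict:9} {url}")
    print("review:", identical_under(verdicts, "/admin/"))
```

The point of scoping the session handling rule to the Target tool is exactly the `cookie` argument of `replay_site_map`: if the rule does not apply, the replay is sent with the original admin PHPSESSID and every URL comes back "identical", which is the symptom Christian describes. A redirect to the login page (302) is another common form of denial and would need its own branch in `compare_site_maps` for a real application.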

Burp User | Last updated: Apr 17, 2018 02:03PM UTC

I have the same problem. The cookie jar sees the new cookies, but when comparing it uses the admin's cookies - not the ones from the jar. I am using the free edition.

PortSwigger Agent | Last updated: Apr 17, 2018 02:05PM UTC

Hi Leo, Please try changing the scope of the session rule. Go into Project options > Sessions > Use cookies from Burp's cookie jar > Edit > Scope and check the Target tool.
