Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Dynamic custom parameter name

Andrej | Last updated: Mar 12, 2018 02:43PM UTC

Hi, As per session management/macros, I know I can use "Define custom parameter" to obtain value to specific parameter with static name (e.g. "name"). However, consider a dynamic parameter name. For example, upon requesting the login page, I get "name1234" parameter (notice the counter/nonce appended to the name of the parameter). Upon requesting the login page again, I get "name1235" as a different parameter name. I want to dynamically change the name of the parameter as part of the session management, so that I could define and change this parameter automatically. I'm not aware this being possible at the moment, since in the "Define custom parameter" the name of the parameter needs to be static to obtain some value. Many thanks, Andrej

PortSwigger Agent | Last updated: Mar 12, 2018 04:23PM UTC

Hi Andrej, Thanks for your message. As you mention, this is not possible with the current session handling rules. A few people have requested this and it is on the development plan. However, it will probably not be looked at until we do a more major review of session handling rules, which is likely to be some time away. In the meantime, the Custom Parameter Handler extension allows some more unusual scenarios to be handled, but writing a custom extension is the only assured approach. Please let us know if you need any further assistance.

Burp User | Last updated: Feb 07, 2020 08:41AM UTC

Hi Burp-Team, I am currently facing a similar situation as Paul, though not exactly the same: In this case the application uses a parameter, whose name and value look like hashes. While the name stays constant for the duration of the session, the value does not. So the best I could probably get out of this, is finding a way to keep the session alive (the app has pretty weird session handling). I would then update my macro on every login to derive the parameter with the matching name and theoretically be good for as long as the session lasts. Is there any update on the mentioned "major review of session handling rules"? As webapps are gaining in complexity (at least from my observation), session handling rules become more and more important.

Ben, PortSwigger Agent | Last updated: Feb 10, 2020 08:49AM UTC

Hi, The introduction of browser-driven scanning and recorded login sequences are both on our 2020 roadmap and both should improve Burp's native ability to handle sessions. You can find more information on the following page: https://portswigger.net/blog/burp-suite-roadmap-for-2020

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.