Burp Suite User Forum


How do i prevent cookie ID injections in the request parameter?

Shalini | Last updated: May 11, 2018 04:48AM UTC

I have a case where we recorded a bunch of URLs and are re-scanning them. During the re-scan the session expired. So to create an active session I have created a session handling rule to trigger login and create a new session ID, which is updated in the cookie jar. I also used the 'use cookies from Burp's cookie jar' option to ensure the rest of the requests are using the valid session ID. Until now all is working well, but during the scan I have observed that a few requests have a JSESSIONID parameter with an invalid session ID in the cookie, and in the response to this request the server is setting a new session ID. I don't want the session ID injection; I only need the request header to be updated with the JSESSIONID cookie on session expiry. I came across this post https://support.portswigger.net/customer/portal/questions/17285725-don-t-allow-set-cookie-to-add-cookies-to-requests but I need the cookie jar to ensure a valid session ID exists. How do I prevent this from getting injected in the request parameter and only use it as part of the request header cookie?
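As an added illustration for this thread (not part of the original post and not Burp Suite's own code or API): a small Python check over a captured HTTP request that reports when the session cookie's name appears as a query-string or form parameter rather than only in the Cookie header, plus a normaliser that strips it from those parameters so the jar-supplied Cookie header is the only place the session ID travels. The cookie name JSESSIONID is taken from the post; the request text, host and token values are constructed for the example.

```python
"""Detect and strip a session identifier that has leaked into request
parameters instead of staying in the Cookie header.

Added example; standalone Python, not Burp code. The sample request,
host and token values below are constructed for illustration."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SESSION_COOKIE = "JSESSIONID"  # cookie name from the thread

# Constructed request: a stale token has been injected as a query and form
# parameter while the Cookie header already carries the fresh jar value.
SAMPLE_REQUEST = (
    "POST /app/account?JSESSIONID=STALE123&view=summary HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: JSESSIONID=FRESH456; theme=dark\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 26\r\n"
    "\r\n"
    "JSESSIONID=STALE123&page=2"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into its request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def _header(headers, name):
    return next((v for k, v in headers if k.lower() == name.lower()), "")


def _is_form(headers):
    return _header(headers, "Content-Type").startswith(
        "application/x-www-form-urlencoded")


def find_leaks(raw, cookie_name=SESSION_COOKIE):
    """Return the locations ('query', 'body') where the session cookie's
    name shows up as a parameter; an empty list means no leak."""
    _, target, _, headers, body = parse_request(raw)
    leaks = []
    query = urlsplit(target).query
    if any(k == cookie_name for k, _ in parse_qsl(query, keep_blank_values=True)):
        leaks.append("query")
    if _is_form(headers) and any(
            k == cookie_name for k, _ in parse_qsl(body, keep_blank_values=True)):
        leaks.append("body")
    return leaks


def session_cookie(raw, cookie_name=SESSION_COOKIE):
    """Return the session ID carried in the Cookie header, or None."""
    _, _, _, headers, _ = parse_request(raw)
    for pair in _header(headers, "Cookie").split(";"):
        k, _, v = pair.strip().partition("=")
        if k == cookie_name:
            return v
    return None


def normalize(raw, cookie_name=SESSION_COOKIE):
    """Rebuild the request with the session ID removed from the query string
    and form body; the Cookie header is left untouched and Content-Length
    is recomputed for the trimmed body."""
    method, target, version, headers, body = parse_request(raw)
    parts = urlsplit(target)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != cookie_name]
    target = urlunsplit(parts._replace(query=urlencode(kept)))
    if _is_form(headers):
        kept = [(k, v) for k, v in parse_qsl(body, keep_blank_values=True)
                if k != cookie_name]
        body = urlencode(kept)
        headers = [(k, str(len(body.encode())) if k.lower() == "content-length" else v)
                   for k, v in headers]
    head = "\r\n".join([f"{method} {target} {version}"]
                       + [f"{k}: {v}" for k, v in headers])
    return head + "\r\n\r\n" + body


if __name__ == "__main__":
    print("leaks:", find_leaks(SAMPLE_REQUEST))       # ['query', 'body']
    cleaned = normalize(SAMPLE_REQUEST)
    print("leaks after normalize:", find_leaks(cleaned))  # []
    print("cookie header session id:", session_cookie(cleaned))
```

Running `find_leaks` over a set of logged requests is a quick way to confirm whether a scan is actually emitting the session ID as a parameter (the symptom described in the post) before changing session handling rules; `normalize` shows the intended end state, where only the Cookie header carries the jar's current value.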

PortSwigger Agent | Last updated: May 11, 2018 01:04PM UTC

Hi Shalini, Thanks for your message. We're struggling a little bit to understand exactly the issue you're facing. Could you please send us: 1) The configuration of the session handling rule you've created 2) An example of a request that contains a JSESSIONID parameter that is unwanted. If you could also include a valid request, that would be helpful. Please let us know if you need any further assistance.
