Burp Suite User Forum

Scanning doesn't stop when the session is invalid

Syed | Last updated: Jun 27, 2019 12:38PM UTC

How can I stop the scanning when the session has expired? My requirement is that the scanning should stop as soon as the response has an invalid session and must continue only once it gets a valid session. How can I achieve this?

Liam, PortSwigger Agent | Last updated: Jun 27, 2019 01:48PM UTC

Syed, which version of Burp are you using? In Burp 2, this functionality is automated. Burp will try to log back in to the application and will inform you if it has been unsuccessful.

Burp User | Last updated: Jun 27, 2019 02:15PM UTC

I am using this version: Professional 2.0.25beta

Liam, PortSwigger Agent | Last updated: Jun 27, 2019 02:16PM UTC

How do you know the session has become invalid? Is Burp attempting to log back in to the application? Do you see any errors in the Event log?

Burp User | Last updated: Jun 27, 2019 02:21PM UTC

I am using the 'Flow' Burp extender, which shows the requests and the responses that are currently being fired via the scanner. In the response, I see this: `acct/login.phtml?.loggingout=1`. This is shown when the session is not active anymore.

Burp User | Last updated: Jun 27, 2019 02:25PM UTC

No, Burp doesn't try to log back in; Burp just continues the scanning using the stored target scope requests, which now have an invalid session. No, I don't see anything in the Event Log.

Liam, PortSwigger Agent | Last updated: Jun 27, 2019 02:28PM UTC

Syed, thanks for the additional information. Could you email us (support@portswigger.net) screenshots of the requests and responses you have detailed and your Application Login settings?
