Burp Session Handling Rules not Applied to Proxy

D. Jul 10, 2019 10:27AM UTC

I have a macro that grabs a token value of the parameter named xxx from one HTTP response such as:
/campaign/a\">Details</a>\n<form class=\"column-buttons\" action=\"/manage/campaign/delete\" method=\"POST\">\n <input type='hidden' name='xxx' value='yyy'

In the session handling rules, I have set it to run a macro and made it applicable to Repeater and Proxy. In Repeater, when I press Go a few times, the token gets updated.
However, when running SQLmap via Burp, the token is not updated. I have also tried manually clicking on the function, but the token is not from the macro but from the original page.

I am using Windows 10, tried with Burp 2.1 and v2.0.13beta, Pro edition for both.


D. Jul 10, 2019 10:48AM UTC
Just an update, using Session handling tracer shows that the parameter in the HTTP request is indeed updated. However, in my Proxy tab, the parameter in the HTTP request is not updated.

Liam Tai-Hogan Jul 10, 2019 01:24PM UTC Support Center agent

SQLmap is a Burp extension.

Have you checked the Extender box in the Session handling rule editor > Scope > Tool Scope?


D. Jul 11, 2019 01:31AM UTC
I am not using the Burp extension. I am using SQLmap on its own and specifying the proxy there to go through Burp. I checked the Extender box, but to no avail.

D. Jul 11, 2019 01:41AM UTC
I have also removed all extensions in case they were interfering with the requests in the proxy.
My host is an IP. I'd initially thought maybe the scope for session handling is not able to detect IP addresses, and so I mapped a hostname to the IP in my hosts file.
All these still did not work for me. The fact I can see in the session handling tracer and not in proxy is a sign that there should be a bug unless there are some settings I am not aware of.

D. Jul 11, 2019 12:28PM UTC
I still have no luck with it. I can send screenshots; let me know how I should go about doing it.

Rose Krawczuk Jul 15, 2019 07:07AM UTC Support Center agent

Sorry for the delay in responding. Have you tried using the SQLiPy Sqlmap Integration Extension in the BApp Store? If not, could you try using this or tell us why this wouldn’t work for you?


D. Jul 16, 2019 02:15AM UTC
I avoided using the extension as I am under the impression I wouldn't be using the latest SQLmap version as it is slower than the actual development. I will give it a shot but I still think the core problem should be fixed as this is just a mitigation.

D. Jul 16, 2019 02:23AM UTC
Okay, the extension is not working out for me. It has been about 7 days; please let me know where I can send screenshots or debug messages to help with fixing this issue.

Liam Tai-Hogan Jul 17, 2019 09:43AM UTC Support Center agent

What issues did you have with the extension? Did you check out our tutorial page?

- https://support.portswigger.net/customer/portal/articles/2791040-using-burp-with-sqlmap

You can send screenshots or debug messages to support@portswigger.net.

