![]() ![]() By default, it monitors "Proxy" and "Spider" tools. We will look into Cookie jar first because, even if you don't define any custom session handling rule/macro, this plays an important role in keeping your session active.Īs the name suggests, this stores all the cookies issued by all the web applications you visited (obviously, in the browser where Burp is the proxy or through Burp tools).īurp lets the user select which of the burp's tool traffic to monitor and, based on the selection, it updates the cookie jar with any newly set cookies. We will look at all the three options in detail, later on followed by an example. Burp now provides three important configuration options to help you troubleshoot your sessions and state. ![]() With Burp v1.4, Burp introduced new module called "Sessions" to give you the control to oversee the application's session handling with Burp. Please Login" and all the hard work spent crawling the application was in vain. While using Burp for web application active scanning, there may be a whole lot of requests pending in the "Active Scan Queue" but do all of these requests contain the active "Sessionid"? From where does Burp pick up the latest session information? I have often pondered these questions while looking at the big "Scan Queue" and wondered if all these requests were sent successfully to the server or if the response was "Session Expired. The web application might terminate your session based on timeout conditions or other reasons and all the subsequent requests made to the server are invalidated. But these measures also work against the person doing penetration testing on these web applications because maintaining an active session for the multiple requests sent to the server becomes difficult.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |