We often face the situation where multiple testers are supposed to test the same application in BURP (a single installation) and we are unsure of how the session cookies will behave. Which tester's cookie will the BURP tool use for the subsequent requests it makes to the server? After creating the site map, the testers might not initiate the scan immediately. So what happens when all the sessions that were used for creating the site map have expired?
Test creds to use
First of all, BURP is not capable of finding issues related to privilege escalation, so all the testers should use only the admin credentials for testing, to achieve maximum application coverage.
Setting the shared environment
Second, to set up the shared BURP environment, apply the following settings –
The IP should be the IP of the machine where BURP is installed.
Dealing with session cookies
Finally, for tackling the session issues –
- BURP has a cookie jar feature that internally tracks all the cookies being used for an application, records the latest cookie observed for that application, and makes active scans use the latest cookie captured by the proxy. The cookie jar is enabled by default, but to double check, please make sure the following boxes are checked –
- With these configurations in place, BURP automatically records the latest cookie for the target domain as captured by the proxy tool, and subsequent scan requests make use of that latest cookie.
- So during BURP testing, multiple people can log in to the app (ALL USING ADMIN CREDS) with the proxy set and browse the app to create the site map at their own pace. Later, when you want to trigger the scan, log in to the application with the proxy set and then trigger the scan immediately, before that session expires. Note: if some sub-domain of the application needs separate authentication and sets additional cookies, browse those locations of the app and complete those authentications as well before triggering the scan.
- At any time, you can click the “open cookie jar” button shown in the above screenshot to see the cookie being used for your target domain at that instant.
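To make the "latest cookie wins, per domain" behaviour described above concrete, here is an added Python model of the cookie jar; it is illustrative code written for this post, not Burp's own code, and the domains, cookie names and timings are constructed.

```python
import time
from http.cookies import SimpleCookie


class CookieJarModel:
    """Per-domain cookie store: the most recently observed value of a cookie
    name replaces any earlier one, as the post describes for Burp's cookie jar.
    This is a simplified model, not Burp's implementation."""

    def __init__(self):
        self.jars = {}     # domain -> {cookie name: value}
        self.expires = {}  # domain -> {cookie name: epoch seconds, or None}

    def observe(self, domain, set_cookie_headers, now):
        """Record Set-Cookie headers from a response seen through the proxy."""
        jar = self.jars.setdefault(domain, {})
        exp = self.expires.setdefault(domain, {})
        for header in set_cookie_headers:
            sc = SimpleCookie()
            sc.load(header)
            for name, morsel in sc.items():
                jar[name] = morsel.value                  # newest value wins
                max_age = morsel["max-age"]
                exp[name] = now + int(max_age) if max_age else None

    def cookie_header(self, domain):
        """Cookie header a scan request to `domain` would carry right now."""
        return "; ".join(f"{k}={v}" for k, v in self.jars.get(domain, {}).items())

    def expired_cookies(self, domain, now):
        """Cookie names whose Max-Age has elapsed: a scan started now would
        run with a dead session for this domain."""
        return sorted(n for n, t in self.expires.get(domain, {}).items()
                      if t is not None and t <= now)


def demo(t0=1_700_000_000):
    """Constructed traffic from two testers plus a separately authenticated sub-domain."""
    jar = CookieJarModel()
    # Tester A logs in; the session is valid for 30 minutes.
    jar.observe("app.example.test", ["JSESSIONID=A1; Path=/; Max-Age=1800; HttpOnly"], t0)
    # Tester B logs in 10 minutes later with the same admin creds: B's cookie replaces A's.
    jar.observe("app.example.test", ["JSESSIONID=B2; Path=/; Max-Age=1800; HttpOnly"], t0 + 600)
    # A sub-domain with its own authentication sets an additional cookie, kept separately.
    jar.observe("admin.example.test", ["ADMINTOKEN=T9; Path=/; Max-Age=1800"], t0 + 700)
    return {
        "app": jar.cookie_header("app.example.test"),
        "admin": jar.cookie_header("admin.example.test"),
        "expired_after_20m": jar.expired_cookies("app.example.test", t0 + 1200),
        "expired_after_60m": jar.expired_cookies("app.example.test", t0 + 3600),
    }
```

Running `demo()` shows the app domain scanning with tester B's session, the sub-domain with its own token, and the app session flagged as expired once an hour has passed since the first login, which is the situation the "log in again and trigger the scan immediately" advice avoids.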