We often face the situation where several testers are supposed to test the same application through a single Burp installation, and it is not obvious how the session cookies will behave. Which tester's cookie will Burp use for the requests it sends to the server on its own (the scanner's requests)? After building the site map, the testers may not start the scan right away, so what happens when every session that was used while building the site map has expired?
Test creds to use
First of all, Burp's scanner does not find privilege escalation or other authorization issues on its own: it has no notion of which role should be allowed to reach which function, so comparing what different roles can do remains manual work. For scanner coverage, therefore, all testers should use only the admin credentials, so that the scanner sees as much of the application as possible. Keep in mind that an active scan run as admin will exercise admin functions against the target, so only do this in a non-production environment you are allowed to modify.
Setting the shared environment
Second, to set up the shared Burp environment, add a Proxy listener (Proxy > Options > Proxy Listeners) that binds to the address of the machine where Burp runs, or to all interfaces, instead of the default 127.0.0.1, and point every tester's browser at that address and port.
The bind address must be the IP of the machine where Burp is installed; a listener on loopback is only reachable from that machine. Each tester also needs Burp's CA certificate installed in their browser (browse to http://burp through the proxy to download it), and because the listener now accepts connections from the network, restrict it with a host firewall to the testers' machines.
Dealing with session cookies
Finally, to deal with the session issues -
- Burp's cookie jar (a built-in feature under Project options > Sessions, not a plugin) records the cookies it sees in traffic, keeping the most recent value for each cookie name on a given domain and path, and the session handling rules make the scanner send those values. It is enabled by default, but double check two settings: under Cookie jar, Proxy is ticked as a tool whose traffic updates the jar, and under Session handling rules the default rule "Use cookies from Burp's cookie jar" is enabled with the Scanner in its tool scope.
- With these settings in place, Burp automatically records the latest cookie for the target domain as it passes through the Proxy, and subsequent scan requests use that latest value.
- So during Burp testing, several people can log in to the app (ALL USING ADMIN CREDS) with the proxy set and browse it to build the site map at their own pace. Later, when you want to trigger the scan, log in to the application again through the proxy and start the scan immediately, before that session expires; whichever login passed through the Proxy most recently is the one the scanner will use. While the scan runs, nobody else should log in or log out through the proxy: a new login silently replaces the cookie the scan is using, and a logout invalidates the session on the server even though the jar still holds the cookie. Note: if a subdomain of the application needs separate authentication and sets additional cookies, browse those parts of the app and complete those logins as well before triggering the scan, so the jar holds a fresh cookie for every domain.
- At any time, you can click "Open cookie jar" on the Sessions tab to see the cookies currently held for your target domain.
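The two checks a tester would want before pressing Scan, as an added example that is not part of the original post: that the shared Proxy listener is reachable from the tester's machine, and that the session about to be scanned with is still alive (sending the check through the Proxy also refreshes Burp's cookie jar with that cookie). The listener address (10.0.0.5:8080), the target page, the login path and the sample Set-Cookie headers are all hypothetical and constructed for the example; in practice the cookie value is pasted from the browser or from "Open cookie jar".

```python
"""Pre-scan session check for a shared Burp instance (added example, not
from the original post). Hypothetical setup, constructed for illustration:
  BURP_PROXY  - the shared Proxy listener bound to the Burp machine's IP
  TARGET      - a plain-http page that only a logged-in user can load
  LOGIN_PATH  - where the app redirects when the session is gone
"""
import socket
import urllib.error
import urllib.request
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

BURP_PROXY = "http://10.0.0.5:8080"             # hypothetical listener
TARGET = "http://app.example.internal/account"  # hypothetical auth-only page
LOGIN_PATH = "/login"                           # hypothetical login path


def session_state(status, headers, login_path=LOGIN_PATH):
    """Classify the response to an authenticated-only URL.

    A 3xx to the login page, or a 401/403, means the session has expired;
    a scan started now would run unauthenticated and miss most of the app.
    """
    location = headers.get("Location", "") or ""
    if status in (401, 403):
        return "expired"
    if 300 <= status < 400 and login_path in location:
        return "expired"
    if status == 200:
        return "alive"
    return "unknown"


def cookie_lifetimes(set_cookie_headers, now):
    """Seconds left on each cookie in a list of Set-Cookie headers.

    Max-Age takes precedence over Expires (RFC 6265, section 5.3). A cookie
    with neither is a browser-session cookie and is reported as None: the
    server alone decides when it dies, so treat it as "scan now, not later".
    """
    remaining = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if morsel["max-age"]:
                remaining[name] = int(morsel["max-age"])
            elif morsel["expires"]:
                expires = parsedate_to_datetime(morsel["expires"])
                remaining[name] = int((expires - now).total_seconds())
            else:
                remaining[name] = None
    return remaining


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them, so the
    redirect-to-login stays visible to session_state()."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_via_burp(cookie_header, url=TARGET, proxy=BURP_PROXY, now=None):
    """Send one request through the shared listener and report the session.

    The request passes through the Proxy, so Burp's cookie jar is refreshed
    with the cookie you are about to scan with. HTTPS targets additionally
    need Burp's CA in Python's trust store; the sample target is plain http.
    """
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}),
        _NoRedirect(),
    )
    req = urllib.request.Request(url, headers={"Cookie": cookie_header})
    try:
        resp = opener.open(req, timeout=10)
    except urllib.error.HTTPError as err:   # 3xx/4xx still carry headers
        resp = err
    except (urllib.error.URLError, socket.timeout) as err:
        # Connection refused here usually means the listener is still bound
        # to 127.0.0.1 on the Burp machine, or a firewall blocks the port.
        return {"state": "proxy unreachable", "detail": str(err), "ttl": {}}
    now = now or datetime.now(timezone.utc)
    state = session_state(resp.code, resp.headers)
    ttl = cookie_lifetimes(resp.headers.get_all("Set-Cookie") or [], now)
    return {"state": state, "detail": "", "ttl": ttl}


# Constructed sample: what the app might answer right after a fresh login,
# evaluated at a fixed instant so the numbers below are reproducible.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_SET_COOKIE = [
    "sid=0123abcd; Path=/; HttpOnly; Max-Age=1800",
    "JSESSIONID=deadbeef; Path=/; HttpOnly",
    "pref=1; Path=/; Expires=Mon, 01 Jan 2024 12:10:00 GMT",
]

if __name__ == "__main__":
    print(cookie_lifetimes(SAMPLE_SET_COOKIE, SAMPLE_NOW))
    # Live check, needs the shared listener and the app to be reachable:
    # print(check_via_burp("sid=<paste from your browser>"))
```

Run the live check right after logging in and just before starting the scan: a result of "expired" means log in again first, a small Max-Age means start the scan without delay, and "proxy unreachable" from a tester's machine points at a listener still bound to loopback or a firewall in the way.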