Automating Burp Suite -2 | Automated Authenticated Login and Scanning via Macro
In part 2 of Automating Burp Suite, we automate the login and perform authenticated scanning using a Burp Suite macro.
Authenticated session handling is required whenever a web application is penetration tested, scanned for compliance, or tested in any other way. By default, Burp Suite's crawler runs its scans unauthenticated. To produce more effective results, especially when running Burp's Spider or Scanner against an application, Burp's session handling functionality lets manual and automated testing continue while Burp authenticates in the background.
This tutorial demonstrates how to use Burp's session handling rules to ensure an authenticated scan when using Burp Spider.
How To Do It:
A) Auto Login Macro:
1. Visit https://demo.testfire.net/ (test application for the authenticated scan).
2. Select the doLogin request from the proxy history and switch to the Project options tab.
3. Click on Sessions for the session handling rules. Click on Add, enter the Rule Description, and for Rule Actions select Run a macro.
4. The Macro Recorder pops up; select the doLogin request and validate the username and password in the POST request body. Click OK.
5. In the Macro Builder, change the Macro Description.
6. Click OK and check that the newly created macro is selected (here it is Testfire-Login). Click OK.
7. In the Session handling rule editor, change the tab to Scope; in Tools Scope select the tools accordingly, then also change the URL Scope. Click OK.
The login macro is complete; the application can now log in automatically without human intervention. Next, let's add session validation in case the application logs the user out or the cookies are deleted manually.
Session validation checks the session and logs in to the application again, so that authenticated scanning continues.
B) Session Validation Macro
1. Select a valid URL (any URL that appears after a user logs in with valid credentials). Then log out of the application and send the request to check how the application responds when the session is logged out. Here we can see the header in the response: Location: /login.jsp. This login.jsp will be used when creating the macro to tell a valid session from an invalid one.
2. Switch to Project options and click on Add. In the Session handling rule editor, add the Rule Description: TestFire-SessionValidate. Then in Rule Actions, select Run a macro.
3. Select a valid request that returns 200 OK only when an authenticated user visits it and otherwise redirects to login.jsp. Here we select /bank/showAccount?listAccounts=800000. This request is used to validate the session: if the response header contains the string login.jsp, the session is invalid, and the login macro is re-run to log in again. Hence authentication is performed whenever the session is unauthenticated.
4. After clicking OK, in the Macro Editor add the Macro Description: Testfire-SessionValidation. Then click OK.
5. Step 4 validates the session. Let's add another Rule Action, Check session is valid.
6. In the Session handling action editor, click on Run macro. Then for Location(s): select URL of redirect target. In Look for expression fill in login.jsp and leave the rest as is. For Match indicates select invalid session.
For Define behavior dependent on session validity: check both "If session is valid, don't process any further rules or actions for this request" and "If session is invalid, perform the action below:". Select Run a macro and select the login macro Testfire-Login. Click OK.
7. On visiting https://demo.testfire.net/index.jsp, it was found that the application does not redirect to login.jsp, so this case is not covered yet, as we have not written any session validation rule that checks for it. On visiting index.jsp the application sends Sign In in the response body. Hence we also need to detect this invalid session: we create another action that checks whether the response body contains the string Sign In; if it is present, the session is invalid and the login macro is re-run.
8. In Rule Actions, click on Add and again select Check session is valid. Fill in the details as above up to the Location(s): part, then select Response body and for Look for expression: Sign In.
For Define behavior dependent on session validity: check both "If session is valid, don't process any further rules or actions for this request" and "If session is invalid, perform the action below:". Select Run a macro and select the login macro Testfire-Login. Click OK.
9. Check the Rule Actions; they now consist of:
a) Run macro: Testfire-SessionValidation.
b) Check session is valid.
c) Check session is valid.
Click OK.
10. Then for the scope, in the Session handling rule editor change the tab to Scope; in Tools Scope select the tools accordingly, then also change the URL Scope. Click OK.
11. Turn on the TestFire-SessionValidate session handling rule.
12. Send the index.jsp request and check the response. Click on Render to view the page. The application performs the auto-login.
13. Disable the TestFire-SessionValidate session handling rule. The application shows a response body with Sign In.
14. Currently both rules are disabled; now enable both TestFire-Autologin and Testfire-SessionValidate.
15. Resend the request and check the response tab, which renders Sign OFF. This proves that the application is authenticated automatically.
Now perform the crawl and audit from Burp Suite by adding the scope in Target.
How it Works:
The first macro signs in to the application using a valid login request with credentials; it is used to sign in automatically.
The second part, where session validation is performed, checks whether the session is valid for specific endpoints and, when the session is invalid, re-runs the login macro.
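The two validity checks configured above (login.jsp in the redirect target, Sign In in the response body) and the re-login they trigger, modelled as an added Python example so the logic can be exercised offline. This is not Burp's code or the tutorial's own; FakeTestfire is a constructed stand-in for demo.testfire.net and login() stands in for the Testfire-Login macro.

```python
# Added example, not Burp's own code: models the two "Check session is valid"
# actions from the tutorial so the detection logic can be exercised offline.
# FakeTestfire is a constructed stand-in for demo.testfire.net.

PROBE_PATH = "/bank/showAccount?listAccounts=800000"  # probe request from step 3
LOGIN_REDIRECT = "login.jsp"   # rule 1: "Look for expression" on redirect target
LOGGED_OUT_BODY = "Sign In"    # rule 2: "Look for expression" on response body


def session_is_valid(status, headers, body):
    """Both rules are 'Match indicates invalid session'; any hit means invalid."""
    if 300 <= status < 400 and LOGIN_REDIRECT in headers.get("Location", ""):
        return False  # redirected to the login page
    if LOGGED_OUT_BODY in body:
        return False  # index.jsp answers 200 OK but still shows 'Sign In'
    return True


class FakeTestfire:
    """Two endpoints and one session flag, enough to show both failure modes."""

    def __init__(self):
        self.logged_in = False

    def login(self):  # stands in for the Testfire-Login macro (doLogin POST)
        self.logged_in = True

    def get(self, path):
        if path.startswith("/bank/showAccount"):
            if self.logged_in:
                return 200, {}, "<h1>Account 800000</h1>"
            return 302, {"Location": "/login.jsp"}, ""
        if path == "/index.jsp":
            body = "<a>Sign OFF</a>" if self.logged_in else "<a>Sign In</a>"
            return 200, {}, body
        return 404, {}, ""


def fetch_authenticated(app, path):
    """Apply the rule: probe via showAccount (rule 1), then check the real
    response body (rule 2); re-run the login macro whenever either says invalid."""
    relogged = False
    if not session_is_valid(*app.get(PROBE_PATH)):
        app.login()
        relogged = True
    resp = app.get(path)
    if not session_is_valid(*resp):
        app.login()
        relogged = True
        resp = app.get(path)
    return resp, relogged  # relogged tells the caller the login was replayed
```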
Reference:
- https://portswigger.net/support/configuring-burp-suites-session-handling-rules
- https://www.youtube.com/watch?v=5v8bWAcA8oI
The next Burp Suite macro tutorial will walk through automating the login process when the login request carries a CSRF token, using DVWA. Also check out the previous article on capturing a CSRF token via a macro.