Automating Burp Suite -2 | Automated Authenticated Login and Scanning via Macro

In the part-2 of Automating Burp Suite, we are automating login and performing authenticated scanning using Burp Suite Macro.

While performing penetration testing or during authenticated scan for compliance for any kind of testing of web applications, this authenticated session handling is required. While running scan, Burp Suite crawler by default performs unauthenticated scans. To produce more effective results especially when running Burp’s Spider or Scanner against an application, burp’s session handling functionality helps to continue manual and automated testing while Burp authenticates in the background.

This tutorial demonstrates how to Burp’s session handling rules to ensure authenticated scan when using Burp Spider.

How To Do It:

A) Auto Login Macro:

  1. Visit (test application for authenticated scan)
Vulnerable demo application

2. Then select the request from the proxy history and switch to Project options tab.

Login request for authentication

3. Click on Sessions for session handling rules. Click on Add and enter the Rule Description and for Rule Actions select Run a macro .

Session handling rule

4. Macro Recorder pops up, then select the doLogin request, validate the username and password in the POST request body. Click OK.

Macro recorder

5. In the Macro Builder change the Macro Description .

Macro editor

6. Click on ok and check the selected (newly created Macro), here it is Testfire-Login . Click OK.

Session handling actions

7. In the Session handling rule editor , Change the tab to Scope and in the Tools Scope , select the scopes accordingly. Then also change the URL Scope . Click OK.

Scope

The Login Macro is complete, now application can automatically login without human intervention. Let’s add session validation in case application log out or manually cookies are deleted.

Session Validation will validate the session and re-login to the application so that application continuous to perform authenticated scanning.

B) Session Validation Macro

  1. Select the valid URL (any url which appears after user log in with valid credentials). Then log out of the application and send the request to check how application responds when session is log out.

Here we can see the header in the response, Location: /login.jsp. This login.jsp will be used while creating Macro to validate session from invalid session.

Validating Session

2. Switch to Project Optionsand click on ADD . Then in Session handling rule editor . Add the Rule Description : TestFire-SessionValidate.
Then in the Rule Actions , select Run a macro .

Session handling rule

3. Select a valid request which shows 200 OK response only when authenticated user visits it else it redirects to login.jsp . Here we are selecting .

This will help to validate the request. We will check if the response header contains string login.jsp then the session is invalid. If the session is invalid then re-run the Login action Macro, to re-login. Hence it will perform authentication in case the session is unauthenticated.

Valid and authenticated request

4. After clicking OK, in the Macro Editor add the Macro Description : Testfire-SessionValidation. Then click OK.

Macro editor

5. The 4th step will validate the session. Let’s add another Rule Actions , Check session is valid .

Session handling rule editor

6. In the Session handling action editor , Click on Run macro . Thenfor Location: select URL of redirect target .
In the Look for expression fill login.jsp, leave the rest. For Match indicates select invalid session .
For Define behavior dependent on session validity:check both if session is valid, don't process any further rules or actions for this request and If sessions is invalid, perform the action below:
Select Run a macro and select login Macro: Testfire-Login . Click OK.

Session handling action editor

7. On visiting , it was found that the application was not redirecting to login.jsp hence this use-case will be invalid as we have not written any session validation rule which validates for this case.

On visiting index.jsp application sends Sign In in the response body. Hence we need to validate this invalid session. For that we will create another action to check if the request with response body having string Sign In is present that means session is invalid hence re-run the login Macro.

Another invalid session from proxy history

8. In the Rule Actions , click on ADD and again select check session is valid .
Fill the details as above till the Location(s): part, then we will select Response Body and for Look for expression: Sign In.
For Define behavior dependent on session validity:check both if session is valid, don't process any further rules or actions for this request and If sessions is invalid, perform the action below:
Select Run a macro and select login Macro: Testfire-Login . Click OK.

Session handling

9. Check the Rule Actions , it consist :

a) run macro: Testfire-SessionValidation.
b) Check session is valid.
c) Check session is valid.
Click OK.

Session handling with multiple rules

10. Then for the Scope, click on the Session handling rule editor , Change the tab to Scope and in the Tools Scope , select the scopes accordingly. Then also change the URL Scope . Click OK.

Scope

11. Let’s turn on the TestFire-SessionValidate Session Handling Rule.

Validation

12. Send the index.jsp request and check the response. Click on render to view the page. The application performs auto-login.

Auto Login

13. Disable the TestFire-SessionValidate Session Handling Rule. Application shows response body with Sign In .

User not logged in, showing Sign In

14. Currently both are disabled but now enable both TestFire-Autologin and Testfire-SessionValidate .

Disable then enable both the macro(Only disabled shown)

15. Now resend the request and check the response tab, which renders Sign OFF. This proves that application is authenticated automatically.

Authenticated login

Now perform the crawling and audit from the Burp Suite by adding scope in the target.

How it Works:

Here, the first macro sign in the application using valid login request with credentials. This macro is used to sign in automatically.
The second part where session validation is performed is to validate if session is validate for specific endpoints and also in case of invalid sessions it re-runs the login Macro.

Reference:

will guide you through automating the login process with CSRF in the Login request for DVWA. .

Sr. Security Engineer | DevSecops | Cloud Security | Linux Administrator | Threat Hunter