
Question

I have been running scans on a few web applications that require a typical username and password to gain access to the website. I usually remain logged in through the browser my proxy is running through until the spidering of the website completes, but I was curious if that was necessary once I start actively scanning hosts with Burp's scanner. It appears that the cookie, session ID, etc. are already included in the request the scanner uses, but is there any reason that I would need to ensure that the browser the proxy is running through is still logged into the site while the scanner is running? Taking this one step further, is it required that I remain logged in during spidering, or does Burp save the cookie after I first authenticate?

Explanation / Answer

Burp has some relatively complex options available for session handling, but in the basic case the scanner will use sessions from Burp's "cookie jar", so as long as it knows about a valid session ID it'll use it.

If you invalidate your sessions while the scanner is running (for example, by using logout functionality), then the scanner will likely stop working well on authenticated areas of the site (of course, assuming here that the logout actually invalidates the session on the server side).

However, if you just go to a different site without actively logging out, then Burp can continue to use the session tokens you had, for as long as they stay valid.

On some sites with aggressive timeouts this can be a problem, but you can use Burp's macro facilities to detect this kind of issue and re-login automatically.
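
The behaviour described in the answer, as a small offline simulation added here for illustration (it is not part of the original answer and does not use Burp's API). The `App` and `Scanner` classes, the credentials and the timeout are constructed, hypothetical stand-ins for a target site, a scanner with a cookie jar, and a re-login macro triggered by a session validity check.

```python
import secrets

class App:
    """Constructed stand-in for a target site with server-side sessions."""
    def __init__(self, idle_timeout=300):
        self.idle_timeout = idle_timeout
        self.sessions = {}                  # session id -> time of last use

    def login(self, user, password, now):
        if (user, password) != ("tester", "example-password"):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = now
        return sid

    def logout(self, sid):
        self.sessions.pop(sid, None)        # server-side invalidation

    def get(self, path, sid, now):
        last = self.sessions.get(sid)
        if last is None or now - last > self.idle_timeout:
            self.sessions.pop(sid, None)
            return 302, "/login"            # no valid session: bounce to login
        self.sessions[sid] = now            # activity refreshes the idle timer
        return 200, f"content of {path}"

class Scanner:
    """Holds its own cookie jar; optionally re-logs in when the session dies."""
    def __init__(self, app, relogin=False):
        self.app, self.relogin = app, relogin
        self.jar = {}
        self.logins = 0

    def run_login_macro(self, now):
        self.jar["session"] = self.app.login("tester", "example-password", now)
        self.logins += 1

    def request(self, path, now):
        status, body = self.app.get(path, self.jar.get("session"), now)
        # Validity check: a redirect to the login page means the session is gone.
        if self.relogin and (status, body) == (302, "/login"):
            self.run_login_macro(now)
            status, body = self.app.get(path, self.jar["session"], now)
        return status
```

The scanner's requests succeed for as long as the token in its jar is valid on the server, regardless of what the browser is doing; only logout or the idle timeout breaks them, and the validity check plus login macro recovers from either.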
