malerisch / burp-csj

BurpCSJ extension for Burp Pro - Crawljax Selenium JUnit integration
MIT License
33 stars 11 forks

The "Use Burp Cookie Jar" option is not working #1

Closed cybernot closed 10 years ago

cybernot commented 11 years ago

I'm testing burp-csj for the first time and I want to access one URL behind a login form. However, burp-csj is not sending any cookies (I can see the cookie in the cookie jar and I can see Burp Scanner sending them). I recorded the transaction with Fiddler and I can see a couple of requests (then Crawljax stops), and no request has the cookie. What could cause that?

I have Burp Suite Pro 1.5.16.

malerisch commented 11 years ago

Hi,

What browser did you set to crawl with Crawljax? Also, please check under Alerts what the reason is when Crawljax stops. Is the web site over HTTP or HTTPS?

Normally, what happens is that the browser will do a request without cookies - this is because the Selenium driver cannot set cookies for arbitrary domains. So the browser will "get" the domain first, and then in the second request it should set the cookies which are in the Burp cookie jar. This means you should see the first request as "not authenticated" and then it should be "authenticated".

cybernot commented 11 years ago

Hi,

Here are the answers to your questions:

- I'm using Firefox (22.0).
- Under Alerts: "Reason:Exausted"
- The site is HTTPS.

The problem here is that the first request (to domain A) redirects the browser to another domain (domain B), since the authentication is not done on A but on B. After that first redirect, I can see the browser exploring domain B and never returning to the original domain A.


malerisch commented 11 years ago

Ok, from what you say it seems that Crawljax is started against domain A and then stops after following the redirection to domain B. This might be due to this new update: https://github.com/crawljax/crawljax/issues/328, even though I'm not 100% sure.

Try this: start crawljax directly against domain B having the right cookie / session tokens in the Burp cookie jar and see how it goes. If it still stops, you might consider playing a bit with the crawling options and see if it makes a difference.

cybernot commented 11 years ago

I will try it, but I'm not sure you understood that I don't care about crawling B; I want to crawl A only.


malerisch commented 11 years ago

Hey, ok, got you - so did you start Crawljax against domain A or B?

If you start Crawljax against domain X, it would only crawl domain X - if there are links to domain Y or a redirection to other domains (external URLs), then it should not go there (see that link: https://github.com/crawljax/crawljax/issues/328).

Also, if cookies are set on domain B and Crawljax has been started on domain A, then cookies of domain B would not be set on domain A, because of a Selenium WebDriver limitation - see: http://docs.seleniumhq.org/docs/03_webdriver.jsp#cookies

One thing you can also do is start Burp Pro via the command line (java -jar burppro...) and paste the stdout debug output of BurpCSJ. If something goes wrong, the stack trace will be printed out there.

Hope this helps.
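The two-request pattern malerisch describes (unauthenticated GET, then install the jar cookies for the origin the browser is now on, then GET again) and the redirect-to-domain-B failure mode cybernot reports can be made concrete in code. The following is an added example, not BurpCSJ's own code: it models a Burp-style cookie jar as constructed `JarCookie` records, applies RFC 6265 domain matching, and drives a `RecordingDriver` stand-in that exposes only the `get` / `add_cookie` / `current_url` surface that Selenium's Python `WebDriver` also has, so it runs without a browser. The redirect map in the stand-in and all cookie values are constructed for the demonstration.

```python
"""
Seed a WebDriver-style browser from a Burp-like cookie jar, one origin at
a time.  WebDriver only accepts cookies for the domain the browser is
currently on, so a crawler must GET the target first (unauthenticated),
install the cookies that match where it landed, then GET again.  Cookies
scoped to the original target (A) are stranded if the first GET was
redirected to an SSO host (B).
"""
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse


@dataclass(frozen=True)
class JarCookie:
    """Minimal model of one entry in Burp's cookie jar (constructed)."""
    domain: str
    name: str
    value: str
    path: str = "/"
    secure: bool = False


def domain_matches(cookie_domain: str, host: str) -> bool:
    """RFC 6265 5.1.3: host equals the cookie domain or is a subdomain
    of it; a leading dot on the cookie domain is ignored."""
    cd = cookie_domain.lower().lstrip(".")
    host = host.lower()
    return host == cd or host.endswith("." + cd)


def cookies_for(jar: List[JarCookie], url: str) -> List[JarCookie]:
    """Jar cookies the browser may hold for this URL: domain must match
    and Secure cookies require an https origin."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    https = parsed.scheme == "https"
    return [c for c in jar
            if domain_matches(c.domain, host) and (https or not c.secure)]


class RecordingDriver:
    """Stand-in for selenium.webdriver.Firefox() (constructed for this
    example).  `redirects` maps a requested URL to the URL the browser
    ends up on, imitating a 302 to an SSO host."""
    def __init__(self, redirects: Dict[str, str] = None):
        self.redirects = redirects or {}
        self.calls = []
        self.current_url = None
        self.cookies = []

    def get(self, url: str) -> None:
        self.calls.append(("get", url))
        self.current_url = self.redirects.get(url, url)

    def add_cookie(self, cookie: dict) -> None:
        self.calls.append(("add_cookie", cookie["name"]))
        self.cookies.append(cookie)


def seed_session(driver, jar: List[JarCookie], start_url: str) -> dict:
    """Request 1 without cookies, install cookies for the origin we
    actually landed on, request 2 with them.  Also reports cookies that
    matched the start host but cannot be installed because a redirect
    moved the browser to another domain."""
    driver.get(start_url)                      # request 1: no cookies yet
    landed = driver.current_url                # differs after a redirect
    usable = cookies_for(jar, landed)
    for c in usable:
        driver.add_cookie({"name": c.name, "value": c.value,
                           "domain": c.domain, "path": c.path,
                           "secure": c.secure})
    driver.get(landed)                         # request 2: cookies now sent
    stranded = [c.name for c in cookies_for(jar, start_url)
                if c not in usable]
    return {"landed": landed,
            "installed": [c.name for c in usable],
            "stranded": stranded}
```

With a real driver the `driver` argument is simply a Selenium `WebDriver` instance; the stand-in exists so the sequence of calls and the per-origin cookie filter can be inspected offline. When the start URL is redirected to the SSO host, `installed` contains only cookies scoped to that host (or to a parent domain shared by both) and `stranded` lists the application session cookie that WebDriver could not set while the browser was sitting on the other domain, which is exactly why the crawl starts and stays unauthenticated in that scenario.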

cybernot commented 11 years ago

I started against A but it went to B following a redirection. As soon as I have a minute I'll output debug info.

Thanks for the quick help by the way


glen999 commented 10 years ago

Hi

I am having this very same issue.

When there is no session cookie presented in a request to the web application server (A), it immediately redirects the browser to the SSO server (B), which presents a login page. Once logged in, the browser is given a webSSO token and presents it to the web application server (A) in order to receive the session cookie.

Is it possible to force crawljax to use the cookies for the target domain for the first request?

malerisch commented 10 years ago

Hi, a new version of BurpCSJ has just been released: http://bit.ly/burpcsj0-2

This includes a new version of Selenium and Crawljax and a fix for the cookie issue.

I also wrote a tutorial for BurpCSJ and authentication, which you might find helpful: http://blog.malerisch.net/2014/08/burpcsj-dealing-with-authentication.html

Please let me know if you still have issues with this latest release of BurpCSJ.