Manually setting a cookie for Burp's Crawl and Audit

In some instances, usually involving authentication, it is necessary to manually set a cookie for use with Burp's automated tools. To do this, you'll need to create a session handling rule using the "Set a specific cookie or parameter value" function. This action updates the request and sets a specific value in a named parameter or cookie. If it is not already present, you can specify the type of parameter that should be added.

Using_ManualCookie_1

First, perform the login process and monitor the process in the HTTP history tab.

Using_ManualCookie_2

Go to Project options > Sessions and open the cookie jar.

Using_ManualCookie_3

Use the Edit cookie function to view the cookie name and value.

Leave this pop up window open to allow easy access to this information.

Using_ManualCookie_3

Use the Edit cookie function to view the cookie name and value.

Leave this pop up window open to allow easy access to this information.

Using_ManualCookie_4

Next, go to Project options > Sessions and use the Add function to create a new rule.

 

Using_ManualCookie_5

Rename the rule and set a rule action.

Click the "Set a specific cookie or parameter value" option.

Using_ManualCookie_6

This will open the "Session handling action editor".

Copy and paste the name and value of the cookie from the Cookie editor.

Optionally, you can use ensure the cookie is added if it is not already present.

Using_ManualCookie_7

Each rule comprises a scope (what the rule applies to).

The scope for each rule can be defined based on any or all of the following features of the request being processed; the Burp tool that is making the request, the URL of the request, the names of parameters within the request.

 

Using_ManualCookie_11

To test the rule functions correctly, you can send request that requires authentication to Burp Repeater.

 

 

Using_ManualCookie_8

In Repeater, remove the cookie and use the "Go" button to send the request to the server.

 

 

Using_ManualCookie_9

The rule will add the cookie to the request automatically.

 

 

Using_ManualCookie_10

Now, when you perform a scan, the cookie will be added to each request.

We've used the Logger++ extension to observe this behavior.