4 min read

This is a step by step guide on how to make a simple login macro for Portswigger's Burp Suite. In the demo I will use a real world application (Wordpress v3.8.1) to demonstrate how to do this.

First step is to setup your proxy and login to the application.

After logging into the application go to the Options tab and click on Sessions. At the bottom of the page you will see Macros.

Click Add. Next we will see the Macro Recorder. Create a name for the macro, I chose "Login". Choose the POST where you logged in during hte first step.

As you can see in the POST, I chose a super secure password for my admin account (Don't ever do that.). Select the login POST and click OK. Next we will choose Configure item.

In some cases, you may want it to ignore any cookies that were submitted before, so as to not interfere with the login process. Here I will uncheck the option "Use cookies from the session handling cookie jar in requests." Click OK.

Next we will test our new login macro to ensure that it gets a 302 Response and that the cookies are being set properly. So click Test Macro in the Macro Editor.

Check to make sure you got the expected Status Code in this case a 302, and check the Response tab to ensure we have our cookies set.

Click OK. To go back to the Macro Editor. Now you should see a macro displayed in the Macros box.

Next we need to determine how the application responds when we request a page that requires authentication.

In Wordpress if you go to /wp-admin/ the application will require you to be authenticated or it will redirect you back to the wp-login.php page. To test we will remove all of our authenticated cookies and intercept the request for /wp-admin/ and observe what happens.

As you can see in the screenshot above, I was given a status code of 302 and was redirected back to wp-login.php This will help us set up the validation check in the next step.

Go back to Options --> Sessions and click Edit on the Enabled option "Use cookies from the session handling cookie jar".

In Rule Actions click add "Check session is valid" To check if our session is valid we want to choose "URL of redirection target" since we got a 302 before and we want to look for the expression "wp-login.php" it is ok to just leave the default here as "login". The next part is what does this match indicate? In our demo application this indicates that the session is invalid if we get a 302 response and it redirects us to "wp-login.php",so choose "Match indicates: Invalid session". Next check the box "If session is invalid, perform the action below", and select your macro from the list. Click OK to go back to the Session handling rule editor.

Next we want to test our macro, so to do that we will modify the scope of the session handling rules. Check Proxy just for the test. Click Ok.

Next clear the cookies in the cookie jar, click the button Open cookie jar and empty cookie jar. Clear the cookies from your browser.

Last we will test by going directly to the authenticated section of the site "/wp-admin/" if the macro works we should get a 200 Status code and the page should come up.

In the screenshot, you can see it did come up and we did get a 200 Status code as expected so the macro is working. Now you can go back and define the scope of your macro in the Session handling rules under the sessions tab. If you are using the Pro version and using active scan you would want to check the Scanner box and if you also use some of the new plugins, (such as Active Scan++) Extender might need to be checked as well.

I hope this helped. This method does not cover every type of authentication scenario. In multi-step authentication scenarios you would need to modify some of the steps in order to get the macro to work properly.

Charlie Campbell

Read more posts by this author.