Extension Example 2: Custom Session Tokens

We will learn how the Burp Suite Extender API can be used to write an extension that modifies session-related information, here a session token that travels in a custom HTTP header rather than in a cookie.

This lesson comes with a demo server for testing the extension you develop. The application server code can be found here. Start it with node server.js; it listens on port 8000.

If we look at the server.js file, we notice that the session identifier travels in a custom header whose name is held in the SESSION_ID_KEY variable: X-Custom-Session-Id.

const http = require('http');

// The demo server listens on this port, so the Burp target is http://localhost:8000.
const PORT = 8000;

// Name of the custom header that carries the session token instead of a cookie.
// The Burp extension must read this header from the login response and add it to later requests.
const SESSION_ID_KEY = 'X-Custom-Session-Id';

In this exercise, the task is to capture the session token with a Burp macro and then attach it to every subsequent request. Burp's built-in session handling actions can update cookies and request parameters from a macro response, but not an arbitrary custom header, so the second step needs an extension.

Create a macro

A macro in Burp Suite is a predefined sequence of one or more HTTP requests that Burp issues on its own, usually from a session handling rule, before a request that a Burp tool is about to send. Once the macro has run, values taken from the response to its final request, such as a freshly issued session token, can be copied into the request that triggered the macro. Macros are defined in Burp's Sessions settings next to the session handling rules that invoke them.
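The following Python is an added example, not the lesson's extension code and not Burp's own implementation. It models the work a session-handling action does once the macro has run for this demo server: read the X-Custom-Session-Id header from the final macro response and set it on the request Burp is about to send, replacing any stale copy. The header name is taken from server.js; the HTTP messages in the block are constructed for the example, not captured from the server.

```python
"""Session-handling logic for a custom-header session token.

Added illustration of what a Burp session-handling action must do for the
demo server: take the token from the final macro response and copy it into
the current request. Sample messages below are constructed for the example.
"""

SESSION_ID_KEY = "X-Custom-Session-Id"  # header name used by the demo server.js


def _split_message(raw):
    """Split a raw HTTP message into (start line, [(name, value)], body).

    Only the head is parsed; the body bytes are passed through untouched so
    Content-Length and any binary payload stay valid.
    """
    for sep in (b"\r\n\r\n", b"\n\n"):
        head, found, body = raw.partition(sep)
        if found:
            break
    else:
        head, body = raw, b""
    lines = head.splitlines()
    start_line = lines[0] if lines else b""
    headers = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return start_line, headers, body


def extract_session_id(raw_response, header_name=SESSION_ID_KEY):
    """Return the token carried in the custom header, or None if absent.

    Header names are matched case-insensitively, as HTTP requires.
    """
    _, headers, _ = _split_message(raw_response)
    wanted = header_name.lower().encode()
    for name, value in headers:
        if name.lower() == wanted:
            return value.decode()
    return None


def inject_session_id(raw_request, session_id, header_name=SESSION_ID_KEY):
    """Return the request with the custom header set to session_id.

    An existing header of that name (a stale token) is removed first so the
    request never carries two copies; otherwise the header is appended.
    """
    start_line, headers, body = _split_message(raw_request)
    wanted = header_name.lower().encode()
    kept = [(n, v) for n, v in headers if n.lower() != wanted]
    kept.append((header_name.encode(), session_id.encode()))
    head = b"\r\n".join([start_line] + [n + b": " + v for n, v in kept])
    return head + b"\r\n\r\n" + body


def perform_action(current_request, macro_responses):
    """Model of the per-request step a session-handling action performs.

    Burp hands the action the request it is about to send plus the messages
    the macro produced; the token comes from the final macro response. If the
    macro produced no token (login failed, header renamed), the request is
    returned unchanged rather than sent with an empty header, which would
    otherwise disguise the failure as an ordinary unauthenticated request.
    """
    if not macro_responses:
        return current_request
    token = extract_session_id(macro_responses[-1])
    if token is None:
        return current_request
    return inject_session_id(current_request, token)


# Constructed sample traffic for the demo server (not captured from it).
MACRO_LOGIN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"X-Custom-Session-Id: 5f3c9b1e\r\n"
    b"Content-Length: 2\r\n"
    b"\r\n"
    b"ok"
)

STALE_REQUEST = (
    b"GET /profile HTTP/1.1\r\n"
    b"Host: localhost:8000\r\n"
    b"X-Custom-Session-Id: deadbeef\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(perform_action(STALE_REQUEST, [MACRO_LOGIN_RESPONSE]).decode())
```

In a real Burp extension written against the legacy Extender API, this is the logic that goes into ISessionHandlingAction.performAction(currentRequest, macroItems), registered with callbacks.registerSessionHandlingAction: the final macro response is macroItems[-1].getResponse(), and the rewritten bytes are written back with currentRequest.setRequest(). The check for a missing token matters in practice, because a macro whose login silently fails would otherwise keep stripping the old header and every tool request would fail with an unhelpful 401.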
