the-web-application-hackers-handbook

604 Chapter 14 n Automating Customized Attacks
Figure 14-10: The Burp Suite cookie jar
In itself, the cookie jar does not actually do anything, but the key values it tracks
can be used within the other components of Burp’s session-handling support.
Request Macros
A macro is a predefined sequence of one or more requests. Macros can be used
to perform various session-related tasks, including the following:
n Fetching a page of the application (such as the user’s home page) to check
that the current session is still valid
n Performing a login to obtain a new valid session
n Obtaining a token or nonce to use as a parameter in another request
n When scanning or fuzzing a request in a multistep process, performing
the necessary preceding requests to get the application into a state where
the targeted request will be accepted
Macros are recorded using your browser. When defining a macro, Burp displays
a view of the Proxy history, from which you can select the requests to be
used for the macro. You can select from previously made requests, or record the
macro afresh and select the new items from the history, as shown in Figure 14-11.
For each item in the macro, the following settings can be configured, as shown
in Figure 14-12:
n Whether cookies from the cookie jar should be added to the request
n Whether cookies received in the response should be added to the cookie jar
n For each parameter in the request, whether it should use a preset value
or a value derived from a previous response in the macro