the-web-application-hackers-handbook

608 Chapter 14 n Automating Customized Attacks
By creating multiple rules with different scopes and actions, you can define
a hierarchy of behavior that Burp will apply to different URLs and parameters.
For example, suppose you are testing an application that frequently terminates
your session in response to unexpected requests and also makes liberal use of
an anti-CSRF token called __csrftoken. In this situation you could define the
following rules, as shown in Figure 14-15:
n For all requests, add cookies from Burp’s cookie jar.
n For requests to the application’s domain, validate that the current session
with the application is still active. If it isn’t, run a macro to log back in to
the application, and update the cookie jar with the resulting session token.
n For requests to the application containing the __csrftoken parameter,
first run a macro to obtain a valid __csrftoken value, and use this when
making the request.
Figure 14-15: A set of session-handling rules to handle session termination and
anti-CSRF tokens used by an application