How to do it...

  1. Navigate to the Login page in Mutillidae. Log into the application as username ed with password pentest.
  2. Immediately log out of the application by clicking the Logout button and make sure the application confirms you are logged out.
  3. Switch to the Burp Proxy HTTP history tab. Look for the logout request you just made along with the subsequent, unauthenticated GET request. Select the unauthenticated request, which is the second GET. Right-click and send that request to Repeater, as follows:

  4. Switch to Burp Repeater, then click the Go button. On the Render tab of the response, ensure you receive the Not Logged In message. We will use this scenario to build a session-handling rule that detects the unauthenticated session and turns it into an authenticated one, as follows:

  5. Switch to the Burp Project options tab, then the Sessions tab, and click the Add button under the Session Handling Rules section, as follows:

  6. After clicking the Add button, a pop-up box appears. Give your new rule a name, such as LogInSessionRule, and, under Rule Actions, select Run a macro, as follows:

  7. Another pop-up box appears, which is the Session handling action editor. In the first section, under Select macro, click the Add button, as follows:

  8. After clicking the Add button, the macro editor appears along with another pop-up, the Macro Recorder, as follows:

Note: A bug exists in 1.7.35 that disables the Macro Recorder. Therefore, if the recorder does not appear after clicking the Add button, upgrade Burp to version 1.7.36 or higher.

  9. Inside the Macro Recorder, look for the POST request where you logged in as Ed as well as the following GET request. Highlight both of those requests within the Macro Recorder window and click OK, as follows:

  10. The two requests highlighted in the previous dialog box now appear inside the Macro Editor window. Give the macro a description, such as LogInMacro, as follows:

  11. Click the Configure item button to validate that the username and password values are correct. Click OK when done, as follows:

  12. Click OK to close the Macro Editor. You should see the newly created macro in the Session handling action editor. Click OK to close this dialog window, as follows:

  13. After closing the Session handling action editor, you are returned to the Session handling rule editor, where the Rule Actions section is now populated with the name of your macro. Click the Scope tab of this window to define which tool will use this rule:

  14. On the Scope tab of the Session handling rule editor, uncheck the other boxes, leaving only Repeater checked. Under URL Scope, click the Include all URLs radio button. Click OK to close this editor, as follows:

  15. You should now see the new session-handling rule listed in the Session Handling Rules window, as follows:

  16. Return to the Repeater tab where you were previously not logged in to the application. Click the Go button to reveal that you are now logged in as Ed! This means your session-handling rule and associated macro worked:
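The rule built above has three parts: detect that a response is unauthenticated, run the recorded login macro, and replay the original request with the refreshed cookie jar. The following Python script is an added example, not code from the Burp Suite Cookbook or from Mutillidae; it re-implements that logic against a constructed in-process stand-in for the lab application so it runs offline. The page names (/login.php, /logout.php, /index.php), the PHPSESSID cookie name and the form field names are assumptions chosen to resemble a PHP app; the Not Logged In marker and the ed/pentest lab credentials are the ones the recipe uses.

```python
"""Added example (not from the cookbook): a session-handling rule in miniature.
Detect the logged-out marker, run the recorded login macro, replay the request."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LOGGED_OUT_MARKER = "Not Logged In"   # the string the Repeater response showed


@dataclass
class Response:
    status: int
    body: str
    set_cookie: Optional[str] = None  # "PHPSESSID=<id>" when the server issues a session


class FakeMutillidae:
    """Constructed in-process stand-in for the lab app's login/logout pages.
    Paths and the cookie name are assumptions; only what the recipe exercises is modelled."""

    def __init__(self, users: Dict[str, str]):
        self.users = users          # username -> password (lab credentials)
        self.sessions: Dict[str, str] = {}   # session id -> username

    def handle(self, method: str, path: str, cookies: Dict[str, str],
               form: Optional[Dict[str, str]] = None) -> Response:
        sid = cookies.get("PHPSESSID")
        if method == "POST" and path == "/login.php":
            form = form or {}
            if self.users.get(form.get("username", "")) == form.get("password"):
                sid = secrets.token_hex(16)
                self.sessions[sid] = form["username"]
                return Response(302, "", set_cookie=f"PHPSESSID={sid}")
            return Response(200, "Bad credentials")
        if method == "GET" and path == "/logout.php":
            # Server-side invalidation: the client still holds the now-useless cookie
            self.sessions.pop(sid, None)
            return Response(200, "Logged out")
        user = self.sessions.get(sid) if sid else None
        if user is None:
            return Response(200, LOGGED_OUT_MARKER)
        return Response(200, f"Logged In User: {user}")


class SessionHandlingRule:
    """Mirrors the Burp rule: each response is checked for the logged-out marker;
    on a hit the recorded macro runs and the original request is replayed once."""

    def __init__(self, app: FakeMutillidae, macro: List[Tuple[str, str, Optional[dict]]]):
        self.app = app
        self.macro = macro            # recorded steps: (method, path, form)
        self.cookies: Dict[str, str] = {}   # the cookie jar the macro updates
        self.macro_runs = 0

    def _raw(self, method: str, path: str, form: Optional[dict] = None) -> Response:
        resp = self.app.handle(method, path, self.cookies, form)
        if resp.set_cookie:           # harvest Set-Cookie like Burp's cookie jar does
            name, value = resp.set_cookie.split("=", 1)
            self.cookies[name] = value
        return resp

    def run_macro(self) -> None:
        self.macro_runs += 1
        for method, path, form in self.macro:
            self._raw(method, path, form)

    def send(self, method: str, path: str, form: Optional[dict] = None) -> Response:
        resp = self._raw(method, path, form)
        if LOGGED_OUT_MARKER in resp.body:
            self.run_macro()
            resp = self._raw(method, path, form)
            if LOGGED_OUT_MARKER in resp.body:   # macro misconfigured (bad creds, wrong steps)
                raise RuntimeError("macro ran but the session is still unauthenticated")
        return resp


def demo() -> Tuple[str, int]:
    """Replays the recipe: log in as ed, log out, then issue the unauthenticated GET
    and let the rule recover. Returns (final response body, number of macro runs)."""
    app = FakeMutillidae({"ed": "pentest"})
    macro = [("POST", "/login.php", {"username": "ed", "password": "pentest"}),
             ("GET", "/index.php", None)]   # the POST + following GET recorded in the macro
    rule = SessionHandlingRule(app, macro)
    rule.send("POST", "/login.php", {"username": "ed", "password": "pentest"})
    rule.send("GET", "/logout.php")          # the server drops the session
    resp = rule.send("GET", "/index.php")    # rule sees Not Logged In, runs macro, replays
    return resp.body, rule.macro_runs


if __name__ == "__main__":
    print(demo())   # ('Logged In User: ed', 1)
```

Two details carry over to real Burp usage: the rule only fires when the marker is actually in the response, so if the application changes its logged-out page text the rule silently stops working, and the replay is done once so a macro that never produces a valid session fails loudly instead of looping.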
