Test Session Timeout with Burp Suite

2019, Mar 21

Session timeout is caused by user inactivity and is associated with some vulnerabilities, and/or user experience problems.

Some interesting readings about Session Management:

You can test the timeout of a session by sending requests every couple of minutes and analyzing the response.

In order to do this, I use Burp Suite Community Edition and Session Timeout Test extension.

Install Burp Suite Community Edition

Burp Suite is a great tool for pentesting web applications, created by PortSwigger.

Notice that the Intercept is On, so you may want to untick that until you complete the setup. Intercept is on

Set Burp proxy in your browser

Choose a browser (I use Firefox for this), and set up a proxy to 127.0.0.1:8080 (Burp Suite, default).

In Firefox, you can set it by typing about:preferences#general in URL bar, and then going to Network Settings.

Or you can use an extension for this. I recommend FoxyProxy (Firefox or Chrome). By using it, you can easily switch between browser proxies. FoxyProxy will look like this (after you configure the Burp proxy):

FoxyProxy demo

Install Burp's CA certificate in your browser

Burp Proxy is a traffic interceptor and acts like a proxy (of course). So every request goes through that proxy (In our case, Burp Proxy). If you are using it with HTTPS sites, you need to add the Burp's CA certificate in your browser, as a trusted root certificate. There is support to install the CA certificate for the most common browsers.

Make sure browser proxy is set to Burp Proxy. Before setup the CA certificate, test the connection to https://www.google.com. You should see Secure Connection Failed.

Now continue with Installing Burp's CA Certificate in your browser

If all goes well, you can access HTTPS web pages without any trouble.

Install Session Timeout Test extension

  • Open Extender - BApp Store - Search for Session Timeout Test, and Installing

BApp Store

  • If you want to see if you have this app installed, go to Proxy - HTTP History, and right click on any request. You should see "Test for Session Timeout"

Session test timeout dropdown

If you don't have any requests in the HTTP history, enable Intercept (Proxy tab - Intercept) and navigate a little bit.

Burp Suite Features

You already noticed the Burp Proxy. Every request going through it can be easily "changed".

I want to add that Burp Suite has lot of nice features to play with.

  • Repeater: If you take a request from HTTP history (or live, by intercepting it), and sending it to the Repeater, you can easily change some things (e.g. Headers, Cookies) and "repeat the request"
  • Intruder: I use this to brute force endpoints. It's very nice to customize the payloads. Although it's pretty limited in Community Edition.
  • Many other things, so worth playing with it

Test Session Timeout (finally)

Oh, the reason we are here.

What this extension does:

This extension attempts to determine how long it takes for a session to timeout at the server. It issues the same request multiple times with increasing delays until a configured string appears in the response.

To test the session timeout, you need to know how the application behaves when it invalidates the session.

Some hints:

  • Open your web application in browser.
  • Log in (create an account and log in)
  • Go to /my-account or /profile (make sure these requests are going through the Burp Proxy, no intercept necessary)
  • Find /my-account request in HTTP history and send it to the Repeater (Right Click - Send to Repeater)
  • Go to Repeater and "Send". Read the response (make sure it says you are logged in)

Now you can wait to invalidate your session and send again the same request with the Repeater, to see what happens (what's the response)

In my case, I found that the /my-account endpoint returns a 302. That was caused by a redirect to the /login page.

So if that is your case, get the /my-account request, right click on it, and click "Session Timeout Test". Configure with your information: Session Timeout Configuration

and start

Session Timeout Running

This process will be done when the response contains 302 Found, or when Maximum Session Duration is reached.

It will return "No timeout detected" or "Session timeout detected: 3 minutes", for example.

During this process, do not send any requests to the application (to have accurate results).

If you already know the session timeout and you just want to verify it, you can change these configuration (a bigger "Interval") to not wait that much.