Ionut Gavrilut

DevOps Enthusiast | Linux System Administrator | Certified Jenkins Engineer

Test Session Timeout with Burp Suite (with Example)

First of all, you need to be familiar with Burp Proxy (and with Burp Repeater, to test the behaviour manually); Burp Suite Community Edition should be enough.

  • Set up the proxy in your browser to point to Burp Suite. Configure your favourite browser with the proxy properties (IP and port) that Burp Suite is listening on by default.
  • Check the application behaviour. Navigate through your website and see what happens when you lose the session. In some cases, when you access a URL such as /account with an expired session, the request should respond with a 302 redirect to /login. (This is just an example; you need to make it work for your case.) Once you have this winning request and know how it behaves, you can set up your Session Timeout Test.

  • Right-click on this request and select “Test for Session Timeout”. You need to complete 4 fields. Example values:
    String to match: 302 Found
    Minimum Session Duration: 1
    Maximum Session Duration: 35
    Interval: 1

Result: Session timeout detected: 3 minutes

If you already know the session timeout/stickiness and just want to verify it, you can change these values so that you do not have to wait as long.
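
The probing loop behind the four fields above can be sketched in a few lines of Python; this is an added example, not code from the original post or from the Burp extension. The names `http_probe`, `find_session_timeout` and `SimulatedApp` are hypothetical, and the cookie-based session and the sliding (idle) timeout are assumptions.

```python
import time
import urllib.error
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow the redirect; let the 302 surface as HTTPError


def http_probe(url, cookie):
    """Send one GET with the session cookie (assumed); return e.g. '302 Found'."""
    req = urllib.request.Request(url, headers={"Cookie": cookie})
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=10) as r:
            return f"{r.status} {r.reason}"
    except urllib.error.HTTPError as err:
        return f"{err.code} {err.reason}"


def find_session_timeout(probe, match, minimum, maximum, interval, sleep=time.sleep):
    """Return the first idle period in minutes after which `match` appears, or None."""
    if match in probe():
        raise ValueError("session is already invalid before the test starts")
    idle = minimum
    while idle <= maximum:
        sleep(idle * 60)   # stay idle: any request in this window resets a sliding timeout
        if match in probe():
            return idle
        idle += interval   # the probe itself refreshed the session, so wait longer next time
    return None


class SimulatedApp:
    """Constructed stand-in for an app with a sliding idle timeout (default 3 minutes)."""
    def __init__(self, timeout_minutes=3):
        self.timeout, self.now, self.last_seen = timeout_minutes * 60, 0, 0

    def sleep(self, seconds):
        self.now += seconds  # advance a fake clock instead of really waiting

    def probe(self):
        if self.now - self.last_seen >= self.timeout:
            return "302 Found"   # session expired: redirect to /login
        self.last_seen = self.now
        return "200 OK"
```

Against a real application, pass `lambda: http_probe(url, cookie)` as `probe` and keep the default `sleep`. The browser must stay off the site during the run, because any other request with the same session resets the idle timer.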