Test Session Timeout with Burp Suite (with Example)
First of all, you need to get familiar with Burp Proxy (and with Burp Repeater, to test the behaviour manually); Burp Suite Community Edition should be enough.
- Set up the proxy in your browser to point to Burp Suite
Burp Suite listens on 127.0.0.1:8080 by default, so you need to set these proxy properties (IP and port) in your favourite browser.
- Check the application behaviour
Navigate through your website and observe what happens when you lose the session. In some cases, when you access a URL such as /account with an expired session, the request is answered with a 302 redirect to /login. (This is just an example; you need to adapt it to your application.) Once you have this winning request and know how it behaves, you can set up your Session Timeout Test.
- Right click on this request and select “Test for Session Timeout”
You need to complete 4 fields:
Example of use (durations and interval are in minutes):
- String to match: 302 Found
- Minimum Session Duration: 1
- Maximum Session Duration: 35
- Interval: 1
Result: Session timeout detected: 3 minutes
If you already know the session timeout/stickiness and just want to verify it, you can change these properties to other values so you do not have to wait as long.
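To make the mechanics concrete, here is an added Python sketch of what such a probe does with the four fields above. It is not the extension's code: the target application is a constructed stand-in with a 3-minute idle timeout, time is simulated instead of waited for, and the strategy of one fresh login followed by a single probe per candidate duration is an assumption (repeatedly probing one idle session would itself refresh a sliding timeout and hide the real value).

```python
from typing import Optional


class FakeApp:
    """Constructed stand-in for the target (not the extension's code): the
    session is valid for `timeout_min` minutes after the last authenticated
    request, i.e. an idle (sliding) timeout."""

    def __init__(self, timeout_min: int):
        self.timeout_min = timeout_min
        self.last_seen: Optional[float] = None

    def login(self, now: float) -> None:
        self.last_seen = now

    def get_account(self, now: float) -> str:
        # Expired (or never logged in): the /account request is redirected.
        if self.last_seen is None or now - self.last_seen >= self.timeout_min:
            return "HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n"
        self.last_seen = now  # a valid request refreshes the idle timer
        return "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<account>"


def detect_session_timeout(app: FakeApp, match: str, min_dur: int,
                           max_dur: int, interval: int) -> Optional[int]:
    """Return the smallest tested idle duration (minutes) whose probe response
    contains `match`, or None if the session still holds at `max_dur`.

    Candidates run from min_dur to max_dur in steps of `interval`, so the
    answer is only as precise as the interval. Each candidate gets a fresh
    login and exactly one probe after idling; the clock is simulated.
    """
    if interval < 1:
        raise ValueError("interval must be at least 1 minute")
    clock = 0.0
    for idle in range(min_dur, max_dur + 1, interval):
        app.login(clock)          # fresh authenticated session
        clock += idle             # idle for the candidate duration
        response = app.get_account(clock)
        if match in response:
            return idle
    return None


def report(result: Optional[int]) -> str:
    if result is None:
        return "No session timeout detected within the maximum duration"
    return f"Session timeout detected: {result} minutes"


if __name__ == "__main__":
    print(report(detect_session_timeout(FakeApp(3), "302 Found", 1, 35, 1)))
```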