Burp Suite: Modify Cookie Values

TL;DR

This guide shows you how to change cookie values in Burp Suite to test application behaviour with different data.

Changing Cookie Values in Burp Suite

  1. Intercept the Request: First, make sure you’re intercepting traffic. Go to Proxy > Options and ensure Intercept is turned on (the ‘Intercept’ button should be highlighted). Browse to the page where the cookie you want to change is set.
  2. Find the Cookie in the Repeater: Once the request containing the cookie hits Burp, send it to Repeater. Right-click the request in Proxy History and select “Send to Repeater”.
  3. Locate the Cookie Header: In Repeater, find the Cookie header within the request details. It will look something like this:
    Cookie: sessionid=abcdefg12345; othercookie=value
  4. Edit the Cookie Value: Double-click on the value of the cookie you want to modify directly in Repeater’s request pane. Change it to your desired new value.

    For example, change sessionid=abcdefg12345 to sessionid=xyz987654321.

  5. Forward the Modified Request: Click “Go” (or press Ctrl+R) in Repeater to send the modified request to the server.
  6. Observe the Response: Check the response from the server. Look for any changes in behaviour, error messages, or different content that indicate your cookie modification had an effect.
  7. Repeat as Needed: Repeat steps 4 and 5 with different cookie values to thoroughly test the application’s security and functionality.

Advanced Tips

  • Multiple Cookies: You can modify multiple cookies in a single request within Repeater. Just edit each value as needed.
  • Encoding Issues: If you encounter problems, ensure your new cookie values are properly URL-encoded if they contain special characters (spaces, etc.). Burp Suite usually handles this automatically, but it’s worth checking.
  • Scope Considerations: Be aware of the scope of the cookie. Some cookies are only valid for specific paths or domains. Ensure your modifications align with the intended scope.
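To check what the Encoding Issues and Multiple Cookies tips produce before pasting a header into Repeater, the following added example (not part of the original guide) rewrites one or more values in a raw Cookie header. The function names are hypothetical, and the example assumes the application percent-decodes cookie values.

```python
from urllib.parse import quote

# Characters RFC 6265 allows unescaped in a cookie value, minus '%' so that a
# literal percent sign is always written as %25. Letters and digits are always safe.
COOKIE_SAFE = "!#$&'()*+-./:<=>?@[]^_`{|}~"


def parse_cookie_header(header):
    """Split a raw 'Cookie: a=1; b=2' request header into ordered (name, value) pairs."""
    body = header.strip()
    if body.lower().startswith("cookie:"):
        body = body[len("cookie:"):]
    pairs = []
    for part in body.split(";"):
        part = part.strip()
        if not part:
            continue
        # Split on the first '=' only: values such as base64 may contain '='.
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def set_cookies(header, changes):
    """Return the header with every cookie named in `changes` replaced.

    New values are percent-encoded (assumption: the server decodes them);
    cookies that are not named keep their original bytes and position.
    """
    pairs = parse_cookie_header(header)
    missing = set(changes) - {name for name, _ in pairs}
    if missing:
        # A typo in the cookie name would otherwise send an unmodified request.
        raise KeyError(f"cookie(s) not in request: {sorted(missing)}")
    rebuilt = []
    for name, value in pairs:
        if name in changes:
            value = quote(changes[name], safe=COOKIE_SAFE)
        rebuilt.append(f"{name}={value}")
    return "Cookie: " + "; ".join(rebuilt)


if __name__ == "__main__":
    # Sample header taken from step 3 of this guide.
    original = "Cookie: sessionid=abcdefg12345; othercookie=value"
    print(set_cookies(original, {"sessionid": "xyz987654321"}))
    print(set_cookies(original, {"othercookie": "two words; 100%"}))
```

A space, semicolon or percent sign in a new value would otherwise split or corrupt the header, which is the usual cause of a modified request behaving as if the cookie were missing.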