Determining the session timeout

When a user doesn't use an application for a certain amount of time, most applications will automatically log out the user and destroy their session.

To determine how long it takes for a session to timeout, you can use Burp Intruder to issue the same request multiple times with increasing delays. This enables you to test compliance with security standards that require applications to timeout within a specified period. A longer timeout gives an attacker more time to use or guess a session token.

Steps

You can follow along with the process below using ginandjuice.shop, our deliberately vulnerable demonstration site.

To determine the session timeout:

1. In Burp's browser, log in to your target website. If you're using ginandjuice.shop, the correct credentials are carlos:hunter2.
2. Go to Proxy > HTTP history. Identify a logged-in request and send it to Intruder.
3. Go to Intruder.
4. In the Payloads side panel, under Payload type, select Null payloads.
5. Under Payload configuration, select Continue indefinitely.
6. Click on the Resource pool tab to open the Resource pool side panel.
7. Select Create new resource pool.

8. In the resource pool settings, select Delay between requests, then Increase delay in increments of ___ milliseconds. Add a delay time.

   
9. Click Start attack. The attack starts running in a new dialog. Intruder repeatedly sends the requests, with an increasing delay between requests.
10. With the attack results dialog open, click Columns on the top-level menu and select Time of day. A Time of day column is added to the results table. Sort the results by this column.
11. Review the responses as the attack progresses. Identify the first request that indicates the session is invalid. For example, look for a redirection to a login page.
12. To determine the session timeout, identify the time difference between the logged-out request and the previous request.