IHA089 Toolkit: Authentication Testing / Session Management Testing
Burp Session Fuzzer
burp-session-fuzzer is a Burp extension that automates session fixation tests by manipulating cookies and tokens across requests, detecting reuse or weak regeneration in auth flows. Install it via the BApp Store, select scopes, and run fuzz sessions to diff responses on session IDs. Open-source from PortSwigger, it's the session shaker for pentesters probing fixation flaws inline.
Session Hijacker
session-hijacker is a Python script for testing session cookie security, swapping JSESSIONID or PHPSESSID values to check for hijackability and logout enforcement in web apps. Run it through proxies or against direct endpoints, logging valid hijacks for reports. Open-source from the community, it's the cookie crook for auditors templating hijacking simulations.
Token Fuzzer
token-fuzzer mutates session tokens such as CSRF tokens or auth bearer tokens with bit flips and increments, validating regeneration and expiry handling in API responses. Configure it via the CLI with wordlists and run it against sessions for anomaly detection. Open-source from frikilnik, it's the token tamperer for API pentesters fuzzing state management weaknesses.
Session Management Tester
session-management-tester is a framework for OWASP session checks, automating fixation, timeout, and logout tests with custom payloads for comprehensive auth audits. Define scenarios in YAML and execute them via Python for pass/fail verdicts with traces. Open-source from OWASP, it's the session sentinel for web security pros templating management validations.
Cookie Fuzz
cookie-fuzz is a Burp extension for fuzzing cookie values and attributes, testing for fixation or poisoning with response analysis for session leaks. Load it in Burp, select cookies, and mutate them with dictionaries to flag anomalies. Open-source from PortSwigger, it's the cookie chaos for pentesters stressing session integrity.
Auth Session Checker
auth-session-checker validates the session lifecycle with automated login/logout cycles, detecting persistent sessions or weak invalidation in stateful apps. Script tests in Python and run them against endpoints for timeout reports. Open-source from security-research, it's the lifecycle logger for analysts verifying session hygiene.
CSRF Token Tester
csrf-token-tester probes for predictable or missing tokens in forms, fuzzing anti-CSRF parameters to validate uniqueness and enforcement in session flows. Run it via the CLI against sites, simulating cross-site requests for bypass checks. Open-source from the community, it's the token tester for web pentesters templating CSRF defenses.
Session Timeout Fuzzer
session-timeout-fuzzer simulates idle sessions with timed requests, measuring expiry and renewal to detect infinite or lax timeouts in auth configs. Configure intervals via script, logging renewal failures for reports. Open-source from frikilnik, it's the idle inspector for pentesters auditing session persistence.
Logout Verifier
logout-verifier tests post-logout access with replayed tokens, checking for proper invalidation and redirect enforcement in session termination flows. Run the Python CLI against endpoints for verification traces. Open-source from OWASP, it's the exit examiner for security teams ensuring clean session closures.
Session Fixation Tester
session-fixation-tester crafts pre-auth sessions and checks for post-login reuse, detecting fixation vulnerabilities through cookie manipulation in auth handshakes. Script attacks in Go, targeting forms for response diffs. Open-source from the community, it's the fixation fixer for auditors templating session binding tests.