After this lesson, you will be able to: Inspect and modify HTTP requests with BurpSuite, and identify common cookie and session security issues.
Sessions are how a website 'remembers' you across requests. Almost every account-takeover bug begins with a session weakness. BurpSuite is the universal tool for inspecting and editing HTTP traffic, every web pen tester uses it.
When you log in, the server creates a session and gives you a session ID, usually in a cookie. Every later request includes that cookie, and the server uses it to look up 'who is this and what can they do?'. If an attacker steals the session ID, they're you, no password needed.
HttpOnly. JavaScript can't read it (prevents XSS-based theft). Secure, only sent over HTTPS (prevents network sniffing). SameSite=Lax/Strict, cookie isn't sent on cross-site requests (prevents CSRF). Domain and Path, limit cookie scope. Missing any of these on a session cookie is a vulnerability.
BurpSuite is free for non-commercial use. Set up the proxy to view traffic.
Download BurpSuite Community Edition
Launch and start the embedded browser
Navigate to a site you have permission to test (TryHackMe target, your own dev app)
Go to the Proxy tab → HTTP history
Find a request with a session cookie
Forward to Repeater and modify the cookie to see how the server reacts
Predictable session IDs (sequential numbers, try the next one). Session fixation (attacker sets the victim's session ID before they log in). Missing logout invalidation (server doesn't actually delete the session). Long-lived tokens with no rotation (one stolen cookie = forever-access). All of these have caused real account-takeover incidents.
Pick the cleanest answer.
Sign in and purchase access to unlock this lesson.