Session Switcher is a Burp Suite extension that allows you to easily save and switch the "session" (cookies and headers) of an HTTP request to a different one on the fly, tailored specifically for manual authorization testing.
The typical use case for Session Switcher is to replace cookies and headers in a request, such as in the Repeater or in the Proxy, with only a couple of clicks; the goal is to quickly check for vulnerabilities such as horizontal and vertical authorization issues and IDORs.
The first step to use the extension is to save some sessions. The primary way to do so is to select the request with the Cookies/Headers you want to save and click the New button in the Sessions tab of the Request Editor; the extension will automatically copy all cookies and (uncommon) headers from the request.
You can also manually create a Session using the New button in the extension's main tab, but it's far easier to start from an existing request.
Once you have at least one saved Session, you can use the session selector in the Session tab of the Request Editor to swap the session of any (editable) request, such as in the Repeater or in an intercepted request in the Proxy.
When you choose a Session from the list, the extension will swap the request's Cookies and Headers with the ones saved in the chosen Session. The buttons just under it will allow you to easily Edit or Delete the existing session, Update it from the current request (i.e. save the request's Cookies/Headers in the selected Session), or create a new one with the New button.
By default, the switcher only lists the sessions for the current request's domain. You can change this behavior in the settings.
The main Sessions tab lists all the sessions stored in the project file and allows you to manage them. From there, you can check and edit the contents of all the saved sessions.
With Auto Updates, you can set some rules that will track browser requests going through the Proxy to automatically keep Sessions up to date.
For example, you could create a rule that tracks all the requests containing the X-User: alice header and automatically updates the alice session whenever new Cookies/Headers are detected. This way you don't have to manually update the Sessions whenever a JWT expires or you log back into an app after a logout.
More complex conditions are also available; check the documentation for details.
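The save, swap and auto-update behaviour described above, modelled in Python as an added illustration (this is not the extension's code). The `COMMON_HEADERS` list, the rule tuple format, the host and all token values are assumptions made for the example.

```python
# Added illustration, not Session Switcher's code. COMMON_HEADERS is an assumed
# list; the extension's own definition of "uncommon" headers may differ.
COMMON_HEADERS = {"host", "user-agent", "accept", "accept-encoding",
                  "connection", "content-type", "content-length"}

# Constructed sample requests (hypothetical host, users and token values).
ALICE_REQ = ("GET /api/profile HTTP/1.1\r\nHost: shop.example\r\n"
             "Cookie: sid=alice-1\r\nX-User: alice\r\n"
             "Authorization: Bearer tok-a1\r\nAccept: */*\r\n\r\n")
BOB_REQ = ("GET /api/orders/1001 HTTP/1.1\r\nHost: shop.example\r\n"
           "Cookie: sid=bob-1\r\nX-User: bob\r\nAccept: */*\r\n\r\n")

def parse(raw):
    """Split a raw HTTP/1.1 request into (request line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], [tuple(h.split(": ", 1)) for h in lines[1:]], body

def save_session(raw):
    """Capture Cookie plus every header that is not in COMMON_HEADERS."""
    _, headers, _ = parse(raw)
    return {n: v for n, v in headers if n.lower() not in COMMON_HEADERS}

def swap_session(raw, session):
    """Drop the request's own session headers, then append the saved ones."""
    line, headers, body = parse(raw)
    kept = [(n, v) for n, v in headers if n.lower() in COMMON_HEADERS]
    kept += list(session.items())
    head = "\r\n".join(f"{n}: {v}" for n, v in kept)
    return f"{line}\r\n{head}\r\n\r\n{body}"

def auto_update(sessions, rules, raw):
    """Apply (header, value, session name) rules to a request seen in the proxy."""
    _, headers, _ = parse(raw)
    seen = {n.lower(): v for n, v in headers}
    for name, value, target in rules:
        if seen.get(name.lower()) == value:
            sessions[target] = save_session(raw)  # refresh the stored session
    return sessions

if __name__ == "__main__":
    sessions = {"alice": save_session(ALICE_REQ)}
    # Same resource as Bob's request, now sent with Alice's identity: if the
    # response still contains Bob's order, the authorization check is missing.
    print(swap_session(BOB_REQ, sessions["alice"]))
```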
In the extension settings you can configure how the extension behaves in certain situations, such as when updating or swapping sessions. Read more about the available settings in docs/settings.md.
You can simply download the latest .jar file release and import it in Burp.
This extension needs at least Burp v2025.5. It will not work on older versions.
- Install Java 21+. For example, in Debian-based distros:
$ sudo apt install -y openjdk-21-jdk
$ java --version
openjdk 21.0.9 2025-10-21
- Clone the repo
$ git clone https://github.com/doyensec/burp-session-switcher
$ cd burp-session-switcher
- Build Session Switcher using Gradle
$ ./gradlew build
Load the file SessionSwitcher.jar into Burp as a Java extension.
The Session Switcher Burp Extension thrives on community contributions. Whether you're a developer, researcher, designer, or bug hunter, your expertise is invaluable to us. We welcome bug reports, feedback, and pull requests. Your participation helps us continue to improve the extension, making it a stronger tool for the community.
Communication is best handled through the GitHub issue tracker, but you can also reach us on social media (@Doyensec). We look forward to hearing from you!
- Author: Savio Sisco @lokiuox (GitHub)
This project was made with the support of Doyensec.




