**Overview / goal**Show a repeatable sequence (proxy log + macro) that reproduces an auth-bypass so a developer can replay and fix it.**Steps to record & export**- Use Burp Proxy → intercept the user flow that triggers the bypass (login, token exchange, privileged request). Turn intercept off and perform the flow to capture full entries.- In Burp → Proxy → HTTP history, select the relevant requests/responses and right-click → Save selected items → choose XML/JSON (include full request/response).- Create a Burp Intruder/Repeater macro or Session Handling Rule that reproduces the exact sequence (login request, follow-up token, privileged request). In Project options → Sessions create a macro from recorded requests and test it until it reliably triggers the bypass.**Reproducible replay (developer handoff)**- Export a minimal replay artifact: ordered list of requests with method, URL, headers, body, and required cookies/tokens. Provide a curl sequence example developers can run:bash
# replace placeholders before running
curl -i -s -X POST 'https://app.example/login' \
-H 'Content-Type: application/json' \
-d '{"username":"test-user","password":"REDACTED_PW"}' -c cookies.txt
curl -i -s -X GET 'https://app.example/admin' \
-b cookies.txt -H 'Authorization: Bearer REPLACE_TOKEN'
**What to redact & how**- Replace live passwords, API keys, session tokens, and PII with placeholders (e.g., REDACTED_PW, REPLACE_TOKEN). Provide instructions to obtain or generate test credentials and how to reinsert them into the macro/curl before replay.- Remove internal IPs or hostnames if required by NDA; note where they were redacted.**Artifacts to attach**- Raw request/response files (exported XML/JSON)- Individual raw .txt files for each HTTP request and response- Timestamped sequence (UTC) mapping requests to responses- Burp project file or exported macro (.json) and a short README with: - Preconditions (required test account, feature flags, timing) - Exact steps to run macro or curl, expected response/indicator of bypass - Screenshots or short GIF of PoC run (optional)**Notes & mitigations**- Document any non-determinism (race timing, TTLs). If timing matters, include sleep values or recommend using Burp Intruder with defined timings.- Validate the macro in a clean session and provide a test account to avoid leaking production credentials.