Name is required.
Email address is required.
Invalid email address
Answer is required.
Exceeding max length of 5KB

Need an extension to do advanced substitution

Bruce Barnett Nov 15, 2017 06:12PM UTC

We are using a commercial web app testing product to test a customer's massive application and we need to work around a problem in the webapp testing product.

Turning the test, the product does a GET and the customer's server returns a page with these fragments:
<form name='win1' method='post' action="https://webaddress/url1">
<div id='win1div'>
<input type='hidden' name='ID' id='ID' value='value1'>
... </div>

<form name='win2' method='post' action="https://webaddress/url2">
<div id='win2div'>
<input type='hidden' name='ID' id='ID' value='value2'>
... </div>

<form name='win3' method='post' action="https://webaddress/url3">
<div id='win3div'>
<input type='hidden' name='ID' id='ID' value='value3'>
... </div></form>

and then the client browser should in this stem normally issue a POST like this:
POST /url3 HTTP/1.1
Cookie: ...

That is, the variable ID (which is dynamically generated) has multiple values, and the client normally does a POST to a URL with a value of ID from the form that matches. And if the value of ID doesn't match, the user is logged out. Well, the webapp testing product doesn't keep track of the different values of ID in the different forms, and provides the wrong value, so the server logs the user/testing app out. So the ID value provides some session protection.

We are looking for an extension that will force all of the values of ID in all of the forms to be the same, so the web testing application cannot get send a mismatched value of ID.

So the extension has to first find all of the forms, then find all of the values of ID in each form, select the proper form based on the URL (or name of the form), and then replace the value of ID so they are all the same, and then present this modified page to the client.

This would prevent the web testing app from using the wrong value (and getting logged out).

Is there such an extension? If not, can someone point to an extension that is close so we can modify it?

Thanks for all of your help.

Paul Johnston Nov 16, 2017 10:26AM UTC Support Center agent

Hi Bruce,

Thanks for your message.

Yes, you could use a Burp extension to do this. This sample extension shows how to use the IHttpListener interface:

If you’re sending a lot of traffic through Burp just for rewriting, you may want to use Proxy > Options > Miscellaneous > Don’t send item to Proxy history or other Burp tool.

Please let us know if you need any further assistance.

Post Your public answer

Your name
Your email address