Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Need an extension to do advanced substitution

Bruce | Last updated: Nov 15, 2017 06:12PM UTC

We are using a commercial web app testing product to test a customer's massive application and we need to work around a problem in the webapp testing product. Turning the test, the product does a GET and the customer's server returns a page with these fragments: ----------------- <form name='win1' method='post' action="https://webaddress/url1"> <div id='win1div'> <input type='hidden' name='ID' id='ID' value='value1'> ... </div> <form name='win2' method='post' action="https://webaddress/url2"> <div id='win2div'> <input type='hidden' name='ID' id='ID' value='value2'> ... </div> <form name='win3' method='post' action="https://webaddress/url3"> <div id='win3div'> <input type='hidden' name='ID' id='ID' value='value3'> ... </div></form> and then the client browser should in this stem normally issue a POST like this: --- POST /url3 HTTP/1.1 ... Cookie: ... ID=3&.. ---------------------- That is, the variable ID (which is dynamically generated) has multiple values, and the client normally does a POST to a URL with a value of ID from the form that matches. And if the value of ID doesn't match, the user is logged out. Well, the webapp testing product doesn't keep track of the different values of ID in the different forms, and provides the wrong value, so the server logs the user/testing app out. So the ID value provides some session protection. We are looking for an extension that will force all of the values of ID in all of the forms to be the same, so the web testing application cannot get send a mismatched value of ID. So the extension has to first find all of the forms, then find all of the values of ID in each form, select the proper form based on the URL (or name of the form), and then replace the value of ID so they are all the same, and then present this modified page to the client. This would prevent the web testing app from using the wrong value (and getting logged out). Is there such an extension? If not, can someone point to an extension that is close so we can modify it? Thanks for all of your help.

PortSwigger Agent | Last updated: Nov 16, 2017 09:59AM UTC

Hi Bruce, Thanks for your message. Yes, you could use a Burp extension to do this. This sample extension shows how to use the IHttpListener interface: https://github.com/PortSwigger/example-traffic-redirector If you're sending a lot of traffic through Burp just for rewriting, you may want to use Proxy > Options > Miscellaneous > Don't send item to Proxy history or other Burp tool. Please let us know if you need any further assistance.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.