Need an extension to do advanced substitution

Bruce Barnett Nov 15, 2017 06:12PM UTC

We are using a commercial web app testing product to test a customer's massive application and we need to work around a problem in the webapp testing product.

During the test, the product does a GET and the customer's server returns a page with these fragments:
-----------------
<form name='win1' method='post' action="https://webaddress/url1">
<div id='win1div'>
<input type='hidden' name='ID' id='ID' value='value1'>
... </div>

<form name='win2' method='post' action="https://webaddress/url2">
<div id='win2div'>
<input type='hidden' name='ID' id='ID' value='value2'>
... </div>

<form name='win3' method='post' action="https://webaddress/url3">
<div id='win3div'>
<input type='hidden' name='ID' id='ID' value='value3'>
... </div></form>

and then the client browser should in this step normally issue a POST like this:
---
POST /url3 HTTP/1.1
...
Cookie: ...

ID=3&..
----------------------
That is, the variable ID (which is dynamically generated) has multiple values, and the client normally does a POST to a URL with a value of ID from the form that matches. And if the value of ID doesn't match, the user is logged out. Well, the webapp testing product doesn't keep track of the different values of ID in the different forms, and provides the wrong value, so the server logs the user/testing app out. So the ID value provides some session protection.

We are looking for an extension that will force all of the values of ID in all of the forms to be the same, so the web testing application cannot send a mismatched value of ID.

So the extension has to first find all of the forms, then find all of the values of ID in each form, select the proper form based on the URL (or name of the form), and then replace the value of ID so they are all the same, and then present this modified page to the client.

This would prevent the web testing app from using the wrong value (and getting logged out).

Is there such an extension? If not, can someone point to an extension that is close so we can modify it?

Thanks for all of your help.


Paul Johnston Nov 16, 2017 10:26AM UTC Support Center agent

Hi Bruce,

Thanks for your message.

Yes, you could use a Burp extension to do this. This sample extension shows how to use the IHttpListener interface:

https://github.com/PortSwigger/example-traffic-redirector

If you’re sending a lot of traffic through Burp just for rewriting, you may want to use Proxy > Options > Miscellaneous > Don’t send item to Proxy history or other Burp tool.

Please let us know if you need any further assistance.

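As an added example (not from this thread and not PortSwigger's sample extension), here is a Jython Burp extension that does the rewrite Bruce describes through IHttpListener: every hidden input named ID in an HTML response is given the value from the form whose action path matches an assumed preferred path (/url3 here), so the testing product can no longer submit a mismatched ID. The Burp calls are the standard IBurpExtenderCallbacks/IExtensionHelpers ones; the stand-in classes in the except branch exist only so the rewrite logic can be run and tested outside Burp, and SAMPLE_HTML is constructed from the fragment in the question.

```python
import re
try:
    from burp import IBurpExtender, IHttpListener
except ImportError:  # outside Burp (e.g. a unit test): stand-ins so the module imports
    class IBurpExtender(object): pass
    class IHttpListener(object): pass

# Assumption: the form whose ID value should win is chosen by its action path.
PREFERRED_ACTION_PATH = "/url3"
FORM_RE = re.compile(  # captures each form's action path, dropping any scheme://host
    r"<form\b[^>]*\baction=[\"'](?:[a-z][a-z0-9+.-]*://[^/\"']*)?([^\"']*)[\"']", re.I)
ID_INPUT_RE = re.compile(  # group 2 is the ID value; groups 1 and 3 surround it
    r"(<input\b[^>]*\bname=[\"']ID[\"'][^>]*\bvalue=[\"'])([^\"']*)([\"'])", re.I)

def unify_id_values(html, preferred_path=PREFERRED_ACTION_PATH):
    """Rewrite every ID input to one value; return (new_html, chosen_value)."""
    forms = [(m.start(), m.group(1)) for m in FORM_RE.finditer(html)]
    ids = list(ID_INPUT_RE.finditer(html))
    if len(ids) < 2:
        return html, None  # nothing to unify
    def owner(m):  # the form an input belongs to is the nearest <form> opened before it
        paths = [p for (pos, p) in forms if pos < m.start()]
        return paths[-1] if paths else None
    # Take the value from the preferred form; fall back to the first ID on the page.
    chosen = next((m.group(2) for m in ids if owner(m) == preferred_path), ids[0].group(2))
    return ID_INPUT_RE.sub(lambda m: m.group(1) + chosen + m.group(3), html), chosen

# Constructed sample modelled on the fragment in the question (not real data).
SAMPLE_HTML = (
    "<form name='win1' method='post' action=\"https://webaddress/url1\">"
    "<input type='hidden' name='ID' id='ID' value='value1'></form>"
    "<form name='win3' method='post' action=\"https://webaddress/url3\">"
    "<input type='hidden' name='ID' id='ID' value='value3'></form>")

class BurpExtender(IBurpExtender, IHttpListener):
    def registerExtenderCallbacks(self, callbacks):
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Unify hidden ID values")
        callbacks.registerHttpListener(self)

    def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
        if messageIsRequest:
            return  # only responses carry the forms to rewrite
        response = messageInfo.getResponse()
        info = self._helpers.analyzeResponse(response)
        body = self._helpers.bytesToString(response[info.getBodyOffset():])
        new_body, chosen = unify_id_values(body)
        if chosen is not None and new_body != body:
            messageInfo.setResponse(self._helpers.buildHttpMessage(
                info.getHeaders(), self._helpers.stringToBytes(new_body)))
```

Rewriting the response is what the question asks for; if the server still rejects the unified value for some URLs, the alternative is to record each form's own ID from the response and correct it on the matching request instead.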
