Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Automatically modifying Request Parameters

Markus | Last updated: Oct 02, 2016 02:58PM UTC

Hi, I write an extension that automatically should modify request parameters. However, there don't appear to by any changes. I am aware that the modification happen only after burp has registered them (but before they hit the wire). However, when I inspect the target website, i can't observe any changes. My (Jython) code looks like this, I hope indents work: class BurpExtender(IBurpExtender, ITab, AbstractTableModel, IContextMenuFactory, IHttpListener, IExtensionStateListener): def registerExtenderCallbacks(self, callbacks): self._callbacks = callbacks self._helpers = callbacks.getHelpers() callbacks.registerHttpListener(self) callbacks.registerExtensionStateListener(self) def processHttpMessage(self, messageIsRequest, messageInfo): if messageIsRequest: new_params = [] for p in self._helpers.analyzeRequest(messageInfo.getRequest()).getParameters(): new_param = self._helpers.buildParameter(p.getName(), 'NEW VALUE', p.getType()) new_params.append(new_param) for np in new_params: messageInfo.setRequest(self._helpers.updateParameter(messageInfo.getRequest(), np)) # To confirm my changes I use for param in self._helpers.analyzeRequest(messageInfo.getRequest()).getParameters(): print param.getName(), " is now ", param.getValue() # and i get a long list of "foo is now NEW VALUE" Is the way I want to change every parameter of every request correct? I read that only certain types of parameters can be changed that way, is there a workaround, for example removing these parameters, and then add a new one with the same name and type, but different value? For now I just want to change every parameter, and take care of a smart selection later on.

PortSwigger Agent | Last updated: Oct 03, 2016 08:57AM UTC

From your code, it appears that it should successfully change the values of request parameters. Perhaps try chaining a second instance of Burp as upstream proxy from the first, so that you can see the actual requests that are hitting the wire. If you want to perform different actions on different parameters, then simply inspect the parameter name or type and decide which ones your code should modify.

Burp User | Last updated: Oct 04, 2016 07:52AM UTC

Thanks a lot! Chaining the second proxy shows me, that all parameters are indeed changed :) And yes, I want to change different parameters according to their type, but updateParameter just supports 3 different parameter types. If I find a not-supported parameter type, can i just remove the parameter from the original message, and add a new one - same type, same name, different value?

PortSwigger Agent | Last updated: Oct 04, 2016 08:42AM UTC

If you want to modify a parameter type that updateParameter doesn't support, then you will need to write your own code to manipulate the request and change the parameter value according to its type.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.