Burp Suite User Forum


Custom Macro Parameter in URL Definition

Ben | Last updated: Oct 20, 2017 09:07AM UTC

Hi PortSwigger Team, I've noticed that more and more websites use a one-time login page. The landing page defines a one-time valid login request. Since the one-time value is in the URL itself and is not a GET parameter (I know that you can add custom GET parameters), it can't be set as a parameter in a macro definition (to deal with anti-CSRF tokens). An example of such a login request would be `https://somedomain/heyho/ONE-TIME-VALUE-HERE/somestuff/as/authorization.ping`. So what we need in the future is the ability to define a custom parameter IN the URL itself, which takes the extracted value of a previously made request. Thanks in advance!

PortSwigger Agent | Last updated: Oct 23, 2017 08:10AM UTC

Hi Ben, Thanks for the suggestion, and explaining the use case. We do have a plan to expand where session handling rules can update values to include JSON/XML parameters, HTTP headers, and path parameters as you suggest. We'll treat your request as a +1 for this feature.

Burp User | Last updated: Nov 29, 2018 01:10PM UTC

Hi, I have a very similar requirement. Is there any news about the described feature for session handling? Thanks!

PortSwigger Agent | Last updated: Nov 29, 2018 01:55PM UTC

Hi Harald, We've not made any progress on it so far. In fact, with the release of Burp 2 our focus has moved to making the crawler handle more of these scenarios automatically. If the Burp 2 crawler isn't working for you, there are some Burp extensions that let you do this. For example, Custom Parameter Handler in the BApp Store. Please let us know if you need any further assistance.

Tilman | Last updated: Jul 13, 2021 10:19AM UTC

Hey, Is there any news on this? I remember seeing the macro functionality on a roadmap for 2021 somewhere? Meanwhile: Are there any plugins/hacks people have been using to insert dynamic parts into URLs?

Liam, PortSwigger Agent | Last updated: Jul 13, 2021 02:22PM UTC

Have you tried using this extension? https://portswigger.net/bappstore/a0c0cd68ab7c4928b3bf0a9ad48ec8c7

Our most recent roadmap update: https://portswigger.net/blog/burp-suite-roadmap-update-july-2021

Tilman | Last updated: Jul 13, 2021 04:30PM UTC

Thank you Liam. While I haven't yet tried the Custom Parameter Handler extension, I did find another one very useful: Stepper (by Corey Arthur @CoreyD97) has proven itself to be THE TOOL for my purposes. Anybody looking for a way to do a sequence of requests, extract variables and reuse them in following steps: definitely give Stepper a try. The fact that it also allows you to include the variables in (among other places) the path makes it seem an interesting candidate for testing RESTful APIs.

Liam, PortSwigger Agent | Last updated: Jul 14, 2021 09:51AM UTC

Thanks for the update, Tilman.
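The mechanism requested in this thread, sketched outside Burp as an added example (not code from PortSwigger, Custom Parameter Handler or Stepper): extract a one-time value from a landing-page response and place it in the path of the follow-up request. The `__OTV__` marker, the regular expression and both sample messages are constructed assumptions based on the URL shape in the first post.

```python
import re
from urllib.parse import quote

# Constructed landing-page response; the link follows the URL shape from the first post.
LANDING_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n\r\n"
    '<form action="/heyho/9f3c2a71-b0de/somestuff/as/authorization.ping" method="post">'
)

# Constructed login request template; __OTV__ is a hypothetical marker for the path segment.
LOGIN_TEMPLATE = (
    "POST /heyho/__OTV__/somestuff/as/authorization.ping?lang=en HTTP/1.1\r\n"
    "Host: somedomain\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Assumed pattern: the one-time value is the path segment right after /heyho/.
OTV_PATTERN = re.compile(r'/heyho/([^/"?#\s]+)/somestuff/')

def extract_one_time_value(response: str) -> str:
    """Return the one-time path segment found in the response body."""
    _, _, body = response.partition("\r\n\r\n")
    match = OTV_PATTERN.search(body)
    if match is None:
        # Fail loudly: a silent miss would replay a stale or literal marker value.
        raise ValueError("one-time value not found; landing page format may have changed")
    return match.group(1)

def insert_path_value(request: str, value: str, marker: str = "__OTV__") -> str:
    """Replace the marker in the request path only; query, headers and body stay untouched."""
    request_line, sep, rest = request.partition("\r\n")
    method, target, version = request_line.split(" ", 2)
    path, qmark, query = target.partition("?")
    if marker not in path:
        raise ValueError("marker not present in request path")
    # Percent-encode so a value containing '/', '?' or CR/LF cannot change the request structure.
    path = path.replace(marker, quote(value, safe=""))
    return f"{method} {path}{qmark}{query} {version}{sep}{rest}"

def build_login_request() -> str:
    """Chain both steps, as a macro followed by a path update would."""
    return insert_path_value(LOGIN_TEMPLATE, extract_one_time_value(LANDING_RESPONSE))
```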
