The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

Expand "match and replace" to Scanner and Target/Sitemap history

Michael | Last updated: Feb 07, 2022 05:24PM UTC

Hi, I have some requests recorded in Burp and want to change a specific part of the HTTP header across all packets, for target/sitemap/scanning actions. I checked this post where a user requests a similar feature: https://forum.portswigger.net/thread/can-scanner-works-with-match-and-replace-option-from-proxy-2cf0f62a

The solution there does not cover what this user and I are requesting, as it does not allow modifying a request with regex replace, like we have for Proxy. The only thing I have not checked yet are the macros. But if there is no macro or other clear and proper solution to this, then please add this as a feature request.

Kind Regards, Michael.

Liam, PortSwigger Agent | Last updated: Feb 08, 2022 09:55AM UTC

Have you checked out this extension? - https://portswigger.net/bappstore/807907f5380c4cb38748ef4fc1d8cdbc

Michael | Last updated: Feb 09, 2022 04:45PM UTC

Hi Liam, I know this plugin and use it a lot, but as its name suggests, it only has ADDING capabilities, and what the other user and I mean is REPLACE functionality (preferably via RegEx). I believe this feature is essential and I am surprised Burp has not consequently implemented this across all Burp tools from the beginning. Please add it as a feature request with higher priority if there is no viable solution for the above-mentioned scenario. Kind regards, Michael.

Michael | Last updated: Feb 09, 2022 04:50PM UTC

(feel free to remove double-post, caused by race conditions when clicking "submit" twice)

Liam, PortSwigger Agent | Last updated: Feb 10, 2022 01:21PM UTC

Michael, could you provide us with an example of the type of match and replace that you want to perform?

Michael | Last updated: Feb 10, 2022 06:06PM UTC

Hi Liam, yes sure. At the moment I have the scenario that the pentested system was cloned to a new subdomain, while preserving the original target. So in Burp's Target tab, I have all manually crawled traffic going to "testsys1.onlineshop.com". The cloned system has the exact same link structure, but is reachable under "testsys2.onlineshop.com". So I would need to replace the Host header and URL for any outgoing request, as this would spare me crawling the same target again.

In a different scenario, I want to manually replace the gzip part of "Accept-Encoding: gzip" with "identity", and even with non-valid, malicious values (I know Burp handles this and many other things automatically, but there are still scenarios where we need the manual option).

Another example: imagine an IP range with 255 targets, where 100 are protected with httpAuth, and we need to automate testing for that vuln. One (older) method to tamper for vulns in HTTPauth is to replace the HTTP method with a nonexistent method, e.g. replace "GET / HTTP/1.1" with "XXX / HTTP/1.1". Maybe the scanner has these checks integrated; I don't know, and nor does the customer. But I can't just go and tell the customer "I think this is covered by Burp's active scan". I need proof, and so I want to check this scenario manually with my own modifications. The separation of scan from manual (half-automated) testing then enables me to show the customer exactly what we tested for, and if he needs this amount of detail, he can even request a list with every single request.

The replace function should be applicable globally to any outgoing request, no matter which Burp tool it originates from.

Kind regards, Michael.
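What the global rewrite requested in the post above would do to one request, as an added example that is not part of the original thread and is not Burp code. The function name, rule list and sample request are constructed for illustration, using the host names from the post; rules touch only the request line and headers, and every changed line is returned as a log.

```python
import re

# Constructed sample request; the host names are the ones given in the post.
SAMPLE = (
    b"POST /cart/add HTTP/1.1\r\n"
    b"Host: testsys1.onlineshop.com\r\n"
    b"Accept-Encoding: gzip\r\n"
    b"Referer: https://testsys1.onlineshop.com/cart\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 40\r\n"
    b"\r\n"
    b"note=seen+on+testsys1.onlineshop.com&q=1"
)

# Hypothetical rule set: (compiled pattern, replacement), applied per header line.
RULES = [
    # Retarget the cloned system. The lookarounds stop the rule from firing on
    # lookalike names such as "testsys1.onlineshop.com.example".
    (re.compile(rb"(?<![\w.-])testsys1\.onlineshop\.com(?![\w.-])", re.I),
     rb"testsys2.onlineshop.com"),
    # Replace the gzip value of Accept-Encoding with identity.
    (re.compile(rb"^(Accept-Encoding:\s*)gzip$", re.I), rb"\g<1>identity"),
]


def apply_rules(raw, rules=RULES):
    """Rewrite request line and headers only; return (new_request, change_log)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    out, log = [], []
    for line in head.split(b"\r\n"):
        new = line
        for pattern, repl in rules:
            new = pattern.sub(repl, new)
        if new != line:
            log.append((line, new))  # before/after pair for the test report
        out.append(new)
    # The body is passed through untouched, so Content-Length stays valid.
    return b"\r\n".join(out) + sep + body, log


if __name__ == "__main__":
    rewritten, changes = apply_rules(SAMPLE)
    print(rewritten.decode())
    for before, after in changes:
        print("CHANGED:", before.decode(), "->", after.decode())
```

The change log is what gives the per-request record of modifications the post asks for; wiring the function into a Burp extension is not shown here.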

Michael | Last updated: Feb 10, 2022 06:08PM UTC

(Yes, I know there is "Intruder" for tasks like the last one with httpAuth, but this is still not the same as having a generally applying, global replace option.)

Liam, PortSwigger Agent | Last updated: Feb 11, 2022 10:54AM UTC

We got this working for Active scanning with the Match/Replace Session Action extension, have you checked this out? - https://portswigger.net/bappstore/9b5c532966ca4d5eb13c09c72ba7aac2

Liam, PortSwigger Agent | Last updated: Feb 11, 2022 11:14AM UTC

I've discussed your IP range example with our Scanner team. We don't think this is a task for Burp Scanner. We would recommend using Burp Intruder or the Turbo Intruder extension. - https://www.youtube.com/watch?v=jBf6i_B7fTw - https://portswigger.net/bappstore/9abaa233088242e8be252cd4ff534988

Michael | Last updated: Oct 21, 2022 02:12AM UTC