Burp Suite User Forum

Repeater, Update specific parameter

Schulz, | Last updated: May 23, 2017 03:02PM UTC

Hey Guys, following story. I currently pentest an application where the server sends me a token in each response which is processed by the AJAX client. This token is later used as parameter in the follow-up request within a JSON structure. My question is, is there any chance that I can automatically update that value (which comes with the response) for my next request in the repeater. So far, I always have to copy-paste that value in order to try playing around with all the other parameters to find possible flaws. This gets kinda boring, as I do have to copy-paste that token every 5 seconds in order to make minor changes to my request. In the extender, I found "CPH Config" and "Extended Macro", which seemed quite promising. However, trying out those two, I still haven't found a solution to my problem. I would appreciate it, if you could help me out. I hope I stated my problem clearly. Cheers, Pascal

PortSwigger Agent | Last updated: May 24, 2017 08:10AM UTC

Have you tried the CSurfer extension in the BApp Store? This sounds like it might do what you are looking for.

Burp User | Last updated: May 29, 2017 05:52AM UTC

Hey Dafydd, appreciate your answer. Will try it asap.

Burp User | Last updated: May 29, 2017 06:34AM UTC

Alright, I was playing around with it, but I couldn't manage to achieve my desired behavior. All I wanted was like an automatic update of a value, which is used in both the request and response sent. However, the value sent in the server's response has to be taken as a substitute for the next request. It's unfortunate that it is not possible to see any changes within the request in Burp's repeater (e.g. like the modified request in proxy tab). Still, I am able to see from the server's response that the substitution was not working as expected. I am pretty sure that I got my regex right though, so I do not know where the problem lies. My only way round is still a manual substitution of parameters. Regards, Pascal

PortSwigger Agent | Last updated: May 30, 2017 03:20PM UTC

If you are trying to debug session handling rules and want to see all the actions that are performed by your configured rules, then use the sessions tracer. This should let you quickly identify what is working and where any problems lie.

Burp User | Last updated: May 31, 2017 06:13AM UTC

Hey Dafydd, I really appreciate your help and the session handling rules implementation works just perfectly fine for cookies, body params and so on. My problem is that my parameter is part of a JSON struct, which is sent as body param in a PUT request. Afaik, Burp's session handling tool is not capable of manipulating such a structure. Burp's intruder is handling it neatly what I want to achieve (speaking of GREP extract with a recursive grep payload) but as I do want to manually test the rest of all JSON keys, I cannot make use of the Intruder here. I think, I wasn't really making myself too clear so far what I really want to do, but maybe you have one last idea for me. Think of the Intruder scenario I described. Is there a way to achieve the same handling within Burp's Repeater? Regards, Pascal

PortSwigger Agent | Last updated: May 31, 2017 08:43AM UTC

Ok, I understand the issue now, thanks. You're right that Burp's native session handling rules don't support automatically updating request parameters within JSON data. You could achieve this with a short extension that deals with this specific application. Your code could register a custom session handling action, and this would need to update each request with a valid value in the JSON parameter. It would also need to obtain a valid value for use in each request, and you have two options:

1. You could just register an IHttpListener to observe all responses, and parse out the new value from each response that it appears in. This might restrict you to using a single thread, and might fail in any situation where a single request consumes a CSRF token but doesn't obtain a new one in the response.
2. You could use a macro to always capture a fresh token, and your code would run after the macro executes to parse out the token and update it in the current request. This is the more robust solution, but will involve more requests being made overall.
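The second option above, written as a Jython extension against Burp's legacy Extender API (an added example, not code from this thread or from PortSwigger). It assumes the token sits under a top-level JSON key named `token` in both the macro response and the request body; `TOKEN_KEY`, `extract_token` and `replace_token` are names made up for the example.

```python
import json

try:  # Burp's legacy Extender API; only importable inside Burp (Jython)
    from burp import IBurpExtender, ISessionHandlingAction
except ImportError:  # stand-ins so the helpers can be exercised outside Burp
    class IBurpExtender(object): pass
    class ISessionHandlingAction(object): pass

TOKEN_KEY = "token"  # assumption: JSON key that carries the token both ways


def extract_token(response_text):
    """Return the token from a raw HTTP response with a JSON body, else None."""
    body = response_text.partition("\r\n\r\n")[2]
    try:
        return json.loads(body).get(TOKEN_KEY)
    except (ValueError, AttributeError):  # not JSON, or not a JSON object
        return None


def replace_token(request_text, token):
    """Return (header lines, new JSON body) with TOKEN_KEY set to token."""
    head, _, body = request_text.partition("\r\n\r\n")
    data = json.loads(body)
    data[TOKEN_KEY] = token  # other keys keep whatever was typed in Repeater
    return head.split("\r\n"), json.dumps(data)


class BurpExtender(IBurpExtender, ISessionHandlingAction):
    def registerExtenderCallbacks(self, callbacks):
        self.helpers = callbacks.getHelpers()
        callbacks.setExtensionName("JSON token updater (example)")
        callbacks.registerSessionHandlingAction(self)

    def getActionName(self):
        return "Update JSON token from macro response"

    def performAction(self, currentRequest, macroItems):
        if not macroItems:  # rule was run without a macro: nothing to copy
            return
        last = macroItems[len(macroItems) - 1].getResponse()
        token = extract_token(self.helpers.bytesToString(last))
        if token is None:
            return  # no token in the macro response: leave the request as it is
        request = self.helpers.bytesToString(currentRequest.getRequest())
        headers, body = replace_token(request, token)
        # buildHttpMessage recalculates Content-Length for the new body
        currentRequest.setRequest(self.helpers.buildHttpMessage(
            headers, self.helpers.stringToBytes(body)))
```

Once loaded, the action is selected in a session handling rule's "Run a macro" step as the extension action handler to invoke after the macro, with the rule's tool scope including Repeater.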

Burp User | Last updated: Jan 15, 2019 07:28AM UTC

Hi Dafydd, circling back to this old support case, I realised that I still need this but don't have enough time to implement my own plugin right now as you have described above. Is there any way that this feature (and I guess a lot of people would need that) makes it into Burp's Macro / Session Handling capability? It would be neat if it would be possible to have the macro extracted value inserted in basically any place but just parameters. Best, Pascal

PortSwigger Agent | Last updated: Jan 15, 2019 10:56AM UTC

Hi Pascal, Thanks for following up. The Custom Parameter Handler extension should do what you need. Session handling rules have not got a lot of attention recently because our general direction is to make them unnecessary with the new crawler. We did consider doing some minor improvements, but most things we could do easily are already possible with Custom Parameter Handler.
