Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Use Match and Replace to add a script to the head on certain pages / domains?

dslaga | Last updated: Jan 07, 2021 11:38AM UTC

Hi I need to add a certain script on all pages containing a head tag. Basically replacing: <head> something something something With: <head> <script src="my/path"></script> something something something But this should only happen on specific pages, mainly from a specific domain. How can I do this?

Michelle, PortSwigger Agent | Last updated: Jan 08, 2021 09:29AM UTC

Thanks for your message. Are you looking to set this Match and Replace rule on traffic going via Burp Proxy? If so, you can use Intercept Client Requests and Intercept Server Responses to restrict which domain name is intercepted and then create a Match and Replace Rule to perform the required changes on the Response body. I hope this helps, if you have any further questions or if your scenario is not based around the Proxy Tool, please let us know.

Nicolas | Last updated: Jan 08, 2021 10:13AM UTC

I think I missed something... How would the Match and Replace rule be applied only to the traffic matched by the Intercept rules?

dslaga | Last updated: Jan 08, 2021 10:22AM UTC

Hello I'm trying to use the Proxy indeed. I don't have intercept on, so I let traffic flow without having to manually allow everything. With this, I still want to automatically match and replace as seen above. I have tried your suggestion by creating these rules Intercept Client Requests: Domain Name Matches google.com Intercept Server Requests: Domain Name Matches google.com Match and Replace: Response Body Match: <head> Replace: <head><script>alert(1)</script> It should alert 1 only on google.com, right? It is alerting 1 on every site I visit. How can I lock this only to google.com? Thanks!

Michelle, PortSwigger Agent | Last updated: Jan 08, 2021 04:50PM UTC

Hi Sorry, I may have misunderstood initially, I imagined the traffic was being intercepted. To make sure I am understanding your requirements correctly now, I'd like to check some details with you. When you have this Match and Replace rule active, are the other sites that are being proxied (and are being affected by this rule) ones that need to be sent via Burp Proxy for testing you are carrying out?

dslaga | Last updated: Jan 15, 2021 07:59AM UTC

Hello Sorry for the late reply. In the end, considering the example above, I just need to alert(1) on google.com only. So with Burp enabled, if I visit google.com it will match and replace. If I visit any other site it will not do match and replace. Basically, this is it. Currently, I am not able to do this. If I turn on match and replace by the rule above, it will replace on every site (since every site has <head>).

Hannah, PortSwigger Agent | Last updated: Jan 15, 2021 04:43PM UTC

Hi I've made you a quick extension that you can download and edit according to your specific target and text that you want to replace. You can find it here: https://github.com/HannahLaw-Portswigger/modifyResponse You will need to modify the hostTarget variable to suit your website. If you have any questions then please let me know.

dslaga | Last updated: Jan 22, 2021 11:18AM UTC

Hello Thank you for your help! I will try this out. Best regards

dslaga | Last updated: Jan 27, 2021 10:57AM UTC

Hi Quick question. Does this support wildcards like: *domain* So I match and replace inside the whole ecosystem of "domain"? If not, how can I adjust this to support? Thanks

Hannah, PortSwigger Agent | Last updated: Jan 27, 2021 12:18PM UTC

Hi For matching with the host, I'm checking whether the Host value of the IHttpRequestResponse item directly matches with my targetHost string, so you wouldn't be able to include a wildcard. You could modify it to include a new function returning a boolean value to replace the "host == hostTarget" statement on line 39. You could perhaps include a RegEx parser in your new function to determine whether your target matches the Host on the IHttpRequestResponse object, having it return true if it matches, or false if it doesn't?

dslaga | Last updated: Jan 27, 2021 01:59PM UTC

Good suggestion. Will try that. Thanks

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.