Burp Suite’s Match and Replace rules allow you to change parts of a request and a response — which can be a significant help when testing web applications. In this post, I’ll show you how to create them, so that you’ll know how your web applications will react under various conditions.
The reason that I’m writing this post is because of a question on an earlier post about intercepting requests and modifying responses with Burp Suite. The person wrote:
Your article is very good. I need your help regarding changing whole content in response body in burp there is “match and replace” tab in burp proxy options. Inside it is function called “response body”. So how to configure that? Let’s take an example. the site is http–time,akamai,com and it shows current time. So how to configure that “response body” option to show fake time (eg. 00000000) when i request that akamai url. And also how to make it happen “response body” replace should work only on akamai site, not all other site.
Reading it, I thought it through and realised that I’ve not yet learned that aspect of Burp Suite, so I wasn’t sure how to answer them. However, that’s as good a reason as any to learn; right?
And after a little bit of digging and experimentation, I found out how. After doing so, it seemed to make more sense to write up a blog post covering how that particular bit of functionality works than answering directly in the comments. There’s more opportunity to dive deeper and to add supporting images and other content than you can with a Disqus comment.
Match and Replace, as the name implies, provide the ability to find (or match) and replace certain parts of requests and responses, as they pass through Burp Suite’s proxy. Currently, you can match and replace the following:
At first glance, that might not seem too compelling. However, the match can be performed using static strings, or regular expressions. As a result, depending on your regular expression prowess, you can make some pretty fancy changes.
There are all kinds of reasons why you might want to replace certain parts of a request or a response. The main one, however, is seeing how the application responds when input changes unexpectedly. For example:
There are loads more things that you can think of, I’m sure. However, these make for a good start.
Let’s assume a fictional scene. Say you want to do something trivial, like replacing (or removing) the X-Powered-By header. Why? Well, this is a trivial introductory example, so you don’t need a big “why”.
However, one is to automatically change the X-Powered-By header to something like X-Powered-By: MyWeb, JSP/2.2.
That way, you could simulate a different web technology.
Alternatively, you could change the HTTP response code, to see how an API client might interact.
I’ll leave the brainstorming up to you.
So, let’s push ahead and change the X-Powered-By header.
Click the “Proxy” tab, then click the “Options” tab.
About halfway down the page, you’ll find the “Match and Replace” settings.
By default, Burp Suite comes with 12 pre-defined, yet disabled, rules, which can change the request and response headers. They’re an excellent starting point for learning how to create rules.
To create a new rule, as none of the pre-defined ones does what we need, click “Add”, and you’ll see the new rule dialogue appear. Click the “Type” drop-down and click “Response header”.
Then, add ^X-Powered-By.*$ as the “Match” criteria.
This string is a regular expression that matches on any header string that starts with X-Powered-By.
As there should be only one, if any, then a simple match is all we need.
Next, set the “Replace” text as X-Powered-By: MyWeb, JSP/2.2.
Then, set the “Comment” text to be Replace the X-Powered-By header.
And finally, check the “Regex match” checkbox, and click “OK”.
Now, we have a new rule ready to go. After that, make sure you have some Proxy rules ready to go, so that you can intercept requests to a site that you know has an X-Powered-By header.
Then, make a request to the site and tell Burp Suite to intercept the response when you forward the request through Burp’s proxy.
When the response is intercepted, you’ll see in “Raw” response, that the X-Powered-By header’s been replaced on the fly for you, as in the image below.
And that’s how to automatically match and replace certain aspects of requests and responses, using Burp Suite. It’s a pretty handy tool for automating modifications, alleviating the need to do it manually each time. Have an experiment, and see what kinds of ideas and use cases you come up with for your testing needs.
As I’m still pretty new to using this aspect of Burp Suite’s functionality, I’d love to hear your experiences in the comments.
A new health record management system is going live in Australia soon. It’s called My Health Record. It will affect every Australian (and potentially temporary and permanent residents as well) as it will store some of their most intimate information — their health records! But do the risks of such a system outweigh the advantages?
Recently, I’ve moved into security at ownCloud. As part of the new role, I’ve had to invest lots of time learning about web application security attack vectors and about applications and tools for testing security.
Earlier today, I upgraded my installation of Google Chrome from version 68 to version 69. While not a major upgrade, there’s a key security update that I want to draw your attention to. Here’s a quick look at it.
There are so many things that we have to get right to creating secure applications. From input validation to output escaping, secure applications take time, effort, and dedication. However, there one thing that doesn’t take much effort, but offers a quick win. Response headers!
Please consider buying me a coffee. It really helps me to keep producing new tutorials.
Join the discussion
comments powered by Disqus