BurpSuite Proxy is one of the most used HTTP proxy applications among web penetration testers. This tool is one of the best in its category, but sometimes we encounter a situation requiring additional functionality which is not provided by Burp itself. Fortunately, anyone is able to extend its functionality using various plugins.
Here are some typical examples of such situations: request signing, or sending several requests before/after a specific user action; user session renewal, CSRF token retrieval, or filling in multi-step forms. Such functionality is partially supplied by the built-in Burp Macro; however, it does not provide functionality such as adding new HTTP headers. Therefore, we decided to develop a custom extension providing extended functionality.
The main functionality is the ability to execute one or more requests before each request triggered from any Burp tool such as Proxy, Repeater, Scanner, Intruder, Sequencer or Spider. These requests can be sent every time or once per given time interval. The plugin can extract data from requests and put it into the following requests (e.g. request a CSRF token, extract the token value from the response and add it to the next request’s HTTP header).
Extra features not provided by BurpSuite Macro:
The ExtendedMacro plugin creates a new tab “Extended Macro” in the Burp panel bar. In addition, a new context menu item is added to the application – “Send to ExtendedMacro”. The plugin consists of 3 main tabs:
The Main tab provides the core functionality of the plugin. It shows a list of all requests and which data are extracted and replaced. The left panel is used for the extraction configuration – section “Extraction message list”. The right panel configures where the extracted data is put – section “Replace message list”.
Here the queue of requests is shown. By right-clicking, you can display a context menu providing options to change the order of the requests or to remove requests.
After selecting a request, its content is displayed in the request/response editor. In the response editor, we can select which data should be extracted. The button “From selection” creates an extraction rule in the “Extraction configuration” panel. Now, we only need to set a name and click the “Add” button. As a result, the new extraction rule is added to the list.
Here you can view and set rules on how to process extracted data. First, you need to create an extraction rule. Extracted data defined by the rule can be put into an arbitrary following request from the same list or into any request from an arbitrary Burp Suite tool.
The logger shows all requests made by every Burp tool, including requests made by the Extended Macro plugin. This is very helpful for debugging and making sure that the extraction configuration works as intended.
In the Settings tab, you can set up which Burp tools are affected by the Extended Macro plugin (available options are Repeater, Scanner, Spider, Intruder, Sequencer or Proxy). If a specific Burp tool is unselected, the requests defined in the plugin configuration will not be sent prior to that tool’s own requests. Furthermore, you can set up an interval for caching extracted data.
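The extract, replace and cache flow described above can be modelled in a few lines of Python. This is an added illustration, not the plugin's own code: the delimiter-based rule, the class and function names, and the `fetch` callable standing in for the pre-request are all assumptions, and the sample messages are constructed.

```python
import time


class ExtractionRule:
    """Assumed rule format: capture the text between two delimiters."""
    def __init__(self, name, start, end):
        self.name, self.start, self.end = name, start, end

    def extract(self, response):
        i = response.find(self.start)
        j = response.find(self.end, i + len(self.start))
        return response[i + len(self.start):j] if i >= 0 and j >= 0 else None


def set_header(request, header, value):
    """Add or overwrite one header in a raw HTTP request; the body is untouched."""
    head, sep, body = request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    kept = [lines[0]] + [l for l in lines[1:]
                         if not l.lower().startswith(header.lower() + ":")]
    kept.append(f"{header}: {value}")
    return "\r\n".join(kept) + sep + body


class TokenMacro:
    """Runs the pre-request at most once per `interval` seconds, caching the value."""
    def __init__(self, rule, fetch, interval, clock=time.monotonic):
        self.rule, self.fetch, self.interval, self.clock = rule, fetch, interval, clock
        self.value, self.fetched_at = None, None

    def apply(self, request, header):
        now = self.clock()
        if self.value is None or now - self.fetched_at >= self.interval:
            value = self.rule.extract(self.fetch())
            if value is None:  # e.g. the session expired and a login page came back
                raise ValueError(f"rule {self.rule.name!r} matched nothing")
            self.value, self.fetched_at = value, now
        return set_header(request, header, self.value)


# Constructed sample data: a token page and a request that needs the token.
SAMPLE_RESPONSE = ('HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
                   '<input name="csrf" value="a1b2c3">')
SAMPLE_REQUEST = ("POST /transfer HTTP/1.1\r\nHost: app.example\r\n"
                  "X-CSRF-Token: stale\r\n\r\namount=10")

if __name__ == "__main__":
    macro = TokenMacro(ExtractionRule("csrf", 'name="csrf" value="', '"'),
                       lambda: SAMPLE_RESPONSE, interval=30)
    print(macro.apply(SAMPLE_REQUEST, "X-CSRF-Token"))
```

Raising when the rule matches nothing mirrors what the Logger tab is used to check: a request that goes out with a stale or empty token usually means the extraction no longer matches the response.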