
Cool, I'm going to start now. All right, so roughly how many folks in the audience use Burp Suite on a fairly regular basis for their jobs? All right, so there's a couple of people here. This tool is going to be so good.

So here's a rough agenda of what I'll be talking about. I'll talk about who I am, authorization testing with Burp Suite and no plugins (the general workflow, which I'm sure most of you folks do; that's what I was doing before I wrote AutoRepeater), then the other plugins that I ripped off to build my plugin. I took a bunch of ideas from a bunch of existing tools for testing this kind of stuff and sort of worked the best ideas together in my tool. Then I'll talk about the features of AutoRepeater, I'll demo it, walk through some of the features, and there'll be some time for questions.

So my name is Justin Moore, I'm a senior security consultant at NCC Group. I spoke at BSides Roc last year about a different Burp plugin I wrote, an alternative to the Decoder tab inside Burp Suite. I had some not-so-choice words about building Burp Suite plugins; most of that still stands true. And then as far as my job: you hack stuff, you do all kinds of things. My coworker Marquel Cory did a Wi-Fi training up here with Jason Ross.

So for those unfamiliar with Burp Suite, like the 75% of you who might not be familiar: Burp Suite is an intercepting HTTP proxy that allows you to modify and send data. So basically you have a web browser, you point your web browser at Burp Suite, you navigate through a web application, it sends HTTP requests, and Burp allows you to view those HTTP requests that you wouldn't otherwise be able to see. Then you can also modify them and let them through, or resend them multiple times, or it just kind of assists in doing web application security type tasks. There are a few other HTTP proxy type tools, but basically Burp Suite is the de facto tool, it's what everybody uses. If
you're a professional pen tester, more likely than not you're going to use this, unless you have strong feelings against it and manually use ZAP maybe, or there's a few other man-in-the-middle proxies. But basically, if you're doing web application security, Burp is what you use, it's what you have.

So the reason I built this plugin: applications are getting really complicated now. You have a web application, it'll have a bunch of different roles or organizations, really complicated permission structures, right? This introduces the risk of authorization mistakes. So if you have an authorization issue inside of the web application, at a minimum you're going to get an information disclosure bug, which is not that great, but it's a bug, you know. At worst you can get privilege escalation. So if you're, let's say, a regular user and you can interact with some administrative APIs, you can become the administrator and do everything linked to that permission level. And then there are other instances where maybe you're able to escalate to the administrative permission level and then use that to reset credentials for other accounts and hijack their accounts. So it really opens up quite a large array of security issues that you're going to want to test for, that are common, and that are difficult to prevent against.

So you have these new... I've been a professional pen tester for three years now, and the further I go the more complicated the web applications get. So at a minimum you have a web app, right? You're going to have regular users, you're probably going to have a semi-admin role, a super admin role that the company has access to, maybe there's different organizations within it: so my company gets an account, we're all inside one organization, there's another company, they all have theirs, so there's that segmentation there. There's these different role structures; sometimes the permission structure will be set on a matrix, so you can assign
different sets of things an account can do on a super complicated grid. And then when you're building these web apps, the way this is all done, usually at the source code level, is that all of this authorization checking is done in an opt-in fashion. So let's say you're using Ruby on Rails or Django or whatever your web app framework of choice is: you're going through and you're exposing endpoints for your web application, and you have to specifically either add function calls or annotate the specific functions exposing these endpoints with the authorization checks. So if you have a ton of endpoints exposed and a bunch of authorization rules and whatnot, then you have to do all that explicit checking, and it's difficult to do. And then on top of that there's not really a good way to automatically lint for this kind of thing, because unless you're using a specific framework that ties in with the web app framework you're using to build these things, you're not going to get free tools to check these things for you. So I've seen clients build their own linting tools that will go through the source code and make sure that specific functions are annotated in specific ways, to make sure that the authorization checking happens there. But unless you have a really complicated development process and a security team that was thinking about these things, you're not going to be doing this while you're building web apps. So for nine out of ten companies where we're doing these tests, they don't have that super in-depth custom code analysis built in every time they check in to git. So what we have here is that people have built a really complicated thing that's hard to just fix at the framework level into these really big web apps, so these are going to give you the chance to find stuff. And then, like I said, the apps are enormous. It's super common, you know, you sit down for a two-by-two pen test, so it'll be you and
another person for two weeks, and it'll be a hundred API endpoints, they'll have six different roles, and then you have to go through every single one: check authorization on this hundred different API endpoints. So at a minimum there you have 600 different requests you need to make, with a bunch of tweaking, and it's the most tedious thing ever. If you don't have source code access it's basically impossible to do correctly unless you have the patience of a saint, you're super attentive, and you have the best note keeping to make sure you go through and change everything. And then maybe there's parameters inside those requests, so you have to check all those parameters and make sure there's nothing funky in there. So it turns this thing, which is definitely something that should be checked during an application penetration test, into this huge laborious rigmarole of a process that is difficult to do by hand.

And I'm sure people who use Burp Suite for a web application test have this super standard workflow that everybody has. So basically what you'll do, for those familiar with Burp Suite, is there's a Repeater tab. You'll be going through a web app and you're like, okay, I should check this HTTP request for authorization issues, okay, so you send it to Repeater. Then you go through and you're like, let me change these ten different things, I'll resend the request a bunch of times, maybe I'll log in as a couple of different users, have valid sessions for those users, swap session information in, resend requests, go back through, and then just keep rinsing and repeating that until you either run out of things to test, which is pretty unlikely in a super huge application, or you run out of time, because the client hasn't paid you a ton of money to do this. So it's really tedious, it sucks, it's the least fun thing to do on a test. Usually you just delegate it to a junior person because there's not
really any super technical thing you're doing here. You're just like, okay, I have this one request here, I want to try it as a different user: does this request succeed or fail as the other user, or as a user from a different organization, or anything you'd want to test for a general authentication flow.

So I have a Burp Suite set up here, for those unfamiliar. So basically this is the Repeater tab, and if you're doing this kind of testing, you see here this is the request for doing a search on Google. We're going to have to use a little imagination here because I didn't set a whole lot up or anything. So you can see here there's one, two, three, four different parameters in the URL and then another, I don't know, four or five cookies. So at a minimum you're going to want to test all of those things. Now imagine if you actually had to log into this application and maybe there's different roles or whatnot. So you're going to have to go through and resend this request for, let's say, for your application you have a regular user, which is everybody in your organization, then you have a moderator user who can control groups of users inside the organization, and then there's maybe a billing user who can do things like pay for your billing stuff, or maybe a read-only user that shouldn't be able to change anything, and then a regular admin there. So that's a pretty standard authorization model, and you're going to have to check this request with all of those different sessions. So you have to log in as each of those users, or get developer credentials for all those users, log in as that user, make this request as those users, and then check: okay, did it work or did it not work? And then you have to do that for every single endpoint, and it just involves a lot of, okay, so I hit Go, it sends the request, you look at it, okay, is it good? And then you go in here and you're like, I'll search "bsides roc", or I'm going to have to say "bsides roc 2" here for whatever reason, and make another request. And you just do this forever, and it's hours and hours and hours of you having this pane, you tweak a little bit of data, you resend and you look at it, which sucks so bad if you have a complicated application and you want to check all these endpoints: oh, I've got to make sure that they have authorization checking, and they do this and I do that. Your whole
day is spent twiddling data inside Repeater, and it's not fun and super tedious.

So because it's not great, a lot of people have thought about this. I think three or four other people have thought about how to make this less painful with Burp Suite. So basically these other people have built these other plugins to deal with it. These are the three main ones, I think mine is the fourth, I didn't see any other ones. I've used all of these and then I decided they weren't adequate, so I built my own, but they all had really good ideas.

So the first one I used was Authz, which has been around for four or five years. As far as I know it's the first authorization checking plugin for Burp Suite, and basically the process for it is you go through an application and then you right-click requests and send them to Authz, and then you can specify cookies to change inside of it, and then it'll have a bunch of requests that you have queued up, and then you have the cookies you've changed, then you click resend or whatever the button is, and then it'll go through and resend all of those requests with the cookie replaced. Which is better than nothing, but it still involves you having to go through and know which things need to have authorization testing, and that's too much for me, it's too many steps. So this is what it looks like. You can see here the endpoints up at the top, and then the requests that you're going to change, and then the new responses after they've been resent. It works pretty well, I recommend everybody check it out, it's a good starting place.

Then there's AuthMatrix, which is as far as I can tell the most popular authorization testing plugin. This one's a little bit handier; it's basically just a strictly better version of Authz. You can set up these complicated authorization matrices and denote,
oh, this request is a logged-in user, this request is this role. It's pretty handy, but it also has the same problem as Authz where you have to go through and set a bunch of stuff up beforehand. So you have to send a bunch of requests to it, build up this complicated authorization model that you're checking against, and then you go through and resend it all, and then you go through and check, and it's on you to see where the issues are. It has the most stars on GitHub, which is how I determined it's the most popular; it's apparently very popular and quite good, I suggest everybody look at it. This is what it looks like. Oh yeah, there's a little... so you can see there where you set up a bunch of these different roles, employees and managers and HR and all that, and you can set them up, and then those requests map to those, and you can fill in the checking model, and then it'll make all the requests as the other users, which is handy. It seems like a really good idea, everybody should try it, but setting that whole thing up, I don't have patience for that. A lot of times you're not going to know what the important things to check authorization on are until you're doing the test. So then you go back through and change things, and then maybe you find out about new roles or something later on; setting this kind of stuff up is just too much.

And then the last one, which is the reason I actually built AutoRepeater, is Autorize. So AutoRepeater stole the one thing from Autorize which I think is probably the best feature of it and super useful. For a little backstory: I was on a test, I found out about Autorize, and basically this application had four roles (a user, a billing user, another user type and an admin user) and then different organizations, and it was a simple web app, you could view
information about... it had a UI where you could see information about how the apps you deployed inside their platform were doing. And I was like, I need a better way to test this, I have to test authorization on all these endpoints. So I downloaded Autorize, and what you can do with Autorize is basically turn it on and it will go through and do automatic find-and-replaces on requests as they're going through Burp Suite, make a replacement on the request and resend the request. So I logged in as the admin user, I logged in as the regular user, a non-permissioned user, usually a read-only user, and then I told it to replace the session cookie. I browsed the website and it resent all the requests, then I was able to go through and check for places where they weren't doing authorization checking correctly, and a regular user could read admin-only data that they weren't supposed to be able to. So I thought this idea was really good; however, you can only replace one thing at a time, which meant that, even for the testing I was doing, since I had four roles I had to go through the whole application four times, and it wasn't great. It just took too much time and I had to go back through and log back in, and I was like, I could do this faster and better in a more efficient way. So this is what it looks like. Basically it does a little magic for you and checks to see whether the authorization checking was performed on specific requests; it just does some simple regular expression type stuff to diff the original request against the secondary request. It's also very good. I don't think there's a whole lot of reason to use Autorize anymore now that AutoRepeater exists, but mine is a spiritual successor of it and this is where I got most of my ideas from.

So for AutoRepeater, I really liked
the idea of being able to just turn a thing on: you press a button, you browse a website, it just starts popping requests for you, starts making them all over the place. I like that idea; there's not really a whole lot to set up, it takes two seconds. You're pasting in a value, like I want this cookie to be replaced, so it replaces the cookie in all of the requests that go through Burp Suite. The setup's super great, it does them all, it's really nice. Burp Suite also has the ability to do find-and-replaces within requests that pass through the proxy. So in the proxy settings you can set up an automatic find-and-replace which will just automatically do replacements inline. If you wanted to strip out a specific header or something, you could set that up within the proxy itself and it'll always strip out that header, if you wanted to make sure your pages aren't cached or anything, so you always get a fresh version. And then also I really like the Repeater tab, where you can send things to it and twiddle around with things; that's super useful, and I like the idea where there's the two panes and you can see things really easily.

So basically what I did was I took all of those ideas and I rolled them together into one tool, AutoRepeater, with more of a mindset of building a really good authorization testing tool, but also something that's good for doing more general-purpose testing, where if you want to replace anything and make new requests, if you want to check cross-site scripting on all the requests, that's very easy to do with AutoRepeater.

So this is what the general UI looks like. In the top left-hand corner there's a log of all of the requests that have been sent from AutoRepeater. You can't see it, but up at the very top there's a bunch of tabs, so there's different tabs which all have a new UI
of this, so if you want to set up any number of replacements you can have them all differentiated in different tabs. So the top left is all of the requests you've sent; next to it there's the deactivate/activate button, which lets you turn AutoRepeater on and off. Down at the bottom of the screen there is the request/response view that Repeater has, along with a different window: I took a string diffing algorithm that will automatically take the original request and the original response and diff them against the modified request and response, to allow you to quickly see, oh, I tweaked this value, what does it look like, how does the response differ and how is the request different. So you can see in those two I tweaked, I don't know what I changed, but I changed something, and then you get a different timestamp, which makes sense, but it didn't actually impact the response a whole lot. And then up in the top right-hand corner is how you configure AutoRepeater. You can set up base replacements, so if you have things that need CSRF tokens to be replaced you can have that set, so you could always have new requests go out with a CSRF token or a session cookie or something that's going to break a request; you can set that to always be replaced. And then regular replacements: you go through and add new ones, and it'll just do the replacements for you.

So these are all the features, I basically just covered all of them; this is the whole gist of them. Again, it's basically the built-in features in Burp Suite plus the Autorize idea rolled together into one tool to make it more general purpose. So, to be honest, I've never actually used Burp macros to any success. Burp Suite has this macro process where, correct me if I'm wrong, you can have it go through and update Repeater
tabs or something for you, and you can have it go through and automatically do different replacements for you, is that correct? Yeah, yeah. So I looked at that while building AutoRepeater, I was kind of halfway through building it and I was like, oh, do macros replace this? They don't, and I can't exactly remember why, but basically the way you would do CSRF token replacement is you just copy the CSRF token value, you'd set up a replacement to either strip it out or delete it or replace it with some other account's user token, and then you could just go on your way making requests. So it's definitely, I think, easier, because I've never been able to make that work inside Burp Suite, so it would be good for that.

The things I didn't talk about: it has renameable tabs like Repeater does (if you didn't know, Repeater has renameable tabs). It does logging in that window, and you can export to CSVs, so if you do a bunch of testing and you're like, oh, I need to dump all this data out and copy it into a report or something, that's super tedious in Burp Suite as is, you have to copy things out by hand and it's not super nice, so there's just an export-to-CSV thing. And then you can turn it on and off, which is something that I really liked about Autorize, it's handy.

And then here's kind of the more general use cases for it. So like I said, it makes it super easy to test every request made from one user as multiple other users. So you just go through and set up replacements: you log in as every user, so if you have five roles you log in as all five users, and then you copy and paste in a set of replacements to replace the current user's session with the sessions from the other users, and then you basically just browse the website as normal and it will
just go through and send all the requests for you as Burp is receiving them, do a find-and-replace, and resend the request. If you want to strip out authentication on every request, one thing that Autorize does for you is you can test for the lack of a session cookie or something, so it'll go through and re-request everything with that session cookie missing. So you can go through and set up a replacement for the session cookie, just don't put a replacement value, and it'll go through and try those requests with the session cookie missing. Then you can do the CSRF type stuff: let's say there's a header that does CSRF checking, or maybe a value, you just go through and either strip that out, or change it, or do both at the same time, and try every request: oh, let's see what happens if I get rid of this one, let's see what happens if I change the Content-Type or whatever, and AutoRepeater will just continue on and receive your requests and send them out as is.

Then for more general-purpose things: there might be something like an email parameter that comes up a bunch, or an organization name, or a username parameter or something like that, where you're going to want to go through and try and replace that parameter with some other parameter for every single instance of it inside the application, which is really tedious to do if you're doing this by hand, because you have to go through your logs and search for it, or find these as you're testing, which can definitely be error-prone. You know you're testing for these, but it's very easy to miss specific endpoints. So if you see an email parameter in one spot, or a username parameter, you just set up an AutoRepeater replacement, and then every time AutoRepeater sees that parameter it'll go, okay, I'll switch this out for a different email address, resend the request, and then you'll be able to view the response. And then also you can mix and match these very easily. The way AutoRepeater is built it's really easy to set up a base replacement: oh, I want to try this with CSRF, and I want to try as a different user, or I want to try emails, or I only want to... you know, really kind of whatever. It's super general-purpose; I built it with that idea, to not limit you to having to do authorization testing with it. You can really use it anyplace where you think you're going to be changing something inside Repeater often; instead of doing that you switch it over into AutoRepeater,
you set up AutoRepeater to do the replacement for you automatically, and then it will just go through and automatically replace that value for you.

So here's a demo with the tool, which I'll kind of show, show how it works, because some folks have been having trouble understanding the gist of it, so I figured I'd cover that here. So here's that request that I did earlier for the Google endpoint, I did a Google search. This doesn't have to be set up this way, but I have AutoRepeater set to just check any outgoing requests from Burp and do find-and-replaces on them. You can set up AutoRepeater to only conditionally replace things, so if, for instance, you only want things sent from Repeater to have replacements performed on them, you can do that; if you only want things coming from Proxy, or things coming from Intruder, any of the Burp Suite functionality, you can filter based on that. You can do it for only in-scope domains, you can tie that back. But right now this will work for it; it's just catching requests going out of Burp Suite. So let's make sure this still works... my internet died. Oh yeah, okay, here we go, just slow. So this is the regular request, no changes to it, I sent it from Repeater. That's good, so we see here that I have this "bsides rochester 2" thing from before, and then let's go inside AutoRepeater and always change the occurrence of "bsides rochester 2" to, I don't know, just a bunch of A's. So you go inside AutoRepeater and you go under the replacements, you click Edit because I already have one existing, and then you can do a request parameter value; there's a whole bunch of different ones. So if you want to change headers or change the whole request body, so if a POST body matches specific things that you always want to replace, you can automatically replace that. You can do replacements by parameter name, by parameter value, by cookie name or value, the whole first line, the first header in the request, arbitrary strings; you can add headers, you can remove parameters and values, remove cookies, and then there's one where you can match a parameter name and then replace the corresponding value for that parameter within the request. But I'm just going to use request string, because this will just match every single occurrence of "bsides rochester" in whatever goes through this and it'll find and replace it with a bunch of A's. Or yeah, so let's do "bsides roc" and we'll do a bunch of A's, and then you can have it replace the
first occurrence or every occurrence of it. Let's just do the first occurrence because that makes sense. And then if you have something conditional that you want to match, you can have it set to match on regular expressions, so you would just flip this on; for this I just want regular string matching, so we're not going to put that on. And then you enable it, and then you activate AutoRepeater to make sure that it's turned on. And then if we go back to the Repeater tab and send this request again, it'll go, and then you'll see AutoRepeater flash. So every time AutoRepeater sends a request it will flash. The reason it does that is because before, I would have it turned on and forget it was turned on, so we'd be making all these requests and there was no visual feedback otherwise that requests were being generated by AutoRepeater, so I added this to make it quick and immediately obvious that AutoRepeater was doing something. So it flashes, and then we can see here that if we diff it you can see that "bsides roc" was switched out for a bunch of A's. And then one thing about the content diffing is that if there are really huge responses then diffing is a super CPU-intensive process, so there's a hard limit of, I think, a hundred thousand characters or something along those lines, where it'll stop diffing past that. But regardless we can still view the modified response, and it's just a huge amount of JavaScript, which is why this was too much to diff. I'm assuming this is what Google gives you back when you search something; it's probably not all that different from the original one, because that's a valid replacement.

So then, to show that those conditions work: there's these conditions over here. So let's say you didn't want replacements to occur for things like advertising frameworks included within an application. A lot of times you'll be testing, I don't know, a UAT version of the web app or something, and they'll put all these tracking and analytics packages right into the JavaScript, so you'll be testing it with Burp Suite and it'll be making a whole slew of requests, you'll see all these things to DoubleClick and all kinds of other stuff, and you don't want replacements to happen on those, because one, that's out of scope, and two, it's going to fill up your AutoRepeater logs. So you can just flip this to make sure that it only happens for things that are in scope. Right now I don't have Google in scope, so I send that and you can see that AutoRepeater doesn't do anything because that's out of scope. And then if I go and add it back into the scope... where's the add scope...
So if you'd added this to the scope and then resent the request it would work, which is something that's basically super important. But there are also other types of conditions: if you want to make sure that only requests that contain parameters have these kinds of replacements occur, or that the HTTP methods are either not GET or POST. These are all the ones that are the default for the Burp proxy, so if you go to the Proxy page and look under Options, these here, I just kind of stole these things and built them into my tool because they seemed like reasonable primitives or defaults. I also took basically all of the features supported by the conditions there; they work the same, AutoRepeater implemented them all. So if there's some kind of condition that you like to set up inside the proxy to only proxy specific requests, AutoRepeater can do the same.

And then one example of the base replacements. So there's a little bit of a bug in the base replacements right now where it sends extra requests, but it might be fixed soon. So like I was saying earlier about CSRF: if you start changing requests, or you start changing authorization headers and cookies and whatnot inside of a request, and you don't update the CSRF header, the request is never going to work. You're going to go through, it's going to fail the CSRF check, and then you're wasting your time. Basically you'd have to go and have a matching CSRF token and make sure that matches the authorization header, and you have to do more than one replacement to make it actually work. So I added support for base replacements, and basically what base replacements will do is bundle together all of the base replacements you have and apply them to the request, and then it will take that request with all the base replacements performed on it, and then for every replacement defined it will resend that request. So for example, let's say I want to change the... let's try, I don't know, let's try the Referer header. So let's always switch out google.com for, let's say, "not google.com anymore", and then we'll just do the first one. That might actually hit the Host header, whatever, it'll change the Host header. So now every time it sees that it'll switch it out, but first it's only going to generate one request, because the base replacements were all applied together. So then if we resend the request here... it's cooking, internet's a little slow. All right, so it did that, there we go. Okay, so it sent two requests because I have a bug in there right now: it
starts generating extra requests it sends one let's see over the to request so we dip those two it did it said one request for only the base replacement was applied and then it said one request way the base replacement was applied along with the regular replacement and then if you had any number of replacements you would just see additional ones where the base replacement was applied and then the other ones too then your screws actually so you know so this specific tool doesn't handle that particularly well right now I just ran into that like literally like three days ago or something four days ago where so you're talking an instance where like every single request has a different see
surviving so honestly this doesn't work super well for that because it doesn't do like dynamic parsing requests however I think it should support that in the future I think it would be really nice to have some way to pull that out of like Oh search for some regular expression within the request and substitute that value in here that's super easy to build and I think that would be a good feature to have I would really appreciate it it will open an issue on the github page and I'll get to it in the near future but yeah so in that specific instance automated tools need to be smarter than this this one's kind of like a little dumb but often is
the case where either like one session will have the same sea surface open for the entire session or one you know it doesn't change super frequently if it's changing constantly than it does on repeated manage that super well and maybe that would be a good place to use in the leg macros but uh yeah for the time being it doesn't do that but if you have the other scenario where it's like a constant value for all of it then you're then you're good yeah so also like I said there's your name was a tab it's close that one so you can close them out you can rename them you can make new tabs they're all separate you can have a
whole bunch of stuff so if you have different users you can set those all of them as those separately and they all just run basically their own instance of auto repeater and they kind of operate on their own there's also an export button so like I said if you want to export like all of the tab logs and you a CSV or only selected ones and then if you want a log entry at a long entry wants to fill h-2b request you can export those to either CSV or JSON super easily or whatever your preference is and that's basically all of the general features of auto repeater and kind of the gist it's set more to replace like
burps proxy functionality than something more dynamic and that's kind of that's true for I think all of the other tools is they don't do a lot of automated like response parsing or look for things fancy I think that's a really good place where they could improve and I definitely think it's something that should be done because I had the same issue like not even last week I was like oh I can just use like this will be great and then it it changes every requested on the car and I got to do this by hand so auto repeater not perfect but I think it does cover a lot of bases as far as words of advice for
building similar tooling like this so last year I built decoder improved because like three years ago or so now I had a co-worker who was like I really loved if the decoder tab in burp suite had tabs so like our repeater has tabs of decoder had tabs which is like a super easy thing to build and you figure we'll just have that so it doesn't and I was like okay well I want to build a group so you plug in because I use a lot so if you have a good tool you want to be able to extend it so one of my co-workers had a training on building burp suite plugins I was like okay great
I will build burp suite decoder but with tabs all's I will need to do is build a tab frame inside swing and then take decoder the decoder tab and put that in there and then just like it'll just be done burp suite plugins don't work like that it's a huge remember always spending a year building this full swing UI and socks and ice bugs in it and I issues I need to fix so I don't know why I decided to build Auto repeater as a built-in burp suite extension besides I guess that it makes it a little bit easier for other people to use there's like a standard B app store that you can go to and download things from so it's
nice but I think in the future if you're going to be building tooling that is like proxy requests and making changes not like dynamically and doing things or like processing data in some way or like spidering data that kind of thing really automating any process of like any of the pen dosing process instead of building things natively into burbly the plugin interface you should look at using like its own your own standalone headless proxy something like man the middle proxy or my coworker wrote this go proxy called puppy proxy which is built to do like that kind of thing the benefit of that being you don't have to be pigeonholed and using burp suite forever because i think it may be like
the next few years they'll be hopefully some good alternatives to burp suite where we don't have to use it a ton anymore along with just not having to deal with the sdk it's not super user friendly and doing some things that you think would be super easier does not and then also just kind of along that line I think there should be there's more of these type of tools like for example there was just a tool that did like fancy like find in replaces you know partisan response swap some data in like did something like that that would be super handy and there's really not a lot of tooling that helps automate the process in the smart way so there's like a lot
of things that are just magic where you like you press a button it will scan it'll find the vulnerability is great for your vulnerabilities but as as soon as you're passed anything passed like a simple web application that has things that you're gonna want to like tweak and like be smart about and be like okay I see this thing I'm always gonna replace this or oh I want to like parse the response or maybe spider a website or like graph out what the web UI looks like some along those lines then there's not really anything like that that's particularly good all of the web app security tool is kind of suck I think there's a lot of room for improvements
and hopefully maybe next year somebody will have like Auto repeater but better like plus plus or something or some other suite plugin that makes my job easier you can find out a repeater on the github it's open source if you find bugs open issues I've been pretty responsive about them so far and then also it's on the B app store within burp suite it just got updated like a week ago so it should have all of the features like in all the bug fixes and whatnot in there does anybody have any questions so I can so if you want to use this to do a bunch of do a bunch of replacements so let's just go back to I
accidentally closed out the tab but where's your Peter I moved it so okay so for the sake of imagining let's assume that like I don't know what yeah this one this one looks important right so let's assume like this edit this cookie right here is the like authors it's he's wrong so we'll copy that we'll go the auto repeater and then assuming there's nothing else in there that'll break it so this is like kind of the simplest case like no fancy c-cert mitigations nothing like timestamp that's breaking things none of that assume maybe it's just like an API that's just like you're interacting with so I just use the request string for a lot of things there's fancier like you
can do parameters that headers that kind of thing strings work for everything and they're not broken they're like 100% great they cover everything they always work so I just use those that's something I learned like afterwards just if you're building this kind of tool just do a string replacements nothing fancy and then I don't know like user 1 2 3 so you have like make sure this is copy so like user 1 2 3 so this is like some other authorization cookie and then you just do a replacement for the same thing but you just type in like 4 or 5 6 and then and I think I missed up that second one you yeah so it should just request string so
you click that so then you have those all set up and then just make sure they're checked on the side and then from inside repeater or like I said it doesn't have to be a repeater it'll just work your proxy as you're browsing a website so I'll send the request it's good it's cooking now to repeater blinked and you can see that now it's generated those three requests so you can go and you'll see that it replaced that one cookie for that one value for the other value and then for the other value so if you wanted to separate this out and then like imagine like you have like a static sea surf token that you
want to replace where all of those you just open new tabs so you just have like a new tab and then in the base replacement of one tab you'd be like replace the sea surf Koken and then also in the regular replacement you just left with plus the value or you just put them bolt in the base replacement so you can kind of mix and match what you need to replace to make the request work as long as it's any other questions yeah so sorry you're like right on your life oh yeah yeah so I think one user role per tab makes sense in some spots I think for like the spot I just did where like
you don't have change anything else you can just like do like one cookie replacement and have a wreath on the request that's probably good enough for that but you can have like basically any number of tabs they all just work separately it takes a little bit of time to process like it is multi-threaded and stuff so it's not terrible but you could really whatever you like some people are really particular about having things set up by tabs that's why I have renamed what I was I had one co-worker who is really particular about being able to rename the tabs for what he was testing so I was like ok I can fill that in and
then also one thing I have to note is like this is cash so first clip door closes all your settings will stay on your place for today but yeah you know you set it up really however you want a pretty general purpose it's pretty flexible however you whatever works for you works good yeah so yeah so as far as I can tell it shouldn't have any serious performance impacts unless it's unless that there unless there's some like either like crazy number of requests going through like it's like has to be reasonable right like every time you go through a request like it feels like 500 replacements and you're going through and there's like a million requests
coming out of your browser like it'll probably slow down a little bit but all of the requests ending is done in separate threads so I guess it kind of depends like uber plug-ins are weird in the way that like you get a lot of flexibility of how you build it but burp is still there as like the main application context so like I don't know what it does as far as like how it's using threads and how other things are interacting with it so far I haven't had any problems with performance one thing to note is it only does replacements when burp sees response from the browser there's just some design decisions where like report outgoing requests don't like
there's not a good way to tag them to the responses coming back so the only clean way to do that was to just have Auto repeater work when it sees a response it'll check the original request and do the replacements so if you have like some like crazy latency going on we're like so before it took like five seconds for Google to respond then that takes five seconds before you even want to repeat your sees it and but yeah this morning I'm pretty well for me so far haven't I meet you like that yeah so it doesn't save within projects right now so instead he uses like old-school style bridge sweet like temp files not
the project files but somebody recently brought that up to me and I think it's a pretty easy fix so it should just like it should definitely use project files instead of the regular come storage as far as I can tell purpose deprecated the file storage yeah it's used yeah like the state file I don't know if you like crashes you go to open it's like oh we found two dozen temporary file do you want to keep those or not Auto repeaters would be in those temporary files but the way it is it's just I'm using like I use a the JSON to serialize all the data so it's super ice it doesn't really matter I could use
these projects super easily but that's something I should do I should open an issue an address line any other questions good feature request yeah yeah I'm not sure how like I should look at how they do the delineation of like why things are colored and why things are not I know you can like set regular expressions to be like this thing filled the auth check but I kind of wanted to not do any like complicated preset up but it'll also do it automatically like you don't have to send anything up and it'll just do the checking for you and I don't know if that's just for like if it sees like a four hundred or something or
some kind of like obvious failure but yeah i think i think colors would be good I'm super into colors I like things being colorful so yeah I'll stew on that more I think that's something that would make sense to have good [Applause]
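The talk describes two things that are easy to mis-model: how base replacements and regular replacements combine (all base replacements bundled and applied once, then one resend per regular replacement), and the "dynamic" feature the speaker wished for, pulling a per-request CSRF token out of the last response with a regular expression. The block below is an added example written for this transcript, not AutoRepeater's own code, and it works on raw HTTP request strings the way the speaker recommends ("just do string replacements"). It sends nothing; the sample request, response, header names and user identifiers are constructed for the example.

```python
"""Added example, not AutoRepeater's code: a minimal model of the replacement
logic described in the talk, operating on raw HTTP request strings."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Replacement:
    match: str            # literal substring to look for in the request
    replace: str          # literal substring to put in its place
    enabled: bool = True  # the checkbox "on the side" in the UI


def apply_replacements(request: str, replacements: List[Replacement]) -> str:
    """Apply every enabled replacement in order, as plain string substitution."""
    for r in replacements:
        if r.enabled:
            request = request.replace(r.match, r.replace)
    return request


def generate_requests(original: str,
                      base: List[Replacement],
                      regular: List[Replacement]) -> List[Tuple[str, str]]:
    """Intended behaviour as described in the talk (without the extra-request
    bug): all base replacements are bundled and applied once, then every
    enabled regular replacement yields one request on top of that result.
    Returns (label, request) pairs; nothing is sent anywhere."""
    with_base = apply_replacements(original, base)
    out = []
    for r in regular:
        if not r.enabled:
            continue
        out.append((f"{r.match!r} -> {r.replace!r}",
                    with_base.replace(r.match, r.replace)))
    return out


def refresh_token_from_response(request: str, response: str,
                                response_pattern: str,
                                request_pattern: str) -> str:
    """The dynamic feature the speaker asked for: take group 1 of
    response_pattern from the latest response and write it into group 1 of
    request_pattern in the request. If the response has no token, the
    request is returned unchanged rather than sent with a stale value."""
    found = re.search(response_pattern, response)
    if not found:
        return request
    token = found.group(1)

    def _swap_group1(m: "re.Match[str]") -> str:
        whole = m.group(0)
        start = m.start(1) - m.start(0)   # offset of group 1 inside the match
        end = m.end(1) - m.start(0)
        return whole[:start] + token + whole[end:]

    return re.sub(request_pattern, _swap_group1, request, count=1)


# Constructed sample traffic (not captured from any real application).
SAMPLE_REQUEST = (
    "POST /api/profile HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Cookie: session=user123; csrf=tok-user123\r\n"
    "X-CSRF-Token: tok-user123\r\n"
    "\r\n"
    "name=alice\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<html><head><meta name="csrf-token" content="fresh-9f2"></head></html>'
)

# Base replacement, as in the demo: rewrite the Host header for every resend.
BASE = [Replacement("Host: app.example", "Host: staging.app.example")]
# Regular replacements: resend the same request as two other test accounts;
# the third is unchecked in the UI and so produces no request.
REGULAR = [
    Replacement("session=user123", "session=user456"),
    Replacement("session=user123", "session=user789"),
    Replacement("session=user123", "session=user000", enabled=False),
]

if __name__ == "__main__":
    for label, req in generate_requests(SAMPLE_REQUEST, BASE, REGULAR):
        print(label, "->", req.split("\r\n")[2])
    print(refresh_token_from_response(
        SAMPLE_REQUEST, SAMPLE_RESPONSE,
        r'name="csrf-token" content="([^"]+)"', r"X-CSRF-Token: (\S+)"))
```

With the constructed input, `generate_requests` yields two requests, both with the rewritten Host header and each with one of the enabled session values, which is the "one request per checked replacement, all on top of the base replacements" behaviour the talk describes. `refresh_token_from_response` is called once per location the token lives in; in the sample it only updates the `X-CSRF-Token` header, so the `csrf=` cookie would need a second call with a cookie pattern.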