Swapper

Swapper automates the match and replace of tokens, CSRF values, and authentication headers across Burp Suite tools. It periodically fetches a fresh value from a configurable endpoint, extracts it using a response regex, and substitutes it into matching outbound requests, keeping authentication state in sync without manual intervention. Both XML and JSON response formats are supported.

Features

  • Automatically refreshes tokens on a configurable interval (default 4 minutes) or on a per-request basis for strict single-use token scenarios
  • Supports multiple simultaneous regex pairs, allowing several tokens or values to be extracted and replaced in a single pass
  • Handles both XML and JSON response formats, covering use cases from SOAP and SAML to OAuth 2.0, REST, and GraphQL
  • Selectively applies replacements to chosen tools: Scanner, Repeater, Intruder, Target, Sequencer, and Extender
  • Right-click context menu integration lets you send any request directly to Swapper to pre-populate the token endpoint configuration
  • Built-in regex testing: verify response extraction and request pattern matching before enabling the extension

Usage

  1. In Proxy history or Target, right-click the request that issues the token and select "Send to Swapper" to populate the endpoint configuration (host, port, headers, and body).
  2. In the "Regex Configuration" section, enter a response regex to extract the token from the endpoint response, a request regex to match the value to replace in outbound requests, and a replacement template using {token} as a placeholder for the extracted value. Add further regex pairs as needed.
  3. Click "Test Token Request" to confirm the response regex matches, then right-click a request in history and select "Test Request Regex" to verify the request pattern. Results appear in the Status box.
  4. Select the tools Swapper should intercept, configure the refresh interval or enable per-request mode, then click "Enable Extension" and save the configuration.
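The extract-and-substitute cycle configured in steps 2 and 3, sketched in Python as an added example; it is not Swapper's source code. The token response, header names, regexes, and the choice of the first capture group as the extracted value are all constructed assumptions.

```python
import re

# Each pair: (response regex, request regex, replacement template).
# Patterns and header names are constructed for illustration.
PAIRS = [
    (r'"access_token"\s*:\s*"([^"]+)"',
     r'(?im)^Authorization: Bearer \S+', 'Authorization: Bearer {token}'),
    (r'"csrf"\s*:\s*"([^"]+)"',
     r'(?im)^X-CSRF-Token: \S+', 'X-CSRF-Token: {token}'),
]

# Constructed sample data: a JSON token response and a request holding stale values.
TOKEN_RESPONSE = '{"access_token":"eyJhbGciOi.NEW.sig","csrf":"c0ffee42","expires_in":240}'
STALE_REQUEST = (
    "POST /api/orders HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Authorization: Bearer eyJhbGciOi.OLD.sig\r\n"
    "X-CSRF-Token: deadbeef\r\n"
    "\r\n"
    '{"item":1}'
)

def extract_tokens(response_body, pairs=PAIRS):
    """Return one value per pair, or None where the response regex does not match."""
    tokens = []
    for resp_re, _, _ in pairs:
        m = re.search(resp_re, response_body)
        tokens.append(m.group(1) if m else None)
    return tokens

def apply_pairs(request, tokens, pairs=PAIRS):
    """Substitute every extracted value into the request, one pair at a time."""
    for (_, req_re, template), token in zip(pairs, tokens):
        if token is None:
            continue  # extraction failed: keep the old value, never send a literal "{token}"
        replacement = template.replace("{token}", token)
        # A function replacement is inserted literally, so a backslash in the
        # token is not parsed by re.sub as a group reference.
        request = re.sub(req_re, lambda _m: replacement, request)
    return request

def refresh_request(request=STALE_REQUEST, response_body=TOKEN_RESPONSE):
    return apply_pairs(request, extract_tokens(response_body))

if __name__ == "__main__":
    print(refresh_request())
```

Testing both regexes against captured traffic first, as step 3 describes, catches the two failure modes shown here: a response regex that matches nothing and a request regex that would leave a stale value in place.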

Author

roidrage52

Version

1.0.0

Last updated

30 April 2026

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for all BApp Store extensions on our GitHub page.

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.
