Professional Community
Stepper chains multi-step HTTP request sequences with automatic variable extraction, session management, and conditional logic. Define a login or token-refresh flow once, extract values from responses with regular expressions, and have the sequence replay transparently whenever Repeater, Intruder, or Scanner needs a fresh session. It can replace the combination of session handling rules and macros for many workflows.
$VAR:name$ syntax.$VAR:Sequence:name$ and have its sequence run automatically, keeping sessions valid
during scans without manual intervention.$GVAR:name$) for credentials and constants, and
dynamic global variables ($DVAR:name$) that update automatically from responses
across all tools."token":"(.*?)" with the identifier jwt), or highlight
text in a response and use Auto Regex.$VAR:jwt$; they are substituted at
execution time.$VAR:Sequence:jwt$ from Repeater, Intruder, or Scanner; optionally mark a step as the
pre-validation step so a valid session skips the rest of the flow.|
Author |
Author
Xre0uS, CoreyD97 |
|---|---|
|
Version |
Version
2.3.4 |
|
Rating |
Rating |
|
Popularity |
Popularity |
|
Last updated |
Last updated
30 June 2026 |
|
Estimated system impact |
Estimated system impact
Overall impact: Medium
Memory
Low
CPU
Medium
General
Low
Scanner
Low
|
You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.
|
|
You can view the source code for all BApp Store extensions on our GitHub page. |
|
|
Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates. |
Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.
Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.