Professional

InsertionPoint Injector

Burp InsertionPoint Injector is a BurpSuite extension that allows pentesters to define targets within non-standard locations such as encoded regions or serialized data. For instance, potential payload insertion points within encoded cookies that would not normally be targeted by the scanner can be identified and targeted, improving scan coverage.

Features

Burp InsertionPoint Injector registers itself as a scan insertion point provider using the BurpSuite API. Consequently, the scanner will present requests to Burp Injector to determine if there are any available insertion points. The extension then matches the request with any rules defined by the tester and provides insertion points to the scanner, facilitating payload insertions.

The extension provides three targeting methods:

  • Auto: Targets using pre-canned regexes that match JSON, XML, and key-value pairs.
  • Custom Auto: Pentesters can create a custom regex similar to auto target. While a name and value capture group can be provided, the extension will supply a name if one isn't provided.
  • Regex: Allows targeting specific areas where one single regex is not ideal.

Usage

Burp Injector uses Python to handle encoded, serialized, encrypted, or signed target regions. There are three types of scripts you can provide via Burp Injector:

  • Decode Script: Decodes the target region where the targets exist.
  • Encode Script: Re-encodes the target region after a payload is inserted.
  • Payload processing script: Processes a payload prior to insertion.

Heres an example script to Base64 decode and encode a target region:

# decoder script used to decode a region of text from a targeting rule
import base64
def decode_target( target: str ) -> str:
    decoded_target = base64.b64decode(target.encode("utf-8")).decode("utf-8")
    return decoded_target
    

# encoder script used to encode a region of text from a targeting rule after the alteration has been injected
import base64
def encode_target( target: str ) -> str:
    encoded_target = base64.b64encode(target.encode("utf-8")).decode("utf-8")
    return encoded_target

To create an injection rule, simply navigate to the target site, sign in, locate the appropriate request, send it to the injector, create a rule, specify the regex, enable the rule, and run the scanner.

Author

Author

softwaresecured

Version

Version

1.0.5

Rating

Rating

Popularity

Popularity

Last updated

Last updated

21 August 2025

Estimated system impact

Estimated system impact

Overall impact: Empty

Memory
Empty
CPU
Empty
General
Empty
Scanner
Empty

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for all BApp Store extensions on our GitHub page.

Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.

Go back to BappStore

Note:

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.