Magic Variables

Magic Variables is a Burp Suite extension that enables automated substitution of placeholders in HTTP traffic with dynamic, static, or predefined values. This helps penetration testers track data flow, generate unique payloads per request, and simplify complex injection scenarios without manual intervention.

Features

• Replace user-defined placeholders in requests with corresponding values.
• Define Static Variables for simple, fixed string substitutions.
• Use Dynamic Variables to extract values from responses and inject them into future requests.
• Access a wide set of Built-in Variables for generating:
  • Random integers, UUIDs, and strings
  • Timestamp values
  • Payloads for XSS, SSTI, and XXE testing
  • Collaborator-based OOB payloads
• Scope-aware: only operates on in-scope requests.
• Customizable variable marker syntax to avoid conflicts with target applications.

Usage

Note: Traffic must be in scope for replacement to apply.

1. Open the Magic Variables tab to define static and dynamic variables.
2. Static variables require a name and replacement value. Use the pattern __VARNAME__ in requests.
3. Dynamic variables require a regex pattern to extract values from responses and a target pattern for where to substitute them in future requests.
4. Built-in variables can be used without definition; insert them directly into requests using __BUILTINVARNAME__.
5. Use NE variants (e.g. __NEUUID__) to generate fresh values on every request.

Examples

• Static Variable: Define XSS1 with value <svg/onload=alert(1)>. Using __XSS1__ in a request inserts the payload.
• Dynamic Variable: Extract sessionid from a response using regex sessionid='([^']+)' and inject it into paths matching /session/([a-f0-9]+)/profile.
• Built-in Variable: Add __UUID__ to generate a static UUID, or __NEUUID__ for a new UUID on each request.
• OOB Testing: Use __OOB__ in requests to automatically include a Burp Collaborator payload.
• Polyglot XSS: Insert __XSSPG__ to test a wide range of XSS contexts.