Replicator

Replicator helps developers reproduce issues discovered by pen testers. The pen tester produces a Replicator file containing the findings from the report. Each finding includes a request, any associated session handling rules or macros, and the logic (a grep expression) used to detect the presence of the vulnerability. The tester sends the Replicator file to the client alongside the report. Developers can then open the file within Burp and replicate the issues. When vulnerabilities have been fixed, Replicator confirms that the specific attack vector used in the pen test is now blocked. A retest is still recommended, since alternative attack vectors may remain exploitable.

Developer workflow

  1. Load the Replicator file.
  2. To test a different application instance (for example a development instance), edit the Hosts section to point at that instance.
  3. Click Test all. Every issue should get the status Vulnerable. If any does not, investigate why before going further; the Start Trace button generates a trace file that can help the pen tester diagnose the problem.
  4. Save the file. This matters for confirming fixes later.
  5. Identify an issue to work on. Consult the pen test report for a full description.
  6. Once the application has been updated, click Test to check whether the issue is still vulnerable.

Issues can have the following statuses:

  • Vulnerable - The application is still vulnerable.
  • Resolved (tentative) - The vulnerability appears to be resolved. Replicator cannot confirm this with certainty; a retest is required for that.
  • Unable to replicate - It was not possible to determine whether the application is vulnerable. Invalid credentials are a common cause, and some fixes (e.g. removing the whole page) also produce this result. Treat it as something to investigate, not as confirmation of a fix.

Tester workflow

  1. Put Replicator in Tester mode using the menu.
  2. Add issues to Replicator as they are discovered. This also assists with report writing.
    1. Issues detected by Scanner can be sent to Replicator via the context menu.
    2. Other issues can be sent to Replicator from the relevant tool. You then need to complete the issue details, including the grep expression that identifies a vulnerable response.
    3. If any issue requires a login session, create a login macro and select it in Replicator.
    4. If an issue is more complex than a single request/response, use macros and session handling rules. Replicator automatically detects the rules and macros that apply to a request and includes them in the Replicator file.
  3. When the report is complete, verify the Replicator file to ensure it will work in a fresh environment where the current tokens are no longer valid:
    1. Select all issues and click Scrub cookies... to remove session cookies from the requests.
    2. Click Empty cookie jar.
    3. Select all issues and click Clear status.
    4. Click Test all and verify that every issue reports as Vulnerable.
  4. If a particular Burp configuration is needed, use the Config... button to include it in the Replicator file. The Import... button on the Configuration dialog can help with this.
  5. Clear the status before sending the file: select all issues, click Clear status, and save the file.
  6. Send the Replicator file to the client using the same delivery mechanism as the report. The file contains working attack requests, so it needs the same handling as the report itself.
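
The verification in step 3 and the clean-up in step 5 exist so that the file works without the tester's live session and does not carry that session to the client. As an added example (not Replicator's own code), the Python below scrubs session cookies from stored requests, clears each issue's status, and additionally flags requests that still embed a credential in another header, which a cookie scrub alone would leave in the file. The cookie names, header names, the simplified Issue record and the sample issues are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Cookie names treated as session identifiers (assumed; extend for the target).
SESSION_COOKIE = re.compile(
    r"^(JSESSIONID|PHPSESSID|ASP\.NET_SessionId|session|sid)$", re.I)
# Headers that carry a credential a cookie scrub would not touch (assumed list).
CREDENTIAL_HEADERS = (b"authorization", b"x-csrf-token", b"x-api-key")


def looks_like_session(name: str) -> bool:
    return bool(SESSION_COOKIE.match(name))


@dataclass
class Issue:
    """One finding as a Replicator file stores it (simplified for the example)."""
    name: str
    request: bytes
    grep: str
    status: Optional[str] = None


def scrub_cookies(request: bytes,
                  is_session: Callable[[str], bool] = looks_like_session) -> bytes:
    """Drop session cookies from the Cookie header and keep the rest, so the
    request still carries e.g. a language preference but no usable session."""
    head, sep, body = request.partition(b"\r\n\r\n")
    out = []
    for line in head.split(b"\r\n"):
        if not line.lower().startswith(b"cookie:"):
            out.append(line)
            continue
        pairs = [p.strip() for p in line[7:].decode("latin-1").split(";") if p.strip()]
        kept = [p for p in pairs if not is_session(p.split("=", 1)[0].strip())]
        if kept:  # omit the header entirely when nothing remains
            out.append(b"Cookie: " + "; ".join(kept).encode("latin-1"))
    return b"\r\n".join(out) + sep + body


def credential_headers(request: bytes) -> List[str]:
    """Names of headers in the request that still carry a credential."""
    head = request.partition(b"\r\n\r\n")[0]
    found = []
    for line in head.split(b"\r\n")[1:]:
        name = line.split(b":", 1)[0].strip().lower()
        if name in CREDENTIAL_HEADERS:
            found.append(name.decode())
    return found


def prepare_for_delivery(issues: List[Issue]) -> Dict[str, List[str]]:
    """Scrub every issue's cookies and clear its status, then report issues
    that still embed a credential and need a login macro or manual editing
    before the file is sent."""
    needs_attention: Dict[str, List[str]] = {}
    for issue in issues:
        issue.request = scrub_cookies(issue.request)
        issue.status = None
        leaks = credential_headers(issue.request)
        if leaks:
            needs_attention[issue.name] = leaks
    return needs_attention


# Constructed sample issues, as a tester might have captured them mid-engagement.
SAMPLE_ISSUES = [
    Issue("SQLi in id",
          b"GET /item?id=1%27 HTTP/1.1\r\nHost: app.example.com\r\n"
          b"Cookie: JSESSIONID=AB12CD34; lang=en\r\n\r\n",
          r"SQL syntax", status="Vulnerable"),
    Issue("IDOR on /api/orders",
          b"GET /api/orders/42 HTTP/1.1\r\nHost: app.example.com\r\n"
          b"Authorization: Bearer FAKE-TOKEN-FOR-EXAMPLE\r\n"
          b"Cookie: sid=deadbeef\r\n\r\n",
          r'"customer_id":\s*7', status="Vulnerable"),
]

if __name__ == "__main__":
    print(prepare_for_delivery(SAMPLE_ISSUES))
    for issue in SAMPLE_ISSUES:
        print(issue.name, issue.status, issue.request)
```

After this step the tester's own "Test all" should still report every issue as Vulnerable: if an issue now needs a login, the login macro selected in Replicator supplies the session, and a request that only works with the tester's bearer token is a sign that the finding is not yet reproducible on its own.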
Author Paul Johnston, PortSwigger
Version 1.0.1
Last updated 15 February 2018

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool, or download them from here for offline installation into Burp.

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.