Replicator helps developers to reproduce issues discovered by pen testers. The pen tester produces a Replicator file
which contains the findings in the report. Each finding includes a request, associated session rules or macros, and
logic to detect presence of the vulnerability. The tester sends the Replicator file to the client alongside the report.
Developers can then open the file within Burp and replicate the issues. When vulnerabilities have been fixed, Replicator
provides confirmation that the attack vector used in the pen test is now blocked. A retest is still recommended, in
case alternative attack vectors remain exploitable.
If you want to test a different application instance (perhaps a development instance) edit the Hosts section to point to the instance.
Click Test all. All the vulnerabilities should get status Vulnerable. If any do not, you need to investigate why. You can use the Start Trace button to generate a trace file that may help the pen tester diagnose the issue.
Save the file. This is important for confirming fixes later.
Identify an issue to work on. Consult the pen test report for a full description.
When the application has been updated, click Test to see if it's still vulnerable.
Issues can have the following status:
Vulnerable - The application is still vulnerable.
Resolved (tentative) - The vulnerability appears to be resolved. Replicator cannot confirm this with certainty; a retest is required for that.
Unable to replicate - It wasn't possible to determine if the application is vulnerable. This may be because credentials are invalid. Some fixes (e.g. removing the whole page) can cause this.
It is recommended to add issues to Replicator when they are discovered. This will assist with report writing.
Issues detected by Scanner can be sent to Replicator, using the context menu.
Other issues can be sent from the relevant tool to Replicator. You need to complete the issue details, including grep expression.
If any issues require a login session, you must create a login macro, and select this in Replicator.
If an issue is more complex than a single request/response, use macros and session handling rules. Replicator will automatically detect rules and macros that apply to a request and include them in the Replicator file.
When the report is complete, verify the Replicator file, to ensure it will work in a fresh environment where current tokens are no longer valid:
Select all issues, and click Scrub cookies... Remove any session cookies from the requests.
Click Empty cookie jar
Select all the issues and click Clear status
Click Test all and verify that all issues report as vulnerable.
If some particular Burp configuration is needed, use the Config... button to include this in the Replicator file. On the Configuration dialog you may want to use the Import... button to assist you.
Clear the status before sending the file. Select all the issues, click Clear status, and save the file.
Send the Replicator file to the client, using the same delivery mechanism as the report.
Paul Johnston, PortSwigger
15 February 2018
You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.
You can view the source code for this BApp by visiting our GitHub page.
Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.