Response Pattern Matcher
Adds extensibility to Burp by using a list of payloads to pattern match on HTTP responses highlighting interesting and potentially vulnerable areas. Can be used to search HTML source code for interesting keywords, developer comments, passwords, admin panel links, hidden form fields, and more.
- When the extension is loaded in you will see a Response Pattern Matcher tab, by default pre-existing payloads exist that will be pattern matched against every response that goes through Burp. This includes tools such as the Scanner.
- Configure these payloads accordingly, these are quite generic so for an assessment you may want to add project specific keywords and regular expressions.
- The "is regex" check box indicates whether to search the responses for the provided Pattern using Java's Pattern Matcher functionality
- The "active" check box indicates whether the payload will be searched for in each response. Uncheck this to disable the payload.
- Use the "In Scope Only" checkbox to search only within responses that are in Scope defined under Target > Scope.
- If you want to test the matches against a request or response again you can send the corresponding request to repeater from the HTTP history.
- For best results, define your scope, configure your payloads, and then start testing. Burp's Scanner will kick in and push everything through the Response Pattern Matcher too so the tool searches the full sitemap. In the Matches tab you can highlight identical matches, as well as delete repeated occurrences, or and export them to a .json file.
Note /* cannot be set to be regex, this will most likely crash burp as it matches on everything.
|Last updated||21 January 2021|
You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.
|You can view the source code for this BApp by visiting our GitHub page.|
|Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.|
Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.