Professional

Custom action worked example

  • Last updated: July 17, 2025

Custom actions are scripts that run directly in Burp Repeater to automate tasks and extract information during manual testing.

In the worked example below, we'll use Java to write a custom action that extracts a CSRF token from the response body, modifies it, then logs the modified CSRF token.

In this example, our custom action script is:

var response = requestResponse.response().bodyToString();
if (response.contains("csrf=")) {
    var csrfIndex = response.lastIndexOf("csrf=") + 5;
    var csrf = response.substring(csrfIndex, csrfIndex + 16);
    csrf = csrf.replace("a", "b").replace("c", "d");
    logging.logToOutput(csrf);
} else {
    logging.logToOutput("No CSRF token");
}

Step 1: Get the response body

var response = requestResponse.response().bodyToString();

This retrieves the body of the HTTP response and stores it as a string in the response variable.

Breakdown of the code:

  • requestResponse represents the request/response pair the action is applied to.

  • response().bodyToString() gets the response object and converts the body to a string.

Step 2: Check the response body for the CSRF token

if (response.contains("csrf=")) {

This checks whether the response body string contains the substring csrf=. If it is found, the condition evaluates to true and the code inside the if block runs.

Step 3: Extract and process the token

    var csrfIndex = response.lastIndexOf("csrf=") + 5;
    var csrf = response.substring(csrfIndex, csrfIndex + 16);
    csrf = csrf.replace("a", "b").replace("c", "d");

This runs if the response body contains the string csrf=. It finds the last occurrence of csrf=, extracts the 16-character token that follows, and modifies it by replacing certain characters. Note that substring throws a StringIndexOutOfBoundsException if fewer than 16 characters follow csrf=, so this fixed-offset approach assumes the token is always at least 16 characters long.

Breakdown of the code:

  • lastIndexOf("csrf=") returns the index of the last occurrence of csrf= in the response.

  • +5 moves the index to the start of the actual token, just after csrf=.

  • response.substring(csrfIndex, csrfIndex + 16) extracts the 16 characters of the token from the response, starting at csrfIndex and ending just before csrfIndex + 16 (the end index is exclusive).

  • replace("a", "b").replace("c", "d") replaces every a with b, and then every c with d, in the extracted CSRF token.

Step 4: Log the result

logging.logToOutput(csrf);

This logs the modified CSRF token to the Output panel in the Custom actions side panel.

Step 5: Handle the situation where no token is found

} else {
    logging.logToOutput("No CSRF token");
}

If the csrf= string isn't found in Step 2, this logs the message No CSRF token.
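As an added example (not code from the PortSwigger page), the same custom action rewritten to locate the token with a regular expression instead of a fixed 16-character offset, so a short token or a csrf= at the very end of the body cannot cause a StringIndexOutOfBoundsException. It assumes the same requestResponse and logging objects the page uses, and that java.util.regex is available to the script.

```java
// Added example, not the page's own script: defensive version of the CSRF token action.
// Assumes the Bambda variables requestResponse and logging, as on the page,
// and that java.util.regex can be referenced by its fully-qualified name.
var response = requestResponse.response().bodyToString();

// Match "csrf=" followed by a run of typical token characters; group 1 is the token.
// The character class is an assumption about the token alphabet; adjust it to the target app.
var pattern = java.util.regex.Pattern.compile("csrf=([A-Za-z0-9_-]+)");
var matcher = pattern.matcher(response);

String token = null;
while (matcher.find()) {
    token = matcher.group(1); // keep the last occurrence, mirroring lastIndexOf on the page
}

if (token == null) {
    logging.logToOutput("No CSRF token");
} else {
    // Same transformation as the page's example: every a -> b, then every c -> d.
    var modified = token.replace("a", "b").replace("c", "d");
    logging.logToOutput("Original token (" + token.length() + " chars): " + token);
    logging.logToOutput("Modified token: " + modified);
}
```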
