Burp Suite, the leading toolkit for web application security testing

Options: Macro Editor

The macro editor lets you configure all the details of a macro.

Record Macro

Macros are recorded using your browser, which must be configured to use the current instance of Burp as its proxy server.

When recording a macro, Burp displays a view of the Proxy history, from which you can select the requests to be used for the macro. You can select from previously made requests, or record the macro afresh and select the new items from the history. Note that to record a new macro using your browser you will need to turn off Proxy interception.

When you have selected the items you wish to include in the macro, click "OK", and the items are shown in the macro editor.

Configuring Macro Items

The macro editor displays the list of items in the macro. You can modify these by changing the order, removing items, or re-recording the macro. You can modify any individual request by selecting it in the list, and editing it directly in in the request viewer.

As well as the basic sequence of requests, each macro includes some important configuration about how items in the sequence should be handled, and any interdependencies between items. To edit the configuration of a macro item, select it in the list and click the "Configure item" button.

Cookie Handling

You can configure:

Parameter Handling

For each parameter in the request, you can configure whether it should be assigned a fixed preset value, or a value derived from a previous response in the macro.

The ability to derive a request parameter's value from a previous response in the macro is particularly useful in some multi-stage processes, and in situations where applications make aggressive use of CSRF tokens. Parameter derivation is based on the parameter name, and the URL being requested. If you specify that a parameter's value should be derived from a previous response, Burp will examine that response for any source of the named parameter being submitted to the relevant URL (for example, a form using the given action URL, and containing a field with the given name). If found, Burp will extract the parameter's value from that response, and update it in the request being processed.

When a new macro is defined, Burp tries to automatically find any relationships of this kind, by identifying parameters whose values can be determined from the preceding response (form field values, redirection targets, query strings in links, etc.). You can manually override the automatic analysis as required.

Custom Parameter Locations In Response

Burp's matching of parameters between macro items works automatically for known "normal" parameter locations within responses, such as form field values, and query strings in links. In some cases, you need more flexibility than this, and the ability to specify an arbitrary location within a response as containing a parameter. For example, an application might define a CSRF token within a JavaScript string, and dynamically add this to a script-generated request. To create a macro capable of deriving this parameter, you will need to tell Burp the location of the parameter within the response containing the script, and the name used for that parameter in subsequent requests.

Use the "Define custom parameter" dialog to specify the name of the custom parameter, its location within the response item being configured, and whether the value extracted from the response is URL-encoded. This is done using the response extraction rule dialog. When this has been done, the named parameter will be available for use in subsequent macro requests (or the request being processed by a session handling rule) in the normal way as described in Parameter Handling.

It is important to configure whether the value extracted from the response is URL-encoded. This ensures that Burp can correctly encode the value when it is used in subsequent requests, reflecting whether the context into which it is being placed needs to be URL-encoded.

Re-Analyze Macro

When a new macro is defined, Burp tries to automatically find any relationships between macro items, by identifying parameters whose values can be determined from the preceding response. If you have manually modified the items in the macro, you can repeat the automatic analysis using the "Re-analyze macro" button.

Test Macro

When you have configured a macro, including any derivations of request parameters from earlier responses, you can use the "Test macro" feature to verify that the configuration is working as intended. This will issue the macro requests in sequence, and attempt to derive any parameter values according to your configuration. Burp will display all requests and responses, the values of any cookies received, and the details of any parameters whose values it succeeded or failed to derive.


Support Center

Get help and join the community discussions at the Burp Suite Support Center.

Visit the Support Center ›

Monday, January 16, 2017


This release adds various enhancements and fixes:

  • There is a new command-line option to launch Burp with a specified user configuration file.
  • A bug that was recently introduced that prevented license activation in headless mode has been fixed.
  • The Content Discovery function now correctly handles applications that have wildcard behavior for file extensions (e.g. those that return a specific response for admin.xxx regardless of the file extension). This eliminates the only known false positives reported by the new Content Discovery engine.

See all release notes ›

Copyright © 2016 PortSwigger Ltd. All rights reserved.