Most people are unaware that there are many very useful “off market” burp BApps, the tool I am focusing on in this blog is the first “off market” BApp of many I will do a write-up on. I use this tool as a quick’n’dirty way of throwing together regular expressions (regex). I hate writing regex but end up using it every day, so this tool has become a lifesaver for me personally.
Burp Extractor is intended to be used as a one-size-fits-all tool for extracting data from HTTP responses to be reused in HTTP requests. These can be items such as CSRF tokens, Auth Bearer tokens, timestamps, etc. The extension uses regex to extract needed data from responses and will insert extracted data into any HTTP request sent through Burp which matches a second regex.
Zachary Stashis
Contents:
(1) Installation
To install this BApp is a little different since it’s not through the “BApp Store”.
First download the latest jar file from the releases page: https://github.com/NetSPI/BurpExtractor/releases
In burp, navigate to Extender > Extensions > Burp Extensions > Select “Add”
Confirm the Extension type: is “Java” and then select “Select file …”
Open the “Burp_Extractor.jar” file
Select “Next”
You should now see an “Extractor” tab:
(2) Usage
Find the request you would like to pull something out of using regex. Right click on the Request, select Extensions > Extractor > Send to Extractor.
Navigate to the “Extractor” tab in Burp.
Highlight the request and response by selecting them. Then select “Go”.
This should open a new Tab in the Extractor menu (if it is your first one it will be labeled “1”). The next screenshot is what you should see (before you select any text):
Select the text you want Extractor to create regex for (in my example I am using the Authentication Token):
Now you have regex created for before and after the selection.
(3) Use Case with “Stepper”:
If you are unfamiliar with Stepper please visit my previous blog: There's a BApp for that: Stepper
Some applications need slight tweaking with the regex to work properly.
With stepper you need to indicate the information in between the two variables using:
(.*?)
Before Regex:
ion"\:\{"token"\:"
After Regex:
"\,"bid"\:27\,"uma
Putting it together:
Before Regex + inclusive variable + After Regex
ion"\:\{"token"\:" + (.*?) + "\,"bid"\:27\,"uma
it looks like this:
ion"\:\{"token"\:"(.*?)"\,"bid"\:27\,"uma
BUT as you can see in the screen shot below, it doesn’t work!
With Stepper I noticed if I used the whole regex it would break but if I trimmed it down...
from:
ion"\:\{"token"\:"(.*?)"\,"bid"\:27\,"uma
to:
token"\:"(.*?)"\,"bid
It works!
