There's a BApp for that: Stepper

Updated: Jul 25, 2022

Stepper is designed to be a natural evolution of Burp Suite's Repeater tool, providing the ability to create sequences of steps and define regular expressions to extract values from responses which can then be used in subsequent steps. In a later blog, I will show how to use Stepper to help automate “second-order” attacks.

Zachary Stashis


  1. Installation

  2. Usage

  3. Refresh Token if it expires

  4. Variables

  5. Regular Expression Variables

  6. Variable Usage

  7. Features

(1) Installation

Extender > BApp Store > Stepper > Select "Install"

(2) Usage

For the following example, the tester is testing several APIs that require a 1-step login process. To keep authentication as painless as possible, the tester used Stepper (from the BApp Store).

Find the request you would like to use in your Stepper automation. Right-click > Extensions > Stepper > Add 1 item to Stepper > select "New Sequence"

Name the Sequence:

This should now repeat the request and show you a response as well.

In “Post-Execution Variables”, select "Add Variable", which will create a global identifier you can use pretty much anywhere you need to in Burp.

Name the Variable:

Next, double-click the "Regex" field next to the Identifier and enter the regex to grab what you need from the response. Once you deselect the field, your token should appear in the "Value" column, showing that your regex successfully identified the value. For help with creating regex, please follow the blog "There's a BApp for that: Extractor".

Now you can use the global identifier anywhere in Burp (or in traffic proxied through Burp) using $VAR:SEQUENCE_NAME:VARIABLE_IDENTIFIER$ (for example, $VAR:Create_Bearer:BearerToken$). This is useful when an application keeps the token active for only a short window of time.

(3) Refresh Token if it expires

Select “Execute Step” to refresh the token at any time.

Or, if logging in takes more than one step, select “Execute Sequence” using the button at the bottom of the panel.

Everywhere that global token is referenced will now be updated with the new Authorization Token.

(4) Variables

Variables can be defined for use within a sequence. Variables consist of an identifier and a regular expression or, in the case of initial variables defined in the Global tab, an identifier and a value. Step variables, defined with a regular expression, have their values set from the response of the step in which they are defined. Each variable is then available for use within the requests of the steps that follow its definition. Global variables, defined with a literal initial value, can be used throughout the sequence.

Both step and global variables may be updated in later steps after their definition.

(5) Regular Expression Variables:

Variables which are defined with a regular expression are updated each time the step in which they are defined is executed. The regular expression is executed on the response received, with the first match being used as the new value. If the defined regular expression has no groups defined, the whole match will be used. If the regular expression defines capture groups, the first group will be used. If groups are required but should not be used as the value, a non-capturing group may be used, e.g. (?:REGEX)
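The selection rule above, shown as an added example that is not part of the original post or Stepper's own code. Python's re module stands in for the extension's regex engine (an assumption; the patterns use only widely supported syntax), and the response body, host name and token are constructed. It also fills the $VAR:Create_Bearer:BearerToken$ placeholder used earlier in the post.

```python
import re

# Constructed login response body (sample data, not from the original post).
RESPONSE = '{"token_type":"Bearer","access_token":"eyJhbGciOi.constructed.sig","expires_in":300}'

# Matches $VAR:SEQUENCE_NAME:VARIABLE_IDENTIFIER$ as written in the post.
PLACEHOLDER = re.compile(r"\$VAR:([^:$]+):([^:$]+)\$")


def extract(regex, response):
    """First match wins; group 1 if the regex has capture groups, else the whole match."""
    pattern = re.compile(regex)
    match = pattern.search(response)
    if match is None:
        return None  # corresponds to an empty "Value" column: no match
    return match.group(1) if pattern.groups >= 1 else match.group(0)


def substitute(request, variables):
    """Replace $VAR:...$ placeholders; unknown variables are left untouched."""
    def repl(m):
        return variables.get((m.group(1), m.group(2)), m.group(0))
    return PLACEHOLDER.sub(repl, request)


# No groups: the whole match, JSON key included, becomes the value.
WHOLE = extract(r'"access_token":"[^"]+"', RESPONSE)
# One capture group: only the token is kept.
TOKEN = extract(r'"access_token":"([^"]+)"', RESPONSE)
# Alternation in a capturing group: group 1 is the key name, not the token.
WRONG = extract(r'"(access_token|id_token)":"([^"]+)"', RESPONSE)
# Same alternation as a non-capturing group: group 1 is the token again.
FIXED = extract(r'"(?:access_token|id_token)":"([^"]+)"', RESPONSE)

# Constructed request using the placeholder from the post.
REQUEST = (
    "GET /api/v1/items HTTP/1.1\r\n"
    "Host: api.example.test\r\n"
    "Authorization: Bearer $VAR:Create_Bearer:BearerToken$\r\n\r\n"
)

if __name__ == "__main__":
    for label, value in [("whole", WHOLE), ("group", TOKEN), ("wrong", WRONG), ("fixed", FIXED)]:
        print(f"{label:6} -> {value}")
    print(substitute(REQUEST, {("Create_Bearer", "BearerToken"): FIXED}))
```

The "wrong" case is the one to watch for: a regex that matches without error can still place the key name in the Authorization header, so check the "Value" column after every regex change.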

(6) Variable Usage:

To use a variable in a request after it has been defined, either use the option in the context menu to copy the parameter to the clipboard, or manually insert it by including it as below:

Burp Repeater:

Original Request (without stepper variables):

Delete the tokens and insert the Global Variable:

Use the “Stepper Replacements” view option in Repeater to confirm that the variables were replaced correctly and the proper token was inserted.

Burp Intruder:

Refresh Token Before Every Request:

Adding the header “X-Stepper-Execute-Before:SEQUENCE_NAME” to the request will cause Stepper to re-authenticate before EVERY request to ensure the token is always valid.

(7) Features

  • Automate multiple-step processes, such as logging into an application for testing, where normal macros or extended macros do not work

  • Create global variables from the resulting step's output that can be called into any other part of Burp, including Intruder, Repeater, Sequencer, Proxy, Spider, Scanner, and
