How To Write Burp Suite Match and Replace Rules

How To Write Burp Suite Match and Replace Rules

Burp Suite’s Match and Replace rules allow you to change parts of a request and a response — which can be a significant help when testing web applications. In this post, I’ll show you how to create them, so that you’ll know how your web applications will react under various conditions.

The reason that I’m writing this post is because of a question on an earlier post about intercepting requests and modifying responses with Burp Suite. The person wrote:

Your article is very good. I need your help regarding changing whole content in response body in burp there is “match and replace” tab in burp proxy options. Inside it is function called “response body”. So how to configure that? Let’s take an example. the site is http–time,akamai,com and it shows current time. So how to configure that “response body” option to show fake time (eg. 00000000) when i request that akamai url. And also how to make it happen “response body” replace should work only on akamai site, not all other site.

Reading it, I thought it through and realised that I’ve not yet learned that aspect of Burp Suite, so I wasn’t sure how to answer them. However, that’s as good a reason as any to learn; right?

And after a little bit of digging and experimentation, I found out how. After doing so, it seemed to make more sense to write up a blog post covering how that particular bit of functionality works than answering directly in the comments. There’s more opportunity to dive deeper and to add supporting images and other content than you can with a Disqus comment.

What are Match and Replace Rules?

Match and Replace, as the name implies, provide the ability to find (or match) and replace certain parts of requests and responses, as they pass through Burp Suite’s proxy. Currently, you can match and replace the following:

  • Request: body, header, param name, param value, and first line
  • Response: body and header

At first glance, that might not seem too compelling. However, the match can be performed using static strings, or regular expressions. As a result, depending on your regular expression prowess, you can make some pretty fancy changes.

Want to Learn More About Mezzio?

Mezzio Essentials teaches you the fundamentals of PHP's Mezzio framework — the fundamentals that you need — to begin building get paid for applications with the Mezzio framework right away. It’s a practical, hands-on approach, which shows you just enough of about the underlying principles and concepts before stepping you through the process of creating an application.

Why Would You Want to Match and Replace Requests and Responses?

There are all kinds of reasons why you might want to replace certain parts of a request or a response. The main one, however, is seeing how the application responds when input changes unexpectedly. For example:

  • Does an integrating client respond as expected when an HTTP 200 response code is returned, but there’s no response body?
  • Does an integrating client handle a malformed response payload?
  • Does your app handle a malformed request?
  • Does your app correctly sanitise request parameters?

There are loads more things that you can think of, I’m sure. However, these make for a good start.

What Should We Match and Replace with Burp Suite?

Let’s assume a fictional scene. Say you want to do something trivial, like replacing (or removing) the X-Powered-By header. Why? Well, this is a trivial introductory example, so you don’t need a big “why”.

However, one is to automatically change the X-Powered-By header to something like X-Powered-By: MyWeb, JSP/2.2. That way, you could simulate a different web technology. Alternatively, you could change the HTTP response code, to see how an API client might interact. I’ll leave the brainstorming up to you.

So, let’s push ahead and change the X-Powered-By header. Click the “Proxy” tab, then click the “Options” tab. About halfway down the page, you’ll find the “Match and Replace” settings.

Burp Suite’s Match and Replace Rule Configuration window

By default, Burp Suite comes with 12 pre-defined, yet disabled, rules, which can change the request and response headers. They’re an excellent starting point for learning how to create rules.

Edit Burp Suite’s Match and Replace Rules

To create a new rule, as none of the pre-defined ones does what we need, click “Add”, and you’ll see the new rule dialogue appear. Click the “Type” drop-down and click “Response header”.

Then, add ^X-Powered-By.*$ as the “Match” criteria. This string is a regular expression that matches on any header string that starts with X-Powered-By. As there should be only one, if any, then a simple match is all we need.

Next, set the “Replace” text as X-Powered-By: MyWeb, JSP/2.2. Then, set the “Comment” text to be Replace the X-Powered-By header. And finally, check the “Regex match” checkbox, and click “OK”.

Now, we have a new rule ready to go. After that, make sure you have some Proxy rules ready to go, so that you can intercept requests to a site that you know has an X-Powered-By header.

Then, make a request to the site and tell Burp Suite to intercept the response when you forward the request through Burp’s proxy. When the response is intercepted, you’ll see in “Raw” response, that the X-Powered-By header’s been replaced on the fly for you, as in the image below.

Replacing a response header in Burp Suite


And that’s how to automatically match and replace certain aspects of requests and responses, using Burp Suite. It’s a pretty handy tool for automating modifications, alleviating the need to do it manually each time. Have an experiment, and see what kinds of ideas and use cases you come up with for your testing needs.

As I’m still pretty new to using this aspect of Burp Suite’s functionality, I’d love to hear your experiences in the comments.

You might also be interested in these tutorials too...

My Health Record - Do the Risks Outweigh the Advantages?
Tue, Jul 24, 2018

My Health Record - Do the Risks Outweigh the Advantages?

A new health record management system is going live in Australia soon. It’s called My Health Record. It will affect every Australian (and potentially temporary and permanent residents as well) as it will store some of their most intimate information — their health records! But do the risks of such a system outweigh the advantages?

Google Chrome 69 Now Flags HTTP Websites
Mon, Sep 10, 2018

Google Chrome 69 Now Flags HTTP Websites

Earlier today, I upgraded my installation of Google Chrome from version 68 to version 69. While not a major upgrade, there’s a key security update that I want to draw your attention to. Here’s a quick look at it.

Use these Five Security Headers To Create More Secure Applications
Tue, Jun 26, 2018

Use these Five Security Headers To Create More Secure Applications

There are so many things that we have to get right to creating secure applications. From input validation to output escaping, secure applications take time, effort, and dedication. However, there one thing that doesn’t take much effort, but offers a quick win. Response headers!

Want more tutorials like this?

If so, enter your email address in the field below and click subscribe.

You can unsubscribe at any time by clicking the link in the footer of the emails you'll receive. Here's my privacy policy, if you'd like to know more. I use Mailchimp to send emails. You can learn more about their privacy practices here.

Join the discussion

comments powered by Disqus