/Response-Pattern-Matcher

Adds extensibility to Burp by using a list of payloads to pattern match on HTTP responses highlighting interesting and potentially vulnerable areas.

Primary LanguageJava

Response Pattern Matcher

Adds extensibility to Burp by using a list of payloads to pattern match on HTTP responses highlighting interesting and potentially vulnerable areas. Can be used to search HTML source code for interesting keywords, developer comments, passwords, admin panel links, hidden form fields, and more.

Usage

The .jar file is available in the /releases directory, this can be loaded in through Burp Extender.

  1. When the extension is loaded in you will see a Response Pattern Matcher tab, by default pre-existing payloads exist that will be pattern matched against every response that goes through Burp. This includes tools such as the Scanner.
  2. Configure these payloads accordingly, these are quite generic so for an assessment you may want to add project specific keywords and regular expressions.
  3. The is regex check box indicates whether to search the responses for the provided Pattern using Java's Pattern Matcher functionality. A good example is available below.
  4. The active check box indicates whether the payload will be used. Uncheck this to disable the payload.
  5. Use the "In Scope Only" checkbox to search only within responses that are in Scope defined under Target > Scope.
  6. Use the config tab to choose whether to match on Requests and or Responses. Matches against either of these are available under the Matches tab.
  7. For best results, define your scope, configure your payloads, and then start testing. Burp's Scanner will kick in and push everything through the Response Pattern Matcher too so the tool searches the full sitemap.
  8. If you want to test the matches against a request or response again you can send the item to repeater from the HTTP history in Burp.
  9. Note /* cannot be set to be regex, this will most likely crash burp as it matches on everything.

Java regex tutorial

Matches

As of v2.0 additional functionality has been added to organise matches.
If you highlight items in the Matches tab you can highlight identical matches, as well as delete and export them to a .json file.

Requirements

Built using:

  • Oracle OpenJDK 17.0.8
  • burp-extender-api (2.3)
  • Tested on Burp Community Edition 2023.7.1

Acknowledgements

Author: Jack Jarvis, Bridewell
Developed using IntelliJ IDE and the Gradle Build Tool.

CoreyD97 Burp Extender Utilities:
https://github.com/CoreyD97/BurpExtenderUtilities

For further Burp Extension development please refer to:
https://portswigger.net/burp/documentation/desktop/extensions