nccgroup / autorepeater

Automated HTTP Request Repeating With Burp Suite

Home Page: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/january/autorepeater-automated-http-request-repeating-with-burp-suite/

License: MIT License

Java 99.72% HTML 0.28%
burp-plugin security burpsuite

autorepeater's People

Contributors

danielthatcher, justinmoore, justinmoore-ncc, justinmoore-ncc2, leesoh, lz1y, pajswigger, sinderella


autorepeater's Issues

Bug in UI - Logs >>> Log Filter

Hi,

There is a bug in the UI in tab logs >>> log filter.
After adding multiple conditions, it's not possible to see them, and I must copy them to Notepad in order to see all conditions.
Autorepeater UI bug

Filter logs by response length diff.

I may take a swing at this if I am feeling ambitious, but it likely won't be in the next few months so opening an issue in case anyone else wants to.

When using AutoRepeater to hunt for vertical and horizontal privesc it would be really helpful to filter logs based on the response length difference. A response length difference of 0 is a strong indication that two different requests received identical responses and that a VPE/HPE bug may be present.

Add response time information

Currently information about status codes and response lengths is shown. Timing information could also be useful when using AutoRepeater for certain types of testing (original response time, new response time, response time diff).

Burp Freezes on Clear Logs

Hello,

I noticed that Burp freezes for a certain time (approx. ~2 min) on "Clear Logs" on the latest clone.
Tested on Windows, with just 2 requests in AutoRepeater.

Add Proxy > HTTP History functionality to AutoRepeater Log

First off, thanks for making and supporting this tool. It's pretty slick!

I'm currently testing a large multi-role application and it would be really helpful to be able to gain access to the same sort of right-click functionality available in HTTP history (send to, highlight, comment, etc.) in the AutoRepeater log.

[Feature Request] Duplicate Log Highlighters/Filters

It would be really nice if we could easily duplicate a log highlighter record.

I have some of them that come with like 4-5 conditions, and sometimes I need to create a similar highlighter with a small variation, so it would make it easier making new highlighters.

Thanks :)

Tabs With Only Base Replacements Don't Fire

Me again,
Looks like when I have a bunch of base replacements, but no regular replacements, AutoRepeater doesn't capture requests properly. I've attached two configuration files that show this:

Working:

working.zip

Not Working:

not-working.zip

The scenario I am trying to get working is to have an individual tab for each user session. Each tab needed several base replacements so that I could modify their CSRF token in the header and the numerous cookies the application uses to identify the user.

Content type

First, great tool! ✨

When I change the content-type from json to xml, the data passed does not change as it says in json. Is it a bug or intended use?

Feature Request: Duplicate Tab

When testing multi-role applications, I need to make the same replacements in each repeater instance. It would save me a bunch of time if I could duplicate a tab and then simply update the values.

@nccgroup, please how can I replace all my values at once and get the response?

Firstly, thank you for the amazing tool. I have a question, please: assuming I have to replace one request header value, e.g. a CSRF header, and maybe two cookie values in the request, when I make the settings in AutoRepeater, it is actually replacing one at a time, which will not let me get the desired result.

I am thinking of a situation whereby, when the replacement settings are set, AutoRepeater uses those settings at once. What I have noticed till now is that AutoRepeater usually replaces the CSRF header value only in the first request, and in the next "Modified Request" it returns the old CSRF header that was with the original request again and replaces one of the cookie values; then next it will replace the last cookie value set and keep the original CSRF header value, so there will be no way all the settings are completely replaced at once, or together at the same time, in the modified request. This makes it difficult to get the actual desired result or to know if the test was successful. I don't know if I am doing anything wrong. I am waiting for your response.

Warm Regards
Dere sewa

Add Support For "Replace Each"

There should be a "Replace Each" replacement mode which performs the replacement and sends the request for each instance of a match within a request. This would make it much easier to generate new requests with every string match, cookie, header, param, etc. value changed one at a time.

Better Documentation

The usage documentation is on the light side. There should be either some sort of video or better instructions for how to effectively use AutoRepeater.

Enable/Disable Columns Within The Log Viewer

There's useful information that could be displayed in the Log Viewer, but it would be too cramped if everything was added. There should be an option to enable/disable specific columns in the log viewer.

Option to turn off log filter

Maybe it's just not too obvious to me how to get the log filter working the way I wanted it to. An option to turn off the filter is nice to have when we are trying to see if we have configured something wrong and want it to show everything.

Show Timed Out Requests

Can you please look into handling requests that time out?

This could be done in the same manner Burp's history time displays an empty response tab, and even be flagged. From my testing it seems to be a quite often thing due to WAFs etc.

Log Filter maybe stuck

As in the following picture, when I used AutoRepeater for a while, the Log Filter frame may get stuck and freeze.
I just looked at some sites and logged about 100-150 items,
and I used the latest version of AutoRepeater.jar.

image

This also leads to the whole Burp Suite getting stuck:
image

Here is the configuration:

[{
	"isActivated": true,
	"isWhitelistFilter": true,
	"baseReplacements": [{
		"type": "Request String",
		"match": "a",
		"replace": "b",
		"comment": "",
		"which": "Replace First",
		"isRegexMatch": false,
		"isEnabled": true
	},
	{
		"type": "Request Header",
		"match": "User-Agent:.*?",
		"replace": "User-Agent: jalsdjfouaosdf",
		"comment": "",
		"which": "Replace First",
		"isRegexMatch": true,
		"isEnabled": true
	}],
	"replacements": [{
		"type": "Request Header",
		"match": "User-Agent:.*?",
		"replace": "User-Agent: () {:;};ping -nc 1 test.me\"",
		"comment": "",
		"which": "Replace First",
		"isRegexMatch": true,
		"isEnabled": true
	},
	{
		"type": "Request Header",
		"match": "User-Aget:.*?",
		"replace": "User-Agent: testss",
		"comment": "",
		"which": "Replace All",
		"isRegexMatch": true,
		"isEnabled": true
	}],
	"conditions": [{
		"booleanOperator": "",
		"matchType": "Sent From Tool",
		"matchRelationship": "Burp",
		"matchCondition": "",
		"isEnabled": true
	},
	{
		"booleanOperator": "And",
		"matchType": "File Extension",
		"matchRelationship": "Does Not Match",
		"matchCondition": "jpg",
		"isEnabled": true
	},
	{
		"booleanOperator": "And",
		"matchType": "File Extension",
		"matchRelationship": "Does Not Match",
		"matchCondition": "js",
		"isEnabled": true
	},
	{
		"booleanOperator": "And",
		"matchType": "File Extension",
		"matchRelationship": "Does Not Match",
		"matchCondition": "png",
		"isEnabled": true
	},
	{
		"booleanOperator": "And",
		"matchType": "File Extension",
		"matchRelationship": "Does Not Match",
		"matchCondition": "gif",
		"isEnabled": true
	},
	{
		"booleanOperator": "And",
		"matchType": "File Extension",
		"matchRelationship": "Does Not Match",
		"matchCondition": "css",
		"isEnabled": true
	},
	{
		"booleanOperator": "And",
		"matchType": "File Extension",
		"matchRelationship": "Does Not Match",
		"matchCondition": "jpeg",
		"isEnabled": true
	},
	{
		"booleanOperator": "And",
		"matchType": "File Extension",
		"matchRelationship": "Does Not Match",
		"matchCondition": "svg",
		"isEnabled": true
	},
	{
		"booleanOperator": "And",
		"matchType": "File Extension",
		"matchRelationship": "Does Not Match",
		"matchCondition": ".ico",
		"isEnabled": true
	}],
	"filters": [{
		"originalOrModified": "Original",
		"booleanOperator": "",
		"matchType": "Sent From Tool",
		"matchRelationship": "Burp",
		"matchCondition": "",
		"isEnabled": true
	}],
	"highlighters": [],
	"tabName": "1"
}]

Import Suggestions

Fellow NCCer here. I'm wondering if you have recommendations or plans for an import feature? My current engagement has 8 roles and I'd like to test them all at the same time with different tabs. However, when Burp inevitably dies, all the set up of those 8 tabs is lost. Any chance I can upload a JSON file that would configure my tabs? Thanks

Failing content length validation

I'm using regex to match and replace values in a POST request.
The server is validating the Content-Length: value.
AutoRepeater is not adding this header.
I'm able to add the Content-Length: header, but I'm not sure how the Content-Length value can be automatically updated in each request, as the value is different for each request because of the regex-based match and replace rule?
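
One way to keep Content-Length in step with a regex replacement on the body, as an added Java example that is not AutoRepeater's code. The class, method and sample request are constructed for illustration, and the replacement text is assumed to be ASCII.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class ContentLengthAfterReplace {

    private static final String HEADER = "Content-Length:";

    // Applies a regex replacement to the body only, then rewrites (or adds)
    // Content-Length so that it equals the new body size in bytes.
    static byte[] replaceInBody(byte[] request, Pattern match, String replacement) {
        // ISO-8859-1 maps each byte to exactly one char, so binary bodies survive.
        String raw = new String(request, StandardCharsets.ISO_8859_1);
        int split = raw.indexOf("\r\n\r\n");
        if (split < 0) {
            return request; // no header/body separator: leave the request untouched
        }
        String body = match.matcher(raw.substring(split + 4)).replaceAll(replacement);
        int length = body.getBytes(StandardCharsets.ISO_8859_1).length;

        List<String> headers = new ArrayList<>();
        boolean written = false;
        for (String line : raw.substring(0, split).split("\r\n")) {
            if (line.regionMatches(true, 0, HEADER, 0, HEADER.length())) {
                if (!written) { // keep a single header, drop any duplicates
                    headers.add(HEADER + " " + length);
                    written = true;
                }
            } else {
                headers.add(line);
            }
        }
        if (!written) {
            headers.add(HEADER + " " + length); // header was missing: add it
        }
        String rebuilt = String.join("\r\n", headers) + "\r\n\r\n" + body;
        return rebuilt.getBytes(StandardCharsets.ISO_8859_1);
    }

    public static void main(String[] args) {
        // Constructed request: 20-byte body whose length changes with the id.
        String sample = "POST /api/profile HTTP/1.1\r\n"
                + "Host: example.test\r\n"
                + "Content-Type: application/x-www-form-urlencoded\r\n"
                + "Content-Length: 20\r\n"
                + "\r\n"
                + "id=1001&name=testing";
        byte[] out = replaceInBody(sample.getBytes(StandardCharsets.ISO_8859_1),
                Pattern.compile("id=\\d+"), "id=1002000");
        System.out.println(new String(out, StandardCharsets.ISO_8859_1));
    }
}
```

Wrap the replacement in `Matcher.quoteReplacement` when it may contain `$` or `\`, since `replaceAll` treats both as special.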

Replacement rules in requests with Content-Type: multipart/form-data

I found two issues in requests with Content-Type: multipart/form-data.

In order to better reproduce these issues, I'm sending this base request:

POST / HTTP/1.1
Host: www.google.com
Connection: close
Content-Length: 177
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0Bmuvd5DrV6Q690A
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.8

------WebKitFormBoundary0Bmuvd5DrV6Q690A
Content-Disposition: form-data; name="csrf_token"

20F4C2E40C658A7CF60080C4342227DD
------WebKitFormBoundary0Bmuvd5DrV6Q690A

1 - If you select as a replacement rule the following configuration:

Type: Request Param Value
Match: 20F4C2E40C658A7CF60080C4342227DD
Replace: aaa
Which: Replace First
Regex Match: Disabled

and send the previous request to AutoRepeater, you will see this modified request:

POST / HTTP/1.1
Host: www.google.com
Connection: close
Content-Length: 277
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0Bmuvd5DrV6Q690A
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.8

------WebKitFormBoundary0Bmuvd5DrV6Q690A
Content-Disposition: form-data; name="csrf_token"

20F4C2E40C658A7CF60080C4342227DD
------WebKitFormBoundary0Bmuvd5DrV6Q690A
Content-Disposition: form-data; name="csrf_token"

aaa
------WebKitFormBoundary0Bmuvd5DrV6Q690A

so instead of replacing the value in the parameter csrf_token with aaa, it is appending an additional parameter. Ideally, the expected request should be

POST / HTTP/1.1
Host: www.google.com
Connection: close
Content-Length: 277
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0Bmuvd5DrV6Q690A
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.8

------WebKitFormBoundary0Bmuvd5DrV6Q690A
Content-Disposition: form-data; name="csrf_token"

aaa
------WebKitFormBoundary0Bmuvd5DrV6Q690A

2 - If the request includes the following parameter:

------WebKitFormBoundary0Bmuvd5DrV6Q690A
Content-Disposition: form-data; name="photo_file"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary0Bmuvd5DrV6Q690A

the request is not received correctly. For example:

POST / HTTP/1.1
Host: www.google.com
Connection: close
Content-Length: 277
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0Bmuvd5DrV6Q690A
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.8

------WebKitFormBoundary0Bmuvd5DrV6Q690A
Content-Disposition: form-data; name="csrf_token"

20F4C2E40C658A7CF60080C4342227DD
------WebKitFormBoundary0Bmuvd5DrV6Q690A
Content-Disposition: form-data; name="photo_file"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary0Bmuvd5DrV6Q690A

will output this error:

java.lang.UnsupportedOperationException: Action is not supported for this parameter type
	at burp.sve.a(Unknown Source)
	at burp.sve.removeParameter(Unknown Source)
	at burp.Replacement.updateBurpParamName(Replacement.java:148)
	at burp.Replacement.updateRequestParamValue(Replacement.java:265)
	at burp.Replacement.performReplacement(Replacement.java:331)
	at burp.AutoRepeater.lambda$modifyAndSendRequestAndLog$21(AutoRepeater.java:1202)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)

Ability to set default tab settings

After log filtering and log highlighting are implemented it would be useful to introduce the ability to set the default options for new tabs to allow users to specify options that are active by default for all new tabs i.e. all modified requests with a 200 status code are highlighted green in the logs.

String vs Regex

Considering that the project is really light on documentation, I think it would help if things were labelled more accurately. For example, even though there is a UI option to enable / disable Regex Matches, this does not work. So:

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36

in Request String would not show any hits whereas:

User\-Agent\: Mozilla\/5\.0 \(Macintosh; Intel Mac OS X 10_13_6\) AppleWebKit\/537\.36 \(KHTML, like Gecko\) Chrome\/80\.0\.3984\.0 Safari\/537\.36

would show hits, even though the Regex Match option was not selected

Regex Issue

Add an "Anywhere" type

Replacements are currently limited to specific locations ("Request String", "Request Header", etc.). Another replacement type could be added to allow for searching the whole request for replacements, rather than just specific locations.

Filter Logs

I think it would be useful to have the option to filter the logs for a given tab. I don't think it'll be too hard to implement given the code for triggering replacements on conditions can likely be reused to filter the log viewer.

Support Collaborator Interactions

It would be really nice if there would be an option to create payloads that generate collaborator subdomains and track these interactions, and then report back to the Sitemap's issues.

Save and Load from config file

It would be helpful to be able to save and load a set of replacements from a config file that's independent of burp's state.

This would probably be useful for quite a few situations, but as an example, I'm currently using AutoRepeater to aid with SQLi testing, and each test I have to set up quite a few replacements manually. It would be much quicker to be able to load these in from a config file.

Add "Replace From Response" functionality

It would be useful to be able to perform replacements based on the response of a previous request to the domain. This would fix AutoRepeater not working for sites which rotate CSRF tokens on every request.

Auto-Hide/Expand AutoRepeater's Settings Pane

As per issue, if there is an easy way, it would be nice to auto-hide the settings pane as it takes up too much space on screen and if more info is added in the result columns, it will be even more.

It could auto-hide, and expand again only when tester moves their cursor over the right side area.

Send to AutoRepeater from Proxy does not work

I use the newest build version. When I select the URL in the proxy list and choose Send To AutoRepeater, AutoRepeater flashes, but the list in the AutoRepeater tab doesn't show any request.

Unexpected Behaviour

I've noticed that when the Project Options > Sessions > Use cookies from Burp's cookie jar > Extender box is checked, AutoRepeater will not perform any replacements. This may just be how Burp works, but it took me a bit of digging to find the reason and for some of the operations (remove all cookies) was quite unexpected.

Repeated entries

Hi, first I wanna say congrats on that extension, very helpful!

I configured one tab to listen on the proxy, and when I navigate to the same URL it repeats everything again. Do you have some way to prevent that? (just one request per URL)

Thx

Base replacements not getting consistently applied

I've run into a possible bug where base replacements aren't being consistently applied. I have a collection of "Match Cookie, Replace Value" rules and it appears that in many cases only the first matching cookie is replaced. Later in the session, all are. I can't figure out

Update BApp Store Version

The BApp Store still has v1.0, which may be the cause of some of my other issues. Not sure how this update process works, but might be good to give it a boot.

Add Option to Follow Redirection

Pretty simple and straightforward feature request:

Add the ability to follow redirections within auto repeater. I'm thinking it would be useful to have a button similar to how repeater has a button to follow redirections for individual requests/responses, and have a checkbox to automatically follow redirection in the options section.

Find below two crude mockups of what I mean in case it isn't quite clear.

Per Request:

image

Options:

image

Current workaround: just send your modified request(s) to repeater and use the "Follow Redirection" button in repeater.

Cheers!

Support Quick Auto-Extract and Reflection Info

It would be nice if AutoRepeater could try to detect and extract any reflections, or even show a count of reflections in the same way that Flow does:

image

This maybe can be achieved by having the users define starting and ending points in the replacement payloads.

Of course this could lead to false positives or bugs due to length restrictions, server-side processing of the user input etc.

Extra request with active base replacement and disabled replacement

When I have an activated base replacement and only a disabled replacement exists, I end up sending two identical requests that reflect the effects of the base replacement.

The disabled replacement doesn't seem to be doing anything, but a request still seems to be fired because it's there.

Request String Replacement Overwrites Invalid Characters

When using the "Request String" replacement, bytes which do not have a valid character mapped to them are replaced by the invalid character character which is then used as the byte value when the request body is transformed back into a byte[] to send.
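
The lossy round trip described in this issue, as an added Java example that is not AutoRepeater's code. It assumes the request is decoded as UTF-8 before the string replacement (the page does not say which charset the extension uses); the class name and request bytes are constructed for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class RequestStringRoundTrip {

    // String-based replacement: decode the raw request, replace, encode again.
    static byte[] replaceViaString(byte[] request, String match, String replace, Charset cs) {
        String text = new String(request, cs);
        return text.replace(match, replace).getBytes(cs);
    }

    // Constructed sample: an ASCII request whose body ends in three bytes
    // (0xFF 0xFE 0x80) that are not valid UTF-8.
    static byte[] sampleRequest() {
        byte[] head = ("POST /upload HTTP/1.1\r\nHost: example.test\r\n\r\n"
                + "role=user&blob=").getBytes(StandardCharsets.US_ASCII);
        byte[] binary = {(byte) 0xFF, (byte) 0xFE, (byte) 0x80};
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(head, 0, head.length);
        out.write(binary, 0, binary.length);
        return out.toByteArray();
    }

    // Hex dump of the last n bytes, to compare what is actually sent.
    static String hexTail(byte[] data, int n) {
        StringBuilder sb = new StringBuilder();
        for (int i = Math.max(0, data.length - n); i < data.length; i++) {
            sb.append(String.format("%02X ", data[i] & 0xFF));
        }
        return sb.toString().trim();
    }

    public static void main(String[] args) {
        byte[] original = sampleRequest();

        // A match that hits nothing isolates the effect of the round trip itself.
        byte[] utf8 = replaceViaString(original, "no-such-text", "x", StandardCharsets.UTF_8);
        byte[] latin1 = replaceViaString(original, "no-such-text", "x", StandardCharsets.ISO_8859_1);

        System.out.println("original tail : " + hexTail(original, 3));
        System.out.println("UTF-8 tail    : " + hexTail(utf8, 9));
        System.out.println("UTF-8 intact  : " + Arrays.equals(original, utf8));
        System.out.println("Latin-1 intact: " + Arrays.equals(original, latin1));
    }
}
```

Decoding as UTF-8 turns each invalid byte into U+FFFD, which re-encodes as `EF BF BD`, so the body both changes and grows. ISO-8859-1 maps every byte to exactly one char, so the same replace leaves the untouched bytes as they were.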
