Burp Macros: What, Why & How?

While performing manual or automated testing, do you come across problems like:

i) The application keeps terminating the session and you need to restore the session time and again.

ii) To prevent request forgery attacks, some functions may use changing tokens that have to be provided with each request.

iii) In order to test a particular function, you need to perform a series of tasks that need to be repeated in the same order to complete that function multiple times.

If so, then this blog is for you.

Obviously, you can automate the process by writing a python code, however, that requires scripting knowledge. It also requires time and effort on your part to write the code. So, let’s try to overcome these challenges using Burp Macros. It will not only automate this process but also make the testing more efficient. On the plus side, it is pretty simple to use.

What is Burp Macros?

The word Macro literally means “a single instruction that a computer automatically reads as a set of instructions necessary to do a particular task”. Macros is plural of Macro and is also used in Microsoft Word. In Word, you can automate frequently used tasks by creating and running macros. A Macros is “a series of commands and instructions that you group together as a single command to accomplish a task automatically.”

The same feature is available in Burp Suite which will be used to solve the aforementioned problems.

Macros is a pre-defined sequence of one or more requests which can be used while testing a specific flow. This can be accessed under Project Options > Sessions >Macros

Using Burp Macros will make the testing process more effective and can significantly reduce the time to automate complex functionalities within an application.

How is Burp Macros useful in the aforementioned scenarios?

Quick Introduction to Burp Macros & its components

Before diving into the workings of Burp Macros, let us understand how the system works -

As you can see in the image below, Burp Macros can be accessed from Project Options >Sessions tab

Burp Suite > Project Options > Sessions tab

Burp Sessions tab has three components that work together to automate your process. The three components are-

i) Session handling rules which help you to define the rules and scope for each session Burp carries out.

ii) Cookie Jar that stores all the cookies issued by the visited website

iii) Macros defines the sequence of steps that are to be followed in each session.

Once the scope is defined, while it sets a parameter for Burp, it also defines rules that are to be followed like using Burp’s cookie jar. The Cookie jar will provide cookies to maintain valid sessions and Macros will define sequential steps.

You can refer to the following link to get a detailed account of these three components :

Demonstrating Burp Macros using Portswigger lab

For practically showing the working of Burp Macros, we will use the following lab from Portswigger web security academy :

Overview of the lab :

A vulnerable shopping website has a logic flaw in its purchasing flow and we need to exploit it to buy a leather jacket from your user account with credentials wiener:peter.

  • The user account has a $100 store credit and an option to redeem a gift card worth $10 which can be bought from the store and then can be redeemed by entering a code on the “My Account” page, as you can see in the images below :
User account home page after logging in
My account page: Option to redeem a gift card
  • When you explore the home page and move to the end of the page, there is an option to sign up for the newsletter. When you sign up with a random email id, you get a coupon code that can be used to get a discount during checkout.
Sign up for the newsletter
Coupon code which can be used during checkout
  • When we add a gift card to the cart and apply coupon code generated by signing up to the newsletter, we are charged $7 to the store credit and a gift card code is generated which can be redeemed on my account page (image shown earlier).
Final transaction from which we obtain the gift card coupon
  • Now when we go back and redeem the coupon, our new store balance becomes $103, which is the logic flaw in purchasing flow. This is because if we follow the same process a number of times, we can increase our store credit enough to buy the leather jacket, which is the aim of the lab.

Before we figure out the way to do that, let’s calculate how many requests we need to make to collect the required store credit :

Cost of the leather jacket = $1337

Store credit= $103

The amount required to purchase the jacket = $1337–$103 = $1234

Now we collect an extra $3 after redeeming each gift card.

So, the number of times we need to repeat the same process= 1234/3 = 411.3333

411.333 can be rounded up as 412.

This means that we need to repeat the same requests more than 400 times in order to increase our store credit to the required amount. In the next section, I will demonstrate how can we achieve that using Burp Macros

How to use Burp Macros?

As I have already discussed why Burp Macros is useful in this scenario, let me now demonstrate how to use it.

In order to do these iterations, our macro will need session handling information. Hence, we need to configure the same in the Session Handling Rules Editor. To open this, click on “add” under the session handling rules (in Project Options). Define the scope of the attack by clicking on “Add” and from the pop-up under the Scope tab, select “Include all URLs”

The cookie jar component of session handling is linked to the attack
Session handling rules editor to define the scope for session handling

Go back to the “Details” tab in the session handling rules editor and click on add > Run a Macro which will define the sequence of steps.

Macros component is also linked to the attack

Click on ‘add’ again to define the sequence of steps.

To define the sequence of steps for a single request

Macros recorder allows picking requests from your proxy history. For this case, you can include the following sequential requests from your proxy history by using control and left-click :

i) POST/ cart

ii) POST / cart/coupon

iii) POST/cart/checkout

iv) GET/cart/order-confirmation?order-confirmed=true

v) POST/gift-card

An example of how we select the sequential requests from proxy history

Click OK, the Macro editor will appear where you can configure items. Verify if the sequence of items is correct or you can select the request and move up or down.

In few scenarios like ours, two requests might be inter-dependent and we need to specify the relation to Macros so that the same can be repeated in all the requests.

Select the fourth request in Macro editor and click on configure item.

Macro editor with sequential requests
Specify inter-dependencies between the requests

A new dialogue box appears. Under define “custom parameter”, type gift-card and move down on the request to find the gift coupon code and select it to highlight it. Now click OK.

We perform this step because this request generates a gift-card coupon code which is redeemed in the next step. Highlight the coupon code to define the parameter value of this particular request.

Highlight gift-card code so that Macros can pick it up for all requests

Under parameter handling, we can see the “gift-card” parameter which we set in the previous response.

Burp Macros now needs to pick up this code from request 4 and redeem it in request 5. To define this, Click on the drop-down menu and select “Derive from prior response” which makes these two responses interdependent.

This means that now the fifth request in which we enter the gift-card coupon to redeem the coupon, we define the rule for succeeding requests to use the code derived in the previous step.

custom parameter appears which we defined
Inter-dependencies defined

This will keep adding credit to our account. The next step is to test if our Macro runs correctly and performs the intended attack. This is a cool feature because it gives a demo on whether the request is working correctly and all rules are correctly defined. On Macro editor screen, click on Test Macro to check the same.

When the Macro test finishes, we can see the result. We have to check if the fifth request has a generated a coupon code. (derived parameter: gift-card). The status code should also be a success.

Macro demo test results

What if the coupon code is not generated?

You need to recheck your steps if the coupon code is not generated because the purpose of the requests will not be fulfilled.

Some reasons why your coupon code is not generating could be :

  • 4th and 5th requests are not configured correctly
  • The coupon code in the 4th request is not highlighted and so the value of the custom parameter is not defined.

Find the error and test again to see if your demo test is successful this time.

So far, I have discussed Burp Macros and how to configure it so that the demo test is successful which tells us that it is ready to send payloads to the website. However, for this next part, we are required to send Null Payloads to the website.

Null Payloads: Generates payloads whose value is empty string and is used when an attack requires same request to be made repeatedly without any modification to basic template. Used for harvesting cookies for sequencing analysis, denial of service attacks where database is overloaded or keeping session token alive.

As we need to perform an intruder attack with Payload options, we need Burp Suite Pro. In the community edition, we cannot add payloads for the attack. Even if you do not use Burp Pro, but you are still with me, you should definitely see how we set the attack in intruder and complete the lab.

I have used the dark theme on my Burp Suite Pro to differentiate it from the community addition for your clarity.

Using Burp Intruder to send payloads :

Go to the Proxy tab >HTTP History and select GET/my-account request. Also, check that it is the correct request by checking if you can see Infinite money logic flow in the response. Right-click on the request and send the request to the intruder.

Click on the Intruder tab and click the “Positions” tab. We have the default attack: Sniper which is the one we will use. Clear default payloads.

Sniper: Type of attack in Burp intruder. Uses single payload set for all the selections but goes through one selection at a time and till then rest of the selections remain unaffected. It is used for fuzzing a number of request parameters individually for a common vulnerability. E.g. Used for username enumeration

Intruder > Positions

Move to the payloads tab and select payload type as Null Payloads because the value of this payload is an empty string and we will set the payloads to 412 and Macros will do the rest.

Intruder > Payloads: set to 412 as per our calculation

Select the “Options” tab and select thread count as one because it is a multi-step process. So, one request will be sent at a time. Then click on Start attack.

Intruder > Options > Thread count set to: 1

Wait till the attack finishes, then check your store credit. You should be able to buy the jacket with the credit available. You can even add “SIGNUP30" coupon to save some credits.

Add the jacket to the cart and place the order.

Store credit is more than the cost of the jacket

The lab is solved and we have successfully exploited a logic flaw using Burp Macros.

Conclusion

We learned how to use Burp Macros in order to automate complex steps while testing web applications. While this could also be done using programming language, that takes a good amount of time and energy.

I came across Burp Macros while learning “Business Logic Flaws” and it was really helpful for me because I am still learning pentesting and not very comfortable with writing codes yet. So, this is quite useful for someone like me and I decided to write a blog about it.

Also, this was my very first blog and I hope to learn more skills and share more blogs with the community. Even though I am not from a computer background, I am enjoying developing new skill sets in a brand new career.

If there is room for improvement, please advise. Hope you enjoyed the blog. Hoping to make good connections.

Stay safe!

Yet Another Information Security Enthusiast and an Aspiring Pentester, Former Hotelier.