Burp Macros: What, Why & How?

What are Burp Macros?

Quick introduction to Burp Macros and their components

Burp Suite > Project Options > Sessions tab

Demonstrating Burp Macros using Portswigger lab

  • The user account starts with $100 of store credit. The store sells a $10 gift card, and a purchased gift card's code can be redeemed for store credit by entering it on the "My Account" page, as the images below show:
User account home page after logging in
My account page: Option to redeem a gift card
  • At the bottom of the home page there is an option to sign up for the newsletter. Signing up with any email address returns a coupon code that gives a discount at checkout.
Sign up for the newsletter
Coupon code which can be used during checkout
  • When we add a gift card to the cart and apply the coupon code obtained from the newsletter signup, $7 is charged to the store credit and a gift card code is generated, which can be redeemed on the My Account page (image shown earlier).
Final transaction from which we obtain the gift card code
  • When we go back and redeem that gift card code, the store credit becomes $103: we paid $7 for a card that is redeemed at its $10 face value, a net gain of $3 per cycle. This is the logic flaw in the purchasing flow. Repeating the same cycle enough times raises the store credit high enough to buy the leather jacket, which is the aim of the lab.

How to use Burp Macros?

The cookie jar component of session handling, which the macro and the attack tools share
Session handling rules editor, used to define the scope (tools and URLs) for session handling
The Macros component is also linked to the attack
A macro defines a sequence of requests that Burp replays as a single unit
An example of how we select the sequential requests from proxy history
Macro editor with sequential requests
Specify inter-dependencies between the requests
Highlight the gift-card code in the response so that the macro extracts it as a custom parameter for the later requests
The custom parameter we defined now appears
Inter-dependencies defined
Macro demo test results

What if the gift card code is not extracted?

  • The 4th and 5th requests are not configured correctly.
  • The gift card code in the 4th request's response is not highlighted, so the custom parameter has no value and the 5th (redeem) request is sent without a freshly extracted code.

Using Burp Intruder to send payloads:

Intruder > Positions
Intruder > Payloads: number of payloads set to 412, the number of macro runs our calculation says are needed
Intruder > Options > Thread count set to 1, so each macro run completes before the next starts and the cart state of one run is not interleaved with another
Store credit is more than the cost of the jacket
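The whole procedure above (the purchase cycle, the macro whose 4th request feeds a custom parameter into the 5th, the misconfigured case where the code is not extracted, and the Intruder loop that repeats the macro) can be modelled end to end. The following is an added example written for this page, not code from the original post, from Burp, or from the PortSwigger lab. It assumes a constructed in-memory shop with a 30% newsletter coupon (so a $10 card costs $7), a jacket price of $1337, hypothetical step names, and a hypothetical stale code standing in for the value recorded in proxy history; the regexes play the role of highlighting a value in the macro editor.

```python
import math
import re
import secrets


class Shop:
    """Constructed in-memory model of the lab's purchasing flow (hypothetical, not the real lab)."""
    GIFT_CARD_PRICE = 10
    COUPON_PERCENT = 30  # newsletter coupon: 30% off, so a $10 gift card is charged at $7

    def __init__(self, credit=100):
        self.credit, self.cart, self.coupon_applied = credit, 0, False
        self.coupons, self.unredeemed, self.last_card = set(), set(), None

    def newsletter(self, email):
        code = "SIGNUP-" + secrets.token_hex(2).upper()
        self.coupons.add(code)
        return f"<p>Thanks {email}! Use coupon <b>{code}</b> at checkout.</p>"

    def add_to_cart(self, product_id):
        self.cart += self.GIFT_CARD_PRICE
        return "<p>Added to cart</p>"

    def apply_coupon(self, code):
        if code not in self.coupons:
            return '<p class="error">Invalid coupon</p>'
        self.coupon_applied = True
        return "<p>Coupon applied</p>"

    def checkout(self):
        total = self.cart
        if self.coupon_applied:
            total = total * (100 - self.COUPON_PERCENT) // 100
        if total > self.credit:
            return '<p class="error">Insufficient funds</p>'
        self.credit -= total
        self.last_card = secrets.token_hex(5)
        self.unredeemed.add(self.last_card)
        self.cart, self.coupon_applied = 0, False
        return "<p>Redirecting to order confirmation</p>"

    def order_confirmation(self):
        return f"<table><tr><th>Gift card code</th><td>{self.last_card}</td></tr></table>"

    def redeem(self, code):
        if code not in self.unredeemed:
            return '<p class="error">Invalid gift card</p>'
        self.unredeemed.remove(code)
        self.credit += self.GIFT_CARD_PRICE  # the flaw: credits face value, not the $7 paid
        return f"<p>Store credit: ${self.credit}</p>"


def get_coupon(shop, email):
    # One-off newsletter signup; returns the coupon code found in the response
    return re.search(r"<b>([A-Z0-9-]+)</b>", shop.newsletter(email)).group(1)


def build_macro(shop, coupon, extract_gift_card=True):
    """Five steps: (name, request taking the custom-parameter dict, optional (param, regex)).
    extract_gift_card=False leaves the 4th request unconfigured; the 5th then sends a stale code."""
    stale_code = "0000000000"  # hypothetical code captured when the macro was recorded
    return [
        ("add gift card to cart", lambda p: shop.add_to_cart(2), None),
        ("apply coupon", lambda p: shop.apply_coupon(coupon), None),
        ("checkout", lambda p: shop.checkout(), None),
        ("order confirmation", lambda p: shop.order_confirmation(),
         ("gift_card", r"<td>([0-9a-f]{10})</td>") if extract_gift_card else None),
        ("redeem gift card", lambda p: shop.redeem(p.get("gift_card", stale_code)), None),
    ]


def run_macro(steps):
    # Execute the steps in order, carrying extracted custom parameters into later requests
    params = {}
    for name, request, extractor in steps:
        body = request(params)
        if extractor:
            pname, pattern = extractor
            match = re.search(pattern, body)
            if match is None:
                raise RuntimeError(f"{name}: custom parameter {pname!r} not found in response")
            params[pname] = match.group(1)
    return params


def cycles_needed(credit, target, gain):
    # Macro runs needed to lift `credit` to at least `target` when each run nets `gain`
    return max(0, math.ceil((target - credit) / gain))


def drain(shop, coupon, target):
    """Run the macro once per Intruder payload, strictly sequentially (thread count 1)."""
    gain = shop.GIFT_CARD_PRICE - shop.GIFT_CARD_PRICE * (100 - shop.COUPON_PERCENT) // 100
    runs = cycles_needed(shop.credit, target, gain)
    for _ in range(runs):
        run_macro(build_macro(shop, coupon))
    return runs, shop.credit
```

After one demo run of the macro the credit goes from $100 to $103; with the assumed $1337 jacket, `cycles_needed(103, 1337, 3)` gives 412 further runs, matching the payload count used above, and `drain` ends at $1339. With `extract_gift_card=False` the redeem step sends the stale code, the redemption is rejected, and the credit only falls to $93, which is the symptom described in the misconfiguration section. The runs are sequential because the cart and checkout are per-session state that concurrent macro runs would interleave.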

Conclusion

Akshita Gupta
Yet Another Information Security Enthusiast and an Aspiring Pentester, Former Hotelier.