Burp Macros: What, Why & How?

While performing manual or automated testing, do you run into problems like these?

i) The application keeps terminating the session, so you have to restore it time and again.

ii) To prevent request forgery (CSRF), some functions use changing tokens that must be supplied with each request.

iii) To test a particular function, you need to perform a series of steps in a fixed order, and repeat the whole series many times.

If so, then this blog is for you.

Obviously, you could automate the process with a Python script, but that requires scripting knowledge, and writing and debugging the script takes time and effort. So let's try to overcome these challenges using Burp Macros. They not only automate the process but also make testing more efficient, and on the plus side they are pretty simple to use.

What are Burp Macros?

Burp Suite has a built-in feature that solves exactly these problems.

A macro is a predefined sequence of one or more requests that can be replayed while testing a specific flow. Macros live under Project Options > Sessions > Macros.

Using Burp Macros makes testing more effective and can significantly reduce the time needed to automate complex, multi-step functionality within an application.

How are Burp Macros useful in the aforementioned scenarios?

Quick Introduction to Burp Macros & its components

As the image below shows, Burp Macros are reached from the Project Options > Sessions tab.

Burp Suite > Project Options > Sessions tab

The Burp Sessions tab has three components that work together to automate the process:

i) Session handling rules define the scope (URLs and tools) of each rule and the actions Burp carries out whenever the rule applies.

ii) The cookie jar stores the cookies issued by the websites you visit.

iii) Macros define the sequence of requests that a rule replays.

Once a rule's scope is defined, its actions tell Burp what to do for matching requests: for example, use the cookie jar, which supplies cookies to keep sessions valid, or run a macro, which issues the sequential requests.

You can refer to the following link for a detailed account of these three components:

Demonstrating Burp Macros using a PortSwigger lab

Overview of the lab:

A vulnerable shopping website has a logic flaw in its purchasing flow, and we need to exploit it to buy a leather jacket using the user account wiener:peter.

  • The account has $100 of store credit. The store sells a $10 gift card, which can be redeemed by entering its code on the "My Account" page, as the images below show:
User account home page after logging in
My account page: option to redeem a gift card
  • At the bottom of the home page there is an option to sign up for the newsletter. Signing up with any email address yields a coupon code that gives a discount at checkout.
Sign up for the newsletter
Coupon code that can be used during checkout
  • When we add a gift card to the cart and apply the coupon code obtained from the newsletter sign-up, only $7 is charged to the store credit, and a gift card code is issued that can be redeemed on the My Account page (image shown earlier).
Final transaction from which we obtain the gift card code
  • When we go back and redeem the gift card, our store balance becomes $103. That is the logic flaw in the purchasing flow: the coupon discounts what we pay for the card, but the card is still redeemed at its $10 face value. Repeating the process enough times therefore raises our store credit until we can afford the leather jacket, which is the aim of the lab.

Before working out how to do that, let's calculate how many rounds we need to collect the required store credit:

Cost of the leather jacket = $1337

Store credit = $103

Amount still required = $1337 - $103 = $1234

Each round (buy a discounted gift card, then redeem it) nets an extra $3.

Number of rounds needed = 1234 / 3 = 411.333...

Rounding up gives 412.

So we need to repeat the same sequence of requests more than 400 times to raise our store credit to the required amount. The next section shows how to do that with Burp Macros.

How to use Burp Macros?

To run these iterations, the macro needs session handling context, so we configure it in the Session Handling Rules Editor. To open it, click "Add" under Session handling rules (in Project Options). On the Scope tab of the pop-up, define the rule's scope by selecting "Include all URLs", and check that Intruder is among the tools the rule applies to, since that is the tool that will drive it.

The cookie jar component of session handling is linked to the rule
Session handling rules editor: defining the scope of the rule

Go back to the "Details" tab in the editor and click Add > Run a macro; this is the action that will replay the sequence of requests.

The macro component is also linked to the rule

Click "Add" again to define the sequence of requests.

Defining the sequence of requests for one round

The macro recorder lets you pick requests from your proxy history. For this lab, Ctrl+click the following requests, in this order:

i) POST /cart

ii) POST /cart/coupon

iii) POST /cart/checkout

iv) GET /cart/order-confirmation?order-confirmed=true

v) POST /gift-card

Selecting the sequential requests from proxy history

Click OK and the Macro Editor appears, where each item can be configured. Verify that the requests are in the correct order; if not, select a request and move it up or down.

In some scenarios, like ours, two requests are interdependent, and we have to tell the macro about the relation so that it is honoured on every run.

Select the fourth request in the Macro Editor and click Configure item.

Macro Editor with the sequential requests
Specifying the dependency between the requests

A new dialog appears. Under the custom parameter definition, enter the name gift-card, scroll down the response to the gift card code, and select it so it is highlighted. Then click OK.

We do this because the response to this request contains the newly issued gift card code, which is redeemed in the next step. Highlighting the code tells the macro where in the response to extract the parameter value from on each run.

Highlight the gift card code so that the macro can extract it on every run

Now select the fifth request (POST /gift-card) and click Configure item. Under Parameter handling, the request's gift-card parameter is listed, with the same name as the custom parameter we defined on the previous response.

The macro must take the code extracted from response 4 and submit it in request 5. To define this, open the drop-down for that parameter and select "Derive from prior response", which makes the two items interdependent.

From now on, every run of the macro sends the fifth request, which redeems the gift card, with the code obtained in the previous step rather than the one recorded in the proxy history.

The custom parameter we defined appears
Dependency defined

The macro should now add credit to our account on every run. The next step is to test whether it actually runs correctly and performs the intended attack. This is a handy feature: it shows whether each request succeeds and whether all the rules are defined correctly. In the Macro Editor, click Test macro.

When the test finishes, check the result: the fifth request should carry the gift card code extracted from the fourth response (derived parameter gift-card), and every response should have a success status code.

Macro test results

What if the gift card code is not populated?

Some reasons why the gift card code is not being picked up:

  • The 4th and 5th requests are not configured correctly.
  • The code in the 4th response was not highlighted, so the custom parameter has no defined location.

Fix the error and run Test macro again until it succeeds.

So far I have discussed Burp Macros and how to configure them so that the test passes, which tells us the macro is ready to be driven by another tool. For the next part we drive it from Burp Intruder using Null payloads.

Null payloads: a payload type that generates payloads whose value is the empty string. It is used when an attack requires the same request to be sent repeatedly without changing the base request, for example to harvest cookies or tokens for Sequencer analysis, to keep a session token alive, or to load-test a function.

Because we need to run an Intruder attack with these payload options, we need Burp Suite Pro: the Community Edition does not let us set up the payloads for this attack and also throttles Intruder, which matters for 400-plus requests. Even without Burp Pro, it is worth following along to see how the attack is set up in Intruder and the lab completed.

I have used the dark theme in Burp Suite Pro to distinguish it from the Community Edition screenshots.

Using Burp Intruder to send payloads:

Send any in-scope request to Intruder (the session handling rule runs the macro before each request Intruder sends, so the request itself hardly matters). Open the Intruder tab and go to the Positions tab. The default attack type, Sniper, is the one we will use. Clear the default payload positions with Clear §.

Sniper: an Intruder attack type that uses a single payload set and places each payload into one position at a time, leaving the other positions untouched. It is used to fuzz several request parameters individually for a common vulnerability, e.g. username enumeration. Here there are no positions at all, so the attack type only determines how many requests are sent: one per payload.

Intruder > Positions

On the Payloads tab, set the payload type to Null payloads, whose value is the empty string, and generate 412 payloads as calculated above. The macro does the rest.

Intruder > Payloads: set to 412 as per our calculation

On the Options tab (Resource pool in newer Burp versions), set the number of threads, i.e. concurrent requests, to 1, because each round is a multi-step, stateful sequence: running rounds in parallel would let one run's checkout or redemption interfere with another's. Then click Start attack.

Intruder > Options > Thread count set to: 1

Wait until the attack finishes, then check your store credit; it should now exceed the price of the jacket. You can even apply the "SIGNUP30" coupon to save some credit.

Add the jacket to the cart and place the order.

Store credit is more than the cost of the jacket

The lab is solved and we have successfully exploited a logic flaw using Burp Macros.
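The whole flow above, scripted in Python as an added example that is not part of the original post or of the lab. A small in-memory model stands in for the vulnerable shop so the script runs offline; the model itself, the route names used as method names, the confirmation-page HTML, the gift card code format and the hardened FixedShop variant are all assumptions. The loop does what the macro plus Null payloads do: it extracts the gift card code from the confirmation response and feeds it into the redemption request on every round, after checking the per-round gain the way the calculation above does.

```python
import math
import re
import secrets

JACKET_PRICE = 1337
GIFT_CARD_PRICE = 10
COUPON_PERCENT_OFF = {"SIGNUP30": 30}   # the newsletter coupon from the lab


class VulnerableShop:
    """Assumed in-memory model of the lab's purchasing flow (not the real server).
    Flaw: the coupon discounts the charge, but the card is redeemed at face value."""
    def __init__(self, credit=100):
        self.credit = credit
        self.cart = []            # (product, price) pairs
        self.coupon = None
        self.issued_codes = {}    # code -> face value; removed on redemption
        self.last_order = []

    def post_cart(self, product):            # step 1: POST /cart
        price = GIFT_CARD_PRICE if product == "gift-card" else JACKET_PRICE
        self.cart.append((product, price))
        return "302 /cart"

    def post_cart_coupon(self, coupon):      # step 2: POST /cart/coupon
        if coupon not in COUPON_PERCENT_OFF:
            return "400 Invalid coupon"
        self.coupon = coupon
        return "302 /cart"

    def post_cart_checkout(self):            # step 3: POST /cart/checkout
        total = sum(price for _, price in self.cart)
        if self.coupon:
            total = total * (100 - COUPON_PERCENT_OFF[self.coupon]) // 100  # $10 -> $7
        if total > self.credit:
            return "303 /cart?err=INSUFFICIENT_FUNDS"
        self.credit -= total
        self.last_order, self.cart, self.coupon = self.cart, [], None
        return "303 /cart/order-confirmation?order-confirmed=true"

    def get_order_confirmation(self):        # step 4: GET /cart/order-confirmation
        rows = []
        for product, _ in self.last_order:
            if product == "gift-card":
                code = secrets.token_hex(5)                  # assumed code format
                self.issued_codes[code] = GIFT_CARD_PRICE    # face value, not price paid
                rows.append(f"<tr><td>{code}</td></tr>")
        return "<table><tr><th>Gift card code</th></tr>" + "".join(rows) + "</table>"

    def post_gift_card(self, code):          # step 5: POST /gift-card
        value = self.issued_codes.pop(code, None)
        if value is None:
            return "400 Invalid gift card"
        self.credit += value
        return "302 /my-account"


class FixedShop(VulnerableShop):
    """Hardened variant (assumed fix): coupons are refused on orders containing
    gift cards, so a card can never be bought for less than it redeems for."""
    def post_cart_coupon(self, coupon):
        if any(product == "gift-card" for product, _ in self.cart):
            return "400 Coupons cannot be applied to gift cards"
        return super().post_cart_coupon(coupon)


GIFT_CARD_RE = re.compile(r"<td>([0-9a-f]{10})</td>")   # matches the assumed format

def derive_gift_card_code(confirmation_html):
    """Stand-in for the macro's custom parameter defined on response 4."""
    match = GIFT_CARD_RE.search(confirmation_html)
    if not match:
        raise ValueError("gift-card code not found in order confirmation")
    return match.group(1)

def rounds_needed(target, credit, gain_per_round):
    """Ceiling division, mirroring 1234 / 3 -> 412 in the text."""
    return max(0, math.ceil((target - credit) / gain_per_round))

def run_macro_once(shop):
    """One run of the five-step macro, with the checks 'Test macro' makes."""
    shop.post_cart("gift-card")
    shop.post_cart_coupon("SIGNUP30")
    location = shop.post_cart_checkout()
    if "order-confirmed=true" not in location:          # status check
        raise RuntimeError(f"checkout failed: {location}")
    shop.post_gift_card(derive_gift_card_code(shop.get_order_confirmation()))
    return shop.credit

def farm_credit(shop, target=JACKET_PRICE):
    """One round to measure the gain, then exactly the extra rounds the ceiling
    calculation gives. Rounds are sequential on purpose: cart, coupon and last
    order are per-session state, which is why Intruder runs with one thread.
    Returns (rounds run, final credit)."""
    start = shop.credit
    gain = run_macro_once(shop) - start
    if gain <= 0:
        raise RuntimeError("no net credit gain: the logic flaw is absent or fixed")
    extra = rounds_needed(target, shop.credit, gain)
    for _ in range(extra):
        run_macro_once(shop)
    return extra + 1, shop.credit
```

farm_credit(VulnerableShop()) returns (413, 1339): the one measuring round plus the 412 calculated ones, leaving enough credit to check out the jacket. Against FixedShop the first round nets nothing and the function stops before sending 400 more requests, which is the same signal as a macro test whose derived parameter stays empty: confirm the per-round gain before launching the Intruder attack.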

Conclusion

I came across Burp Macros while learning about "Business Logic Flaws", and it was really helpful for me because I am still learning pentesting and not very comfortable with writing code yet. So this is quite useful for someone like me, and I decided to write a blog about it.

Also, this was my very first blog, and I hope to learn more skills and share more blogs with the community. Even though I am not from a computer background, I am enjoying developing new skill sets in a brand new career.

If there is room for improvement, please advise. I hope you enjoyed the blog, and I am hoping to make good connections.

Stay safe!

Yet Another Information Security Enthusiast and an Aspiring Pentester, Former Hotelier.
