Have you ever felt personally victimized by Burp Suite’s Macros? Well fear not, after watching these three videos and following along with the exercises (including a custom practice app that we made just for you!), you’ll be a Macro Magician in no time!
Basics of Macros
Gathering Dynamic Values
Macros for Complex Situations
Basics of Macros
In this first video, I cover a couple of basics of Macros: what they are, why we might use them, and 2 demos of basic usage.
(Psst, a side-quest for these 3 videos is to count the number of Scanny’s that appear!)
Gathering Dynamic Values
In this second video, I cover the next layer of complexity with macros: gathering dynamic values from responses and using them in following requests. I also touch on some related extensions:
For additional practice on this same concept, as well as incorporating some elements from the first video, I recommend downloading OWASP's Juice Shop and creating a login macro. Note that the tricky part is that the response to the login request doesn't contain a "Set-Cookie" header.
This one might be a bit complex, but another practice lab could be to make a macro to gather the CSRF token and CSRF key (cookie) to repeatedly change a user’s email via this lab: https://portswigger.net/web-security/csrf/bypassing-token-validation/lab-token-tied-to-non-session-cookie. Assume that you need to use a new CSRF Key cookie and CSRF token in each email change request. Hint: you’ll have two requests in the macro, one to get the initial CSRF token, CSRF key cookie, and unauthenticated session cookie, and the other to get the authenticated session.
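As an added illustration (not code from the videos or the practice app), the script below does in plain Python what that two-request macro does with Burp's cookie jar and a custom parameter: it parses two constructed responses, carries the session and csrfKey cookies forward (the login response overwrites the unauthenticated session), and pulls the csrf token out of the HTML for the next request. The cookie names, token values and form markup are assumptions, not captured from the real lab.

```python
import re
from http.cookies import SimpleCookie

# Constructed responses standing in for the macro's two steps
# (hypothetical values; not captured from the PortSwigger lab).
STEP1_RESPONSE = (            # GET /login: unauth session, csrfKey, csrf token
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session=unauth123; Secure; HttpOnly\r\n"
    "Set-Cookie: csrfKey=key456; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<form method="POST" action="/login">\n'
    '<input required type="hidden" name="csrf" value="tokenABC">\n'
    "</form>\n"
)
STEP2_RESPONSE = (            # POST /login: authenticated session
    "HTTP/1.1 302 Found\r\n"
    "Location: /my-account\r\n"
    "Set-Cookie: session=auth789; Secure; HttpOnly\r\n"
    "\r\n"
)

CSRF_RE = re.compile(r'name="csrf"\s+value="([^"]+)"')

def split_response(raw):
    """Split a raw HTTP response into a header list and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = [tuple(line.split(": ", 1)) for line in lines[1:]]
    return headers, body

def cookies_from(headers):
    """Collect name=value pairs from every Set-Cookie header (flags dropped)."""
    jar = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            parsed = SimpleCookie()
            parsed.load(value)
            for key, morsel in parsed.items():
                jar[key] = morsel.value
    return jar

def csrf_from(body):
    """Return the hidden csrf form value, or None if the body has no form."""
    match = CSRF_RE.search(body)
    return match.group(1) if match else None

def run_macro(step1_raw, step2_raw):
    """Replay the two macro steps and build the values the next request needs."""
    jar = {}
    headers1, body1 = split_response(step1_raw)
    jar.update(cookies_from(headers1))          # session (unauth) + csrfKey
    token = csrf_from(body1)                     # csrf token tied to csrfKey
    headers2, _ = split_response(step2_raw)
    jar.update(cookies_from(headers2))          # authenticated session wins
    cookie_header = "; ".join(f"{k}={v}" for k, v in jar.items())
    return {"Cookie": cookie_header, "csrf": token}
```

In Burp, the same result comes from letting the macro update the cookie jar and defining csrf as a custom parameter derived from the first response.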
Macros for Complex Situations
In this last video, I cover and demonstrate macros for very complex situations that require multiple requests and multiple variable updates.
The key steps that I cover for dealing with complex macros are:
Replicate browser behavior in Repeater
Look for reductions in steps
Write down required URLs
Optionally: mark where parameters are set and used
Select Macro steps and test
Alternate between setting tokens and testing your Macro
Because that last concept is a real doozy, and you may not even feel confident after following along, we’ve built a custom application (RIGHT HERE) for you to run to be able to practice the concepts taught in all 3 of these videos.
What is this app? A stock trading app that has a multi-step process. In order to efficiently test for the stored Cross-Site-Scripting (XSS) that exists on the application, you’ll need to make a macro! Also, be sure to have your volume up when you use the app…
Is there anything else I should know? Here are the built-in users:
Username   Password
Hugo       I8StinkySocks!
Layla      2BirdsInHand!
Silas      99Problems&UR!1
Here are the Authorized Tickers: LUV, EAT, HOG, PLAY, BOOM, BEN, CAKE
I'm having a hard time replicating the flow, can I have a hint?
If there’s something you can’t see, remember to check your responses. Yes, we are encouraging you to test in Burp!
I'm still having a hard time, but this time I can't figure out how to have the whole flow automated. CAN I PLEASE GET ANOTHER HINT?
Remember that you can have both pre- and post-request macros…you might need both here 😉
Ok, I’ve got the macro and I’ve found the XSS, is there anything else I can do?
You can try to replicate testing for XSS in Intruder by making sure that you're following redirects and using Grep - Extract to return the outcome of your payload.
Another thing you can try is to go in blindfolded and practice brute-forcing at each step assuming no prior knowledge. For example, brute-force usernames, passwords, the MFA code, and ticker. You might have a harder time brute-forcing the longer CSRF token or the transaction ID, but you’re welcome to do that too!
Now, with all of that, hopefully you’ve conquered any lingering fears of Macros and can use them to aid your testing process.
Remember that their uses aren’t just limited to the examples that I’ve shown above, so get creative with it! Proactively think about when the introduction of a Macro might either save you time or allow you to introduce automation. In the meantime, check out more of our technical blogs on Web Application Penetration Testing here.