How to Get Away with Murder Macros

Have you ever felt personally victimized by Burp Suite’s Macros? Well, fear not: after watching these three videos and following along with the exercises (including a custom practice app that we made just for you!), you’ll be a Macro Magician in no time!

  1. Basics of Macros
  2. Gathering Dynamic Values
  3. Macros for Complex Situations

Basics of Macros

In this first video, I cover a couple of basics of Macros: what they are, why we might use them, and 2 demos of basic usage.

I recommend that while watching the video, you follow along with the demos that use this lab: https://portswigger.net/web-security/csrf/lab-no-defenses

(Psst, a side-quest for these 3 videos is to count the number of Scannys that appear!)

Gathering Dynamic Values

In this second video, I cover the next layer of complexity with macros: gathering dynamic values from responses and using them in following requests. I also touch on some related extensions: 

  • Token Extractor (this one is covered the most)
  • Custom Parameter Handler
  • Add Custom Header
  • Authentication Token Obtain and Replace
  • Stepper

Again, I recommend that you follow along with the demo using this lab: https://portswigger.net/web-security/csrf/bypassing-token-validation/lab-token-not-tied-to-user-session

For additional practice on this same concept, as well as incorporating some elements from the first video, I recommend downloading OWASP’s Juice Shop and creating a login macro. Note that the tricky part there is that the login response doesn’t contain a “Set-Cookie” header, so the value you need has to be pulled from somewhere other than a cookie.

This one might be a bit complex, but another practice lab could be to make a macro to gather the CSRF token and CSRF key (cookie) to repeatedly change a user’s email via this lab: https://portswigger.net/web-security/csrf/bypassing-token-validation/lab-token-tied-to-non-session-cookie. Assume that you need to use a new CSRF Key cookie and CSRF token in each email change request. Hint: you’ll have two requests in the macro, one to get the initial CSRF token, CSRF key cookie, and unauthenticated session cookie, and the other to get the authenticated session. 

Macros for Complex Situations

In this last video, I cover and demonstrate macros for very complex situations that require multiple requests and multiple variable updates. 

The key steps that I cover for dealing with complex macros are:

  1. Replicate browser behavior in Repeater
  2. Look for reductions in steps
  3. Write down required URLs
     • Optionally: mark where parameters are set and used
  4. Select Macro steps and test
  5. Alternate between setting tokens and testing your Macro
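To make the two ideas above concrete (harvesting dynamic values from a response, then feeding them into the next request, and chaining several such steps the way a multi-request macro does), here is an added Python sketch of what a session-handling macro does under the hood. It is not code from this post or from Burp Suite; the responses, cookie names, token names and the `practice.local` host are all constructed sample data. It also covers the Juice Shop case mentioned earlier, where the token lives in a JSON body rather than a `Set-Cookie` header.

```python
import json
from html.parser import HTMLParser
from http.cookies import SimpleCookie


class HiddenInputParser(HTMLParser):
    """Collect name -> value for <input type="hidden">, the usual home of a CSRF token."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""


def extract_values(response_headers, body, token_names=("csrf", "token")):
    """Mimic a macro's 'custom parameter locations': pull cookies from Set-Cookie
    and any token-looking value from hidden form inputs or a JSON body."""
    cookies = {}
    for name, value in response_headers:
        if name.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for key, morsel in jar.items():
                cookies[key] = morsel.value

    tokens = {}
    ctype = next((v for n, v in response_headers if n.lower() == "content-type"), "")
    if "json" in ctype.lower():
        try:
            data = json.loads(body)
        except json.JSONDecodeError:
            data = {}
        stack = [data]  # walk nested objects looking for token-like keys
        while stack:
            cur = stack.pop()
            if isinstance(cur, dict):
                for k, v in cur.items():
                    if isinstance(v, (dict, list)):
                        stack.append(v)
                    elif isinstance(v, str) and any(t in k.lower() for t in token_names):
                        tokens[k] = v
            elif isinstance(cur, list):
                stack.extend(cur)
    else:
        parser = HiddenInputParser()
        parser.feed(body)
        for k, v in parser.hidden.items():
            if any(t in k.lower() for t in token_names):
                tokens[k] = v
    return cookies, tokens


def apply_to_request(request_headers, params, cookie_jar, tokens):
    """Update the next request like a session-handling rule would: rewrite the Cookie
    header from the jar and overwrite matching parameters with harvested tokens."""
    headers = [(n, v) for n, v in request_headers if n.lower() != "cookie"]
    if cookie_jar:
        headers.append(("Cookie", "; ".join(f"{k}={v}" for k, v in cookie_jar.items())))
    new_params = dict(params)
    for k, v in tokens.items():
        if k in new_params:
            new_params[k] = v
    return headers, new_params


# Constructed sample responses for a two-step login chain (not real traffic).
RESP_LOGIN_PAGE = (
    [("Content-Type", "text/html"), ("Set-Cookie", "session=anon123; HttpOnly; Path=/")],
    '<form method="post"><input type="hidden" name="csrf" value="tok-abc">'
    '<input name="username"><input name="password"></form>',
)
RESP_LOGIN_DONE = (
    [("Content-Type", "text/html"), ("Set-Cookie", "session=auth456; HttpOnly; Path=/")],
    "<p>Welcome back</p>",
)
# Constructed JSON login response in the style of an API that never sets a cookie.
RESP_JSON_LOGIN = (
    [("Content-Type", "application/json")],
    '{"authentication": {"token": "eyJ.constructed.jwt", "umail": "hugo@practice.local"}}',
)


def run_chain():
    """Replay the macro: each step's harvested values flow into the next request."""
    jar, headers = {}, [("Host", "practice.local")]
    params = {"csrf": "", "username": "Hugo", "password": "I8StinkySocks!"}
    for resp_headers, body in (RESP_LOGIN_PAGE, RESP_LOGIN_DONE):
        cookies, tokens = extract_values(resp_headers, body)
        jar.update(cookies)  # later Set-Cookie values replace earlier ones
        headers, params = apply_to_request(headers, params, jar, tokens)
    return headers, params


def json_token():
    return extract_values(*RESP_JSON_LOGIN)[1]


if __name__ == "__main__":
    print(run_chain())
    print(json_token())
```

Reading the output against the steps: the first response hands over the anonymous session cookie and the CSRF token, the second replaces the session cookie with the authenticated one, and the final request carries the current jar plus the token that was set back in step one, which is exactly the "mark where parameters are set and used" bookkeeping the list above asks for.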

Unsurprisingly, I recommend that you follow along with the demo using this lab: https://portswigger.net/web-security/oauth/lab-oauth-authentication-bypass-via-oauth-implicit-flow

Because that last concept is a real doozy, and you may not even feel confident after following along, we’ve built a custom application (RIGHT HERE) for you to run to be able to practice the concepts taught in all 3 of these videos.

What is this app?
A stock trading app that has a multi-step process. In order to efficiently test for the stored Cross-Site Scripting (XSS) that exists on the application, you’ll need to make a macro! Also, be sure to have your volume up when you use the app…

Is there anything else I should know?
Here are the built-in users:

Username    Password
Hugo        I8StinkySocks!
Layla       2BirdsInHand!
Silas       99Problems&UR!1

Here are the Authorized Tickers:

  • LUV
  • EAT
  • HOG
  • PLAY
  • BOOM
  • BEN
  • CAKE

I’m having a hard time replicating the flow, can I have a hint?

    If there’s something you can’t see, remember to check your responses. Yes, we are encouraging you to test in Burp!

I’m still having a hard time, but this time I can’t figure out how to have the whole flow automated. CAN I PLEASE GET ANOTHER HINT?

    Remember that you can have both pre and post-request macros…you might need both here 😉

Ok, I’ve got the macro and I’ve found the XSS, is there anything else I can do?

You can try to replicate testing for XSS in Intruder by making sure that you’re following redirects and using Grep – Extract to return the outcome of your payload.

Another thing you can try is to go in blindfolded and practice brute-forcing at each step assuming no prior knowledge. For example, brute-force usernames, passwords, the MFA code, and ticker. You might have a harder time brute-forcing the longer CSRF token or the transaction ID, but you’re welcome to do that too!

Now, with all of that, hopefully you’ve conquered any lingering fears of Macros and can use them to aid your testing process.

Remember that their uses aren’t just limited to the examples that I’ve shown above, so get creative with it! Proactively think about when the introduction of a Macro might either save you time or allow you to introduce automation. In the meantime, check out more of our technical blogs on Web Application Penetration Testing here.