Uniqueness plugin for Burp Suite

Makes requests unique based on regular expressions. Handy for registration forms and any other endpoint that requires unique values upon every request.

Usage

Install the extension, and a new tab called Uniqueness appears with several options:

Uniqueness tab in Burp

As the example in the screenshot above the list shows, the plugin uses the first capture group (number 1) of the regular expression after evaluation, so the expression must contain at least one group (delimited by parentheses). In regex, group 0 (which programmers would also call the first) contains the whole match, hence the clarification: the group used is number 1, not 0.

The built-in regular expression engine of the Java runtime is used; its interpretation of the standard, including character classes and flags, can be found in the JDK documentation of java.util.regex.Pattern.

In the above example, anything between user and the @ sign will be replaced in e-mail addresses starting with vsza+user and ending in @silentsignal.hu. If pressing the Compile button doesn't result in an error message, you're good to go, and can continue with the next step.
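The group-1 substitution described above, as an added sketch that is not the plugin's own code. The regex is constructed to fit the description rather than copied from the screenshot, and the counter used as the unique value, the sample request body and the class and method names are assumptions.

```java
import java.util.concurrent.atomic.AtomicLong;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class UniquenessSketch {
    // Assumption: a counter supplies the unique value; the page does not say
    // how the plugin generates it.
    private static final AtomicLong COUNTER = new AtomicLong(1);

    /** Replaces only capture group 1 of every match; the rest of the match is kept. */
    static String makeUnique(Pattern pattern, String request) {
        Matcher m = pattern.matcher(request);
        if (m.groupCount() < 1) {
            // Group 0 is the whole match, so a pattern without parentheses
            // gives the plugin nothing to substitute.
            throw new IllegalArgumentException("expression needs at least one group");
        }
        StringBuilder out = new StringBuilder();
        int last = 0;
        while (m.find()) {
            if (m.start(1) < 0) continue; // group 1 did not take part in this match
            out.append(request, last, m.start(1)); // text before the group, unchanged
            out.append(COUNTER.getAndIncrement()); // the unique value
            last = m.end(1);
        }
        return out.append(request, last, request.length()).toString();
    }

    public static void main(String[] args) {
        // Constructed regex: group 1 is whatever sits between "user" and "@".
        Pattern p = Pattern.compile("vsza\\+user([^@]*)@silentsignal\\.hu");
        // Constructed sample request body.
        String body = "name=test&email=vsza+user@silentsignal.hu";
        System.out.println(makeUnique(p, body)); // first send
        System.out.println(makeUnique(p, body)); // second send, different address
        try {
            // Same expression without a group: rejected instead of silently ignored.
            makeUnique(Pattern.compile("vsza\\+user[^@]*@silentsignal\\.hu"), body);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because only the span of group 1 is rewritten, the literal prefix and the domain in the expression act as anchors that keep the substitution from touching other parts of the request.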

In the Session Handling Rules section of the Sessions subtab of the Project options tab, you can add rules that perform certain actions when the specified triggers occur.

Session handling rule with Uniqueness

Give the rule a description you like, and in the Actions list add an action that invokes an extension handler, then pick Uniqueness. On the other tab, you can also set a scope that limits the subset of requests this rule will apply to.

With the session handling rule in place, every tool within the scope of the rule will invoke the magic of this plugin. Below is an example using Repeater.

Repeater being affected by Uniqueness

Building

Execute ant, and you'll have the plugin ready in burp-uniqueness.jar.

Dependencies

License

The whole project is available under the MIT license, see LICENSE.txt.