Help With Removing HTTP Header Info In Burp Suite Using Python Extension


This topic contains 1 reply, has 2 voices, and was last updated by  Rjune 2 years, 4 months ago.

  • #84696

    Ryno23
    Participant

    Hey Guys,

    So I’m currently trying to automate some of my web application testing requests through Burp Suite using the Python Scripting extension. I have a basic Python script that can append the parameter values I need to the request before it leaves Burp. However, my script only appends my parameters to the end of the header info and leaves the old parameters in place, which gives me two entries for a given parameter.

    Basically what it comes down to is that I want to either find/replace or remove/append a parameter. I’m a novice at Python coding, so forgive me if the code below is sloppy or can be done an easier way. I want to replace the values of the x-app-id and the Authorization token within the header field. Like I said before, my script below only appends those values and does not replace/remove the old ones. I’ve tried a few different things, but I don’t have quite the knowledge to get it tailored to how I need it. If anyone could send any tips or point anything out here I would be greatly thankful.

    Best Regards,

    Ryno23

    —————————————————————————–

    # These are java classes, being imported using python syntax
    from burp import IBurpExtender
    from burp import IHttpListener

    class BurpExtender(IBurpExtender, IHttpListener):
        def registerExtenderCallbacks(self, callbacks):
            self._callbacks = callbacks
            self._helpers = callbacks.getHelpers()
            callbacks.setExtensionName("Auth and x-app-id Hardcodes")
            callbacks.registerHttpListener(self)
            return

        def processHttpMessage(self, toolFlag, messageIsRequest, currentRequest):

            # Only process requests
            if not messageIsRequest:
                return
            requestInfo = self._helpers.analyzeRequest(currentRequest)
            bodyBytes = currentRequest.getRequest()[requestInfo.getBodyOffset():]
            bodyStr = self._helpers.bytesToString(bodyBytes)

            # Request Header information
            headers = requestInfo.getHeaders()
            newHeaders = list(headers)

            # Make the hardcoded changes to x-app-id and Authorization values
            x_app = "Testing"
            newHeaders.append("x-app-id: " + x_app)
            auth = "Testing1234567890"
            newHeaders.append("Authorization: " + auth)

            # Build the new message with updated parameters
            newMessage = self._helpers.buildHttpMessage(newHeaders, bodyStr)
            print self._helpers.bytesToString(newMessage)
            currentRequest.setRequest(newMessage)

    #95262

    Rjune
    Participant

    x_app = "Testing"
    newHeaders.append("x-app-id: " + x_app)
    auth = "Testing1234567890"
    newHeaders.append("Authorization: " + auth)
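
One way to get the replace behaviour asked about in the first post, as an added example that is not code from either poster: drop every existing copy of the target headers (header names are case-insensitive) before adding the new values. The helper name `replace_headers`, the `OVERRIDES` dict and the sample request are assumptions constructed for illustration.

```python
# Added example, not from the original thread.
# Pure-Python helper: runs in Burp's Jython 2.7 and in CPython 3.

def replace_headers(headers, overrides):
    """Return a new header list in which every header named in `overrides`
    is removed (case-insensitive match) and re-added exactly once.

    headers   -- list of strings as returned by requestInfo.getHeaders();
                 element 0 is the request line and is never touched.
    overrides -- dict of header name -> new value (hypothetical input).
    """
    wanted = dict((name.lower(), (name, value))
                  for name, value in overrides.items())
    result = [headers[0]]  # request line, e.g. "POST /api/items HTTP/1.1"
    for line in headers[1:]:
        name = line.split(":", 1)[0].strip().lower()
        if name in wanted:
            continue  # drop the old copy, and any duplicates of it
        result.append(line)
    # Append each replacement once, in a stable (sorted) order.
    for key in sorted(wanted):
        name, value = wanted[key]
        result.append("%s: %s" % (name, value))
    return result


# Constructed sample headers so the helper can be exercised outside Burp.
SAMPLE = [
    "POST /api/items HTTP/1.1",
    "Host: app.example.test",
    "X-App-Id: old-id",
    "authorization: Bearer old-token",
    "Content-Type: application/json",
]
OVERRIDES = {"x-app-id": "Testing", "Authorization": "Testing1234567890"}

if __name__ == "__main__":
    for header in replace_headers(SAMPLE, OVERRIDES):
        print(header)

# In processHttpMessage, the two append() calls would become:
#   newHeaders = replace_headers(list(requestInfo.getHeaders()), OVERRIDES)
#   newMessage = self._helpers.buildHttpMessage(newHeaders, bodyBytes)
```

Matching on the lowercased name before the first colon is what prevents the duplicate entries: a plain string comparison against `x-app-id` would miss `X-App-Id` and leave the old value in the request.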
