Stepper

A Multi-Stage Repeater Replacement For Burp Suite

Stepper is designed to be a natural evolution of Burp Suite’s Repeater tool, providing the ability to create sequences of steps and define regular expressions to extract values from responses which can then be used in subsequent steps.

Basic Usage

1. Create a new sequence. Double-click the title to set a suitable name.
2. Add your steps to the sequence manually, or using the context menu entry.
3. Optional: Configure the global variables to use for the sequence.
4. Optional: Define variables for steps.

  • Pre-execution variables obtain their value before the step is run. Useful for one-time passcodes etc.
  • Post-execution variables extract their value from the step’s response using regular expressions.

5. Execute the entire sequence using the button at the bottom of the panel.
Tip: You can execute a single step to test your regular expressions using the button in the top right.
Steps can be rearranged by right-clicking their tab, and selecting their destination.

Variables

Variables can be defined for use within requests made as part of a sequence and come in three kinds.

Global Variables: Static values available to every request in the sequence.
Pre-execution Variables: Prompt the user for a value when the step runs. Usable in the step in which they are defined and in any subsequent step.
Post-execution Variables: Defined by a regular expression that extracts data from the step's response, for use in subsequent steps.

A variable of any kind may be updated again by a later step after its definition.

Post-Execution (Extraction / Regex) Variables

Variables which are defined with a regular expression are updated each time the step is executed. The regular expression is executed on the response received, with the first match being used as the new value. If you’re already a Regex master, this won’t be new information to you, but for everybody else the quick overview below shows how to use capture groups to tell the extension which value you want to use.

  • If the defined regular expression has no groups defined, the whole match will be used.
  • If the regular expression defines capture groups, the first group will be used.
  • If groups are required but should not be used as the value, a non-capturing group may be used, e.g. (?:REGEX)

Examples

Response

{"id":15, "name": "CoreyD97"}

Expression                       Result                Reason
"name": ".*?"                    "name": "CoreyD97"    No capture groups defined. Entire match returned.
"name": "(.*?)"                  CoreyD97              Capture group defined. Returned as result.
"(name|username)": "(.*)"        name                  Two capture groups defined. First one returned.
"(?:name|username)": "(.*)"      CoreyD97              Non-capturing group is ignored. Capture group returned.

Variable Usage

To use a variable in a request after it has been defined, either use the context menu option to copy the variable's placeholder to the clipboard, or type the placeholder manually in one of the forms below:

  • In a sequence:
    $VAR:VARIABLE_IDENTIFIER$
  • In other tools (Repeater, Intruder):
    $VAR:SEQUENCE_NAME:VARIABLE_IDENTIFIER$
[Figure: Using a Stepper variable in a sequence]
[Figure: Using a Stepper variable in Repeater]

Executing Sequences via Other Tools (e.g. Intruder)

In some situations you might need to execute a sequence before making a request in another tool, for example to use Intruder on an endpoint which requires a token to be generated prior to every request and included in the request body. While Burp Macros can achieve this in most cases, some situations cannot be solved using macros.

To solve this, define a sequence that carries out the steps to generate a token and extracts its value into a variable. Then include that variable in your request as usual, and add the following header to the request:

X-Stepper-Execute-Before: SEQUENCENAME

Any time a request containing this header is made by Burp, the named sequence is executed in full before that request is sent, and the sequence's variables are updated from the fresh responses so that the placeholders in the request resolve to current values.

[Figure: Stepper Intruder integration, using the X-Stepper-Execute-Before header to trigger a sequence.]
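To make the three mechanisms above concrete (the post-execution extraction rules and their worked table, the $VAR:ID$ and $VAR:SEQUENCE:ID$ placeholder forms, and the X-Stepper-Execute-Before trigger), here is a small Python emulation of the documented behaviour. It is an added example written for this page, not the extension's own Java code. It assumes Python's re module behaves like java.util.regex for these patterns, that variable identifiers are word characters, that an unresolvable placeholder is left in the request untouched, and that the trigger header is removed before the request leaves; the responses and requests inside are constructed samples.

```python
"""Emulation of Stepper's documented variable handling (added example, not
the extension's own code).  Behaviour modelled from the README:

  * post-execution variable: run the regex on the step's response, take the
    first match; group 1 if the pattern has capture groups, else the whole match
  * placeholders: $VAR:ID$ inside a sequence, $VAR:SEQUENCE:ID$ in other tools
  * X-Stepper-Execute-Before: NAME runs sequence NAME before the request is sent

Assumptions not stated on the page: Python re stands in for java.util.regex,
identifiers are word characters, an unresolved placeholder is left as-is, and
the trigger header is stripped.  All traffic below is constructed sample data.
"""
import re
from typing import Dict, List, Optional, Tuple


def extract(pattern: str, response: str) -> Optional[str]:
    """Value of a post-execution variable, or None if the regex does not match."""
    m = re.search(pattern, response)                      # first match only
    if m is None:
        return None
    return m.group(1) if m.re.groups else m.group(0)      # (?:...) groups are not counted


# The README's worked table, re-run against the constructed response.
SAMPLE_RESPONSE = '{"id":15, "name": "CoreyD97"}'
TABLE = [
    (r'"name": ".*?"',               '"name": "CoreyD97"'),  # no groups: whole match
    (r'"name": "(.*?)"',             'CoreyD97'),            # one group
    (r'"(name|username)": "(.*)"',   'name'),                # two groups: first wins
    (r'"(?:name|username)": "(.*)"', 'CoreyD97'),            # non-capturing group skipped
]


def check_table() -> List[Tuple[str, Optional[str]]]:
    return [(expected, extract(pattern, SAMPLE_RESPONSE)) for pattern, expected in TABLE]


# $VAR:ID$ or $VAR:SEQUENCE:ID$ ; the identifier charset (\w) is an assumption.
PLACEHOLDER = re.compile(r'\$VAR:(?:(\w+):)?(\w+)\$')
EXECUTE_BEFORE = re.compile(r'^X-Stepper-Execute-Before:[ \t]*(\S+)\r?\n', re.M)


class Sequence:
    """Ordered steps sharing one variable table; each step's post-execution
    regexes update that table once its (here canned) response arrives."""

    def __init__(self, name: str, global_vars: Optional[Dict[str, str]] = None):
        self.name = name
        self.variables: Dict[str, str] = dict(global_vars or {})   # globals seed the table
        self.steps: List[Tuple[str, Dict[str, str], str]] = []

    def add_step(self, request: str, post_exec: Dict[str, str], canned_response: str) -> None:
        self.steps.append((request, post_exec, canned_response))

    def substitute(self, text: str) -> str:
        def repl(m):
            seq, ident = m.group(1), m.group(2)
            if seq is not None and seq != self.name:
                return m.group(0)                         # another sequence's variable
            return self.variables.get(ident, m.group(0))  # undefined: left as-is (assumption)
        return PLACEHOLDER.sub(repl, text)

    def execute(self) -> List[str]:
        """Run every step in order; returns the requests as they would be sent."""
        sent = []
        for request, post_exec, response in self.steps:
            sent.append(self.substitute(request))
            for ident, pattern in post_exec.items():      # update variables from this response
                value = extract(pattern, response)
                if value is not None:
                    self.variables[ident] = value
        return sent


def prepare_request(raw: str, sequences: Dict[str, Sequence]) -> str:
    """Path of a Repeater/Intruder request: honour the trigger header, then
    resolve $VAR:SEQUENCE:ID$ against the (now refreshed) sequence variables."""
    m = EXECUTE_BEFORE.search(raw)
    if m:
        sequences[m.group(1)].execute()
        raw = raw[:m.start()] + raw[m.end():]             # strip the header (assumption)

    def repl(m):
        seq, ident = m.group(1), m.group(2)
        if seq is None or seq not in sequences:
            return m.group(0)
        return sequences[seq].variables.get(ident, m.group(0))
    return PLACEHOLDER.sub(repl, raw)


def demo() -> Tuple[str, Dict[str, str]]:
    """Two-step 'Login' sequence, then an Intruder-style request that triggers it."""
    login = Sequence("Login", global_vars={"USER": "alice"})
    login.add_step("POST /login HTTP/1.1\r\nHost: target.example\r\n\r\nuser=$VAR:USER$",
                   {"SESSION": r'"session": "([0-9a-f]+)"'}, '{"session": "deadbeef"}')
    login.add_step("GET /api/csrf HTTP/1.1\r\nHost: target.example\r\n"
                   "Cookie: session=$VAR:SESSION$\r\n\r\n",
                   {"TOKEN": r'"csrf": "(.*?)"'}, '{"csrf": "tok-1234"}')
    attack = ("POST /transfer HTTP/1.1\r\nHost: target.example\r\n"
              "X-Stepper-Execute-Before: Login\r\n"
              "Cookie: session=$VAR:Login:SESSION$\r\n\r\n"
              "csrf=$VAR:Login:TOKEN$&amount=1")
    return prepare_request(attack, {"Login": login}), login.variables


if __name__ == "__main__":
    for expected, got in check_table():
        print("OK " if got == expected else "BAD", repr(got))
    print(demo()[0])
```

The table check reproduces the four rows above from the same sample response; the demo shows why the header matters for Intruder: every attack request carrying it re-runs the whole Login sequence, so SESSION and TOKEN are fresh for each payload rather than captured once.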

Now you know how to use it, give it a try! If you have any feature requests or bug reports please open an issue on GitHub and I’ll be happy to help.

Download from GitHub below: