Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/daffainfo/match-replace-burp

Useful "Match and Replace" burpsuite rules
https://github.com/daffainfo/match-replace-burp

bugbounty burpsuite hacktoberfest pentest

Last synced: about 1 month ago
JSON representation

Useful "Match and Replace" burpsuite rules

Host: GitHub
URL: https://github.com/daffainfo/match-replace-burp
Owner: daffainfo
License: mit
Created: 2022-05-04T16:23:29.000Z (over 2 years ago)
Default Branch: main
Last Pushed: 2023-09-26T23:41:07.000Z (about 1 year ago)
Last Synced: 2024-08-05T00:04:25.870Z (4 months ago)
Topics: bugbounty, burpsuite, hacktoberfest, pentest
Homepage:
Size: 14.6 KB
Stars: 277
Watchers: 5
Forks: 45
Open Issues: 0
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE

Awesome Lists containing this project

awesome-burp-extensions - match-replace-burp - Useful Match and Replace BurpSuite Rules (Custom Features)
awesome-hacking-lists - daffainfo/match-replace-burp - Useful "Match and Replace" burpsuite rules (Others)

README

# Match Replace Burp
Useful Match and Replace BurpSuite Rules

## Finding hidden buttons, forms, and other UI elements
Many websites contain hidden buttons, forms, and other UI elements like
```html

document.getElementbyTagName("test").hidden=true
test
```

* Show Hidden UI (1)

* Show Hidden UI (2)

* Change disable to enable

## Changing `false` to `true`
Sometimes we can get hidden features by changing from `false` to `true`. The example:

* Changing role from normal user to admin

* Make email verified

## Bypass WAF
Bypassing WAF by adding some headers

* Adding `X-Forwarded-Host: 127.0.0.1`

> Create another rule but change the header to:
```
X-Forwarded-Port: 127.0.0.1
X-Forwarded-By: 127.0.0.1
X-Forwarded-Scheme: 127.0.0.1
X-Frame-Options: Allow
X-Forwarded-For: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Real-IP: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Cluster-Client-IP: 127.0.0.1
True-Client-IP: 127.0.0.1
Client-IP: 127.0.0.1
Origin: null
Origin: Domain.attacker.com
```

## Finding IDOR
By changing original user UUID to another UUID

> Create another rule but change the `type` to "Request First Line"

## Finding XSS
By adding some XSS payload into the request

* Finding XSS on `User-Agent`

* Finding XSS on `Referer`

* Auto replace user input with XSS payload

> So by just inputting the words `xss_payload` on the website it will be immediately replaced with `">`
> Change the XSS payload as you want

## MISC
Some random match and replace rules
* Finding [CVE-2021-44228](https://github.com/advisories/GHSA-jfh8-c2jp-5v3q)

> Create some another rules to look for them in headers, parameters and more. Because log4j can be found anywhere

* Help companies to identify your traffic and separate them from malicious traffic by adding a custom header

References:
- https://twitter.com/PTestical/status/1413497660133318659
- https://twitter.com/HolyBugx/status/1355472991061213184
- https://twitter.com/intigriti/status/1192103070072741894
- https://twitter.com/payloadartist/status/1469582893772984322
- https://twitter.com/payloadartist/status/1422247377516122114
- https://twitter.com/hackerscrolls/status/1247177578269597698

> Soon will be updated again