Custom actions are scripts that run directly in Burp Repeater to automate tasks and extract information during manual testing.
In the worked example below, we'll use Java to write a custom action that extracts a CSRF token from the response body, modifies it, then logs the modified CSRF token.
In this example, our custom action script is:
var response = requestResponse.response().bodyToString();
if (response.contains("csrf=")) {
    var csrfIndex = response.lastIndexOf("csrf=") + 5;
    var csrf = response.substring(csrfIndex, csrfIndex + 16);
    csrf = csrf.replace("a", "b").replace("c", "d");
    logging.logToOutput(csrf);
} else {
    logging.logToOutput("No CSRF token");
}
var response = requestResponse.response().bodyToString();
This retrieves the body of the HTTP response and stores it as a string in the response variable.
Breakdown of the code:
requestResponse represents the request/response pair the action is applied to.
response().bodyToString() gets the response object and converts the body to a string.
if (response.contains("csrf=")) {
This checks whether the response body contains the string csrf=. If the string is found, the condition evaluates to true and the code inside the if block runs.
var csrfIndex = response.lastIndexOf("csrf=") + 5;
var csrf = response.substring(csrfIndex, csrfIndex + 16);
csrf = csrf.replace("a", "b").replace("c", "d");
This runs if the response body contains the string csrf=. It finds the last occurrence of csrf=, extracts the 16-character token that follows, and modifies it by replacing certain characters.
Breakdown of the code:
lastIndexOf("csrf=") returns the index of the last occurrence of csrf= in the response.
+5 moves the index to the start of the actual token, just after csrf=.
response.substring(csrfIndex, csrfIndex + 16) extracts the 16 characters of the token from the response, starting at csrfIndex and ending at csrfIndex + 16 (the end index is exclusive, so the character at csrfIndex + 16 itself is not included).
replace("a", "b").replace("c", "d") replaces characters a with b, and c with d in the extracted CSRF token.
logging.logToOutput(csrf);
This logs the modified CSRF token to the Output panel in the Custom actions side panel.
} else {
    logging.logToOutput("No CSRF token");
}
If the csrf= string isn't found by the check in the if statement, this logs the message No CSRF token.
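A more defensive version of the extraction step, added here as an illustration rather than code from the Burp documentation: the script above calls substring(csrfIndex, csrfIndex + 16) unconditionally, which throws StringIndexOutOfBoundsException when fewer than 16 characters follow csrf=, and it also takes the next 16 characters even when the token is shorter or is followed by a delimiter such as &. The helper below is plain Java with a regular expression so the token ends at the first non-token character; the character class, the 64-character limit, and the sample bodies are assumptions constructed for this example. In a custom action you would replace the hard-coded body with requestResponse.response().bodyToString() and the System.out line with logging.logToOutput(...).

```java
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class CsrfTokenExtractor {
    // Matches "csrf=" followed by 1..64 token characters (letters, digits, - and _).
    // Assumption: tokens are URL/form-safe; widen the class if your target differs.
    private static final Pattern CSRF = Pattern.compile("csrf=([A-Za-z0-9_-]{1,64})");

    /** Returns the last csrf= token in body, or empty when none is present. */
    static Optional<String> extractLastCsrfToken(String body) {
        Matcher m = CSRF.matcher(body);
        String last = null;
        while (m.find()) {
            last = m.group(1);   // keep the last match, like lastIndexOf in the original
        }
        return Optional.ofNullable(last);
    }

    /** Same character substitution as the page's script: a -> b, then c -> d. */
    static String modify(String token) {
        return token.replace("a", "b").replace("c", "d");
    }

    public static void main(String[] args) {
        // Constructed sample bodies. The second one would crash the original script,
        // because only 5 characters follow "csrf="; the third has no token at all.
        String[] bodies = {
            "<a href=\"/home?csrf=abc123cafe012345&next=/home\">Home</a>",
            "<a href=\"/home?csrf=ab12c\">Home</a>",
            "<html>no token here</html>"
        };
        for (String body : bodies) {
            // In a Burp custom action: var body = requestResponse.response().bodyToString();
            String out = extractLastCsrfToken(body)
                .map(CsrfTokenExtractor::modify)
                .orElse("No CSRF token");
            System.out.println(out);   // In Burp: logging.logToOutput(out);
        }
    }
}
```

Running it prints bbd123dbfe012345, bb12d and No CSRF token, one per line, without an exception on the short token.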