Expert Analysis of Recent SaaS Attacks That Shocked Global Brands. Watch now

bishopfox-logo-grey
Get Started

Burp Variables: A Burp Suite Extension

By:
Burp Variables Burp Suite Extension blog post cover image – Bishop Fox cybersecurity blog on automating variable handling in Burp Suite.

Share

TL;DR: Burp Suite has long been the industry standard for web application testing, thanks in large part to its extensibility. Bishop Fox has built on that tradition with Burp Variables, a new extension that fills a major gap in Burp’s workflow: variable handling.  

Burp Variables lets testers define and reuse variables (like tokens, session IDs, or user-specific values) across requests, automatically updating them as they change. This saves time, reduces manual errors, and minimizes the risk of mishandled identifiers. Unlike other attempts, it’s purpose-built for practicality: 

Project-level variable sets keep assessments clean and organized.
A streamlined UI makes adding/editing variables fast.
Scoped proxy replacement ensures sensitive data isn’t leaked out of bounds.

For penetration testers tired of repetitive request edits, Burp Variables introduces Postman/Insomnia-style variable handling into Burp, boosting productivity and accuracy. Available now via the BApp Store or GitHub.

Why Burp Suite

Burp Suite is more than just a tool; it’s a staple in the security industry with over 70,000 professionals and more than 8,000 companies worldwide relying on it for web application testing. Burp has earned its reputation as the go-to platform for penetration testers and researchers with a big part of this success coming from its extensibility. Extensions let practitioners adapt Burp to new testing scenarios, automate tedious workflows, and share solutions with a community that’s constantly pushing the boundaries of application security.

At Bisop Fox, we’ve seen firsthand how powerful this extensibility can be. When PortSwigger launched Montoya API in Burp Suite, we showcased how testers can build creative and practical extensions to customize Burp to their unique needs. It’s in that same spirit of innovation and collaboration that we’ve continued to develop our own contributions. The latest being a new extension designed to tackle one of the most persistent pain points in Burp workflows.

New Extension – Burp Variables

    Burp Variables is an extension for PortSwigger’s Burp Suite (Burp) tool designed to add variable storage and reuse functionality to outgoing HTTP requests. This productivity-focused extension allows users to insert placeholders into their requests, which are automatically replaced with defined values when the requests are sent. Burp Variables fills a critical feature gap in Burp by introducing variable handling capabilities similar to those available in other web API testing tools like Postman and Insomnia.

    Use Case

      Burp Variables proves especially valuable for penetration testers and security researchers who encounter mutable session data, ephemeral tokens, or user-specific identifiers during security assessments.

      By allowing users to define and reuse variables for these values, this extension streamlines the process of updating requests as these values change, eliminating time-consuming manual edits.

      In addition to saving time, this improved workflow also minimizes the risk of mishandling identifiers, which can result in false positives.

      Why Burp Variables?

      While several extensions attempt to solve the variable handling challenge, most fall short in practical implementation. Having tested various alternatives during real assessments, Burp Variables stands out as the most effective solution because it is purpose-built for this task.

      Here are a few reasons why Burp Variables offers superior functionality compared to alternative extensions: 

      • Burp Variables stores variable definitions at the project level, allowing different Burp projects to have unique sets of variables.
      • The Burp Variables user interface streamlines the process of adding and editing variables, making it significantly faster and more user-friendly than other solutions. This is essential, as variable handling capabilities are introduced specifically to enhance productivity.
      • When configured to modify proxy traffic, Burp Variables restricts variable replacement to requests that fall within the project's scope, which mitigates the risk of sensitive variable values being leaked to out-of-scope or malicious destinations.

      Ultimately, Burp power users stand to benefit from gaining variable handling capabilities; a feature notably absent from the core platform.

      Getting Started

        Getting started requires minimal setup, but understanding the configuration options maximizes the extension's effectiveness.

        This section provides instructions for installing and using Burp Variables.

        Installation and Basic Setup

        1. Install Burp Variables from Burp's BApp Store, or download and install the most recent release from the original source GitHub repository available at https://github.com/0xceba/burp_variables.

        2. Add name:value variable pairs to the table in the Variables tab provided by the extension, as shown below:

        Burp Variables 1

        Figure 1 - Adding a Variable to the Variables Tab

        Incorporating Variables into Requests

        3. Include variable references in a request by using the context menu added by the extension or by manually adding the variable name, as shown below:

        Burp Variables 2

        Figure 2 - Including variable references in a request

        Verification and Troubleshooting

        4. Send the request and confirm that the variable references were replaced by viewing the request in the Logger tool, as shown below:

        Burp Variables 3

        Figure 3 - Logger tool showing replaced variable values

        Configuration Best Practices

        • Establishing consistent variable naming conventions improves clarity and reduces errors during assessments.
        • Before enabling proxy modification features, ensure your project scope is properly configured. As noted in the extension documentation, Burp Variables restricts variable replacement to requests within the defined scope, preventing accidental substitution in out-of-scope traffic.
        • For sensitive values like authentication tokens, remember to update variable definitions as tokens change and clear sensitive values when switching between projects or ending testing sessions.

        Final Thoughts

        Burp Variables solves a common testing frustration: constantly updating the same session tokens, user IDs, and API keys across multiple saved requests. Define these values once as variables, update them centrally when they change, and let the extension handle the rest.

        For security professionals tired of repetitive request editing, Burp Variables is available now in Burp's BApp Store. Download it and spend less time managing requests, more time finding vulnerabilities.

        Subscribe to our blog

        Be first to learn about latest tools, advisories, and findings.

        Default fox headshot purple

        About the author, Bishop Fox

        Security Researchers

        This represents research and content from the Bishop Fox consulting team.

        More by Bishop

        Recommended Posts

        You might be interested in these related posts.

        May 25, 2023

        Power Up Your Pen Tests: Creating Burp Suite Extensions with the New Montoya API

        Apr 01, 2023

        Powering Up Burp Suite: Building Custom Extensions for Advanced Web Application Testing

        Sep 22, 2025

        What Does “Good” Look Like in Red Teaming

        Sep 16, 2025

        State of the SaaS Security Union

        This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.