Expert Analysis of Recent SaaS Attacks That Shocked Global Brands. Watch now

bishopfox-logo-grey
Get Started

Offensive Tools

Burp Variables: Storage and Reuse Functionality

Burp Variables is a Burp Suite add-on that lets users define and reuse dynamic values in HTTP requests by automatically swapping placeholders with stored data when sending.

Get on GitHub

About Burp Variables

Add variable storage and reuse functionality to outgoing HTTP requests.

Burp Variables is an extension for PortSwigger’s Burp Suite (Burp) tool designed to add variable storage and reuse functionality to outgoing HTTP requests. This productivity-focused extension allows users to insert placeholders into their requests, which are automatically replaced with defined values when the requests are sent. Burp Variables fills a critical feature gap in Burp by introducing variable handling capabilities similar to those available in other web API testing tools like Postman and Insomnia.

  • Burp Variables proves especially valuable for penetration testers and security researchers who encounter mutable session data, ephemeral tokens, or user-specific identifiers during security assessments. 
  • By allowing users to define and reuse variables for these values, this extension streamlines the process of updating requests as these values change, eliminating time-consuming manual edits. 
  • In addition to saving time, this improved workflow also minimizes the risk of mishandling identifiers, which can result in false positives.

Why Burp Variables?

While several extensions attempt to solve the variable handling challenge, most fall short in practical implementation. Having tested various alternatives during real assessments, Burp Variables stands out as the most effective solution because it is purpose-built for this task.

Here are a few reasons why Burp Variables offers superior functionality compared to alternative extensions:

  • Burp Variables stores variable definitions at the project level, allowing different Burp projects to have unique sets of variables.
  • The Burp Variables user interface streamlines the process of adding and editing variables, making it significantly faster and more user-friendly than other solutions. This is essential, as variable handling capabilities are introduced specifically to enhance productivity.
  • When configured to modify proxy traffic, Burp Variables restricts variable replacement to requests that fall within the project's scope, which mitigates the risk of sensitive variable values being leaked to out-of-scope or malicious destinations.

Ultimately, Burp power users stand to benefit from gaining variable handling capabilities; a feature notably absent from the core platform.

Researcher Image Labs page

Bishop Fox

Security Researchers

Due to the nature in which Bishop Fox security experts conduct research and penetration tests, some prefer to remain anonymous. Their work is published under the Bishop Fox name.

BurpSuite Research

Check out these related resources on BurpSuite.

Bishop Fox Burp Suite Extensions for Pen Tests with Montoya API dark background with purple and blue computer power button on right side
Technical

May 25, 2023

Power Up Your Pen Tests: Creating Burp Suite Extensions with the New Montoya API

By Christopher Cerne

Illustration box orange side gray side black background
Technical

Feb 03, 2016

Burp, Collaborate, and Listen: A Pentester Reviews the Latest Burp Suite Addition

By Max Zinkus

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.