Stepper (Burp Extender): Burp’s best extender for automating sequence of requests so far!
I would like to start the note with gratitude!
I will take this moment to thank my buddy Corey Arthur for developing the Stepper extender, who is well known for developing the Burp’s popular extender Logger++.
Thanks for extending your innovations to help others by creating them as open-source tools, and congrats for your extenders to be one of the official ones in Burp BAPP store, Corey.
What is Stepper?
Stepper is designed to be a natural evolution of Burp Suite’s Repeater tool, providing the ability to create sequences of steps and define regular expressions to extract values from responses which can then be used in subsequent steps.
Understanding and using Stepper extender is way simpler.
Imagine you have a login sequence or any sequence of requests that you want to repeat. We would usually send them one by one to repeater to manually send each request one by one, and transfer the tokens/cookies/values from one request to another to complete a sequence.
It’s easier if you have 3 or 4 requests to validate the sequence manually, right? What if you have more than 10 requests, like an SSO authentication?
Stepper can take care of your requirements.
You just have to send those requests to stepper, one-time configuration of the values to grep from responses to transfer in further requests and hit the Execute sequence button. That’s it, it’s simple. Each time when you want to test the sequence, you will only have to hit the Execute Sequence button. Even the Execute Sequence function is automated through a custom header in a request, which I will cover in some time.
Furthermore, the great advantage of Stepper is that the variables can be called globally across Burp anywhere such as Proxy, Scans, other Extenders, Repeater, Intruder, etc.
I understand, you might get confused on what is sequence and what is that button I am talking about. No worries, I will cover them in a bit.
For technical aspects and installation guide, please do check out Corey’s Stepper repo.
As the repo description says, it’s clear that we can automate a sequence of requests using Stepper. Now the question is: How and Where to use it?
I will cover the missing pieces to understand the extender in this article.
Let me show you the use case of Stepper and where/when to use the Stepper to be more productive.
How to use Stepper?
Now that we have an understanding on the purpose of the tool, we need to know the features of the tool. To use Stepper, you must understand the controls and configurations of it, as follows.
Stepper consists of two main tabs (Preferences & About) and a main function (Add Sequence).
About Tab
The About tab will give you a summary of the Tool, its instructions and necessary tips.
The About tab consists of the examples on how to use the variables inside and outside the Stepper extender.
Preferences Tab
The Preferences tab will let you tweak the tool’s configuration.
Allow Variables Usage section will let you choose which all modules of Burp can use the extracted Stepper variables across the Burp tool.
Export Sequences section allows you to export the sequences and all its contents (like variables, requests, etc.) that were created using the “Add Sequence” function.
Import Sequences section allows you to import the sequences that were exported earlier. You can import multiple Stepper files to import multiple different sequences exported earlier.
The Config section lets you select whether the Stepper extender should update the length of the request after updating the content of the variable in the requests sent.
Add Sequence Function
Sequence is a group of requests that you want to automate.
Add Sequence is not a tab, it is a function which allows you to add new sequences as a tab. You can add multiple sequences (tabs) according to your requirement. When you click the Add Sequence function, it will create a new tab named “Step Sequence” to add the requests to automate.
You can rename the sequence tab by double-clicking it.
Variables are string which can be placed anywhere in the request, and it will replace the particular place with the values provided or extracted while sending the request to the application/server.
Globals sub tab will help you to define global variables and its value by clicking the “Add Variable” button. You can remove the variable by selecting the variable and clicking the “Delete Selected Variable” button.
Execute Sequence is a global button for that selected sequence which will help you to execute all the requests added in the sequence. This button will be visible in any sub tabs inside a sequence.
Add Step is a sub function which allows you to add/craft a request manually or forward the request from anywhere in Burp to the Stepper extender. By clicking “Add Step” or forwarding a request to the sequence will create a new Step tab inside a sequence with a naming format <index number/sort order number>: Step <n’th number of the step>
Pre-Execution Variables will append variables to the request before sending to the server.
Post-Execution Variables will extract values from the response through Regex and store in temporary memory as the variable defined.
Execute Step button will send/execute that particular selected request/Step tab.
Execute Sequence button will send/execute all the requests/Steps tabs, such as execute/send the request of “1: Step 1” followed by “2: Step 2” and so on, in the ascending order of the index numbering.
Using variables inside Stepper Sequences:
Extracted variables can be called in another step inside a sequence, using the variable rule $VAR:VARIABLE_IDENTIFIER$
A variable can be crafted in the request using the variable rule or copied to the clipboard by right-clicking.
Using variables outside Stepper Extender:
Extracted variables can be called anywhere in Burp, outside the Stepper extender, using the variable rule $VAR:SEQUENCE_NAME:VARIABLE_IDENTIFIER$
A variable can be crafted in the request using the variable rule or copied to the clipboard by right-clicking.
Executing Sequences Outside Stepper Extender:
You can execute a sequence from outside the Stepper extender before a request is sent to the server by using the sequence rule “X-Stepper-Execute-Before: SEQUENCENAME” as a header in the request. This header will not be sent to the server.
The usage will be as shown below:
X-Stepper-Execute-Before: SEQUENCENAME
$VAR:SEQUENCE_NAME:VARIABLE_IDENTIFIER$
The workflow will be as shown below:
1. Executes all the requests of the sequence inside stepper.
2. Extracts all the configured variables and pass them to following steps if applicable.
3. Remove the X-Stepper-Execute-Before header from the current request.
4. Pass the extracted variable to the current request
Send the request to the application/server.
Stepper is a great extender to automate requests. However, it is a powerful extender to collaborate with few other extenders and Burp Sessions settings to configure macros for any complicated requests.
Have a look at the article TK (Under construction 😜 Link will be provided once the article gets published) to learn how to set up a macro for complicated requests using Stepper.
Yuthan Balaji K is a Cybersecurity Professional & Pentester. He has led several event management, delivered public speaking, and managed large teams as part of professional acting before switching his career into cybersecurity.
